Cisco Bug: CSCum00147 - SWIM need non-admin CARS user & stores credential w/ symmetric encryption
Aug 04, 2015
- Cisco Prime Infrastructure
Known Affected Releases
Symptom: Currently PI runs sshd, which also provides the sftp/scp service. The credential for the PI server has to be supplied by the user (Admin -> System Settings -> ImageManagement) and is stored in the preferences. This has the following issues:

1) Production servers will have only the CARS admin account. Instead of a normal bash/csh/sh shell, this account runs carssh, which provides an IOS CLI-like interface; sftp/scp does not work with such an account. A user can create a root or other account with a normal shell, but that is generally discouraged and not allowed in FIPS mode.

2) The sftp/scp user has access to the entire file system. Like the ftpuser, it should have access only to restricted directories.

3) Storing any user credential with two-way (reversible) encryption is a security violation. Any user credential should be stored with one-way hashing or requested from the user as and when required.

Conditions: CIDS device packages use the SFTP/SCP service. The device acts as a client and initiates the connection to the PI server to transfer files. For these device packages to work, the SFTP/SCP service must be running on the PI server and the application must pass the username/credential to the device package.
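As an added illustration of the kind of mitigation points 1 and 2 call for (not Cisco's fix and not taken from the bug): an OpenSSH sshd_config Match block that gives a dedicated, non-admin transfer account no shell and confines it to one directory. The account name pi-sftp and the path /localdisk/sftp are assumed placeholders.

```sshd_config
# Added illustration, not the Cisco fix: a dedicated non-admin transfer
# account with no interactive shell, confined to a single directory.
# "pi-sftp" and /localdisk/sftp are placeholders.
Subsystem sftp internal-sftp

Match User pi-sftp
    # The chroot root must be owned by root and not group/world-writable;
    # give the account a writable subdirectory (e.g. /localdisk/sftp/upload)
    # owned by pi-sftp for the device packages to transfer files into.
    ChrootDirectory /localdisk/sftp
    # Only the in-process SFTP server runs inside the chroot; scp, which
    # needs a shell and binaries in the chroot, is therefore not served.
    ForceCommand internal-sftp
    # No tunnels, no X11, no pty: the account can only move files.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Because internal-sftp needs no login shell, the account can be created with /sbin/nologin, which keeps it out of the "normal shell" category the report says is disallowed in FIPS mode.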