Cisco Bug: CSCum00147 - SWIM need non-admin CARS user & stores credential w/ symmetric encryption

Last Modified

Aug 04, 2015

Products (1)

  • Cisco Prime Infrastructure

Known Affected Releases

2.0(1.0) 2.1

Description (partial)

Symptom:
PI currently runs sshd, which also provides the sftp/scp service. The user must supply the PI server credential (Admin -> System Settings -> ImageManagement), and it is stored in the preferences. This has the following issues:

1) Production servers will have only the CARS admin account. Instead of a normal shell (bash/csh/sh), this account runs carssh, which provides an IOS CLI-like interface, and sftp/scp does not work with this account. A user can create a root or other user account with a normal shell, but that is generally discouraged and is not allowed in FIPS mode.

2) The sftp/scp user will have access to the entire file system. Like the ftpuser, it should have access only to restricted directories.

3) Storing any user credential using two-way encryption is a security violation. Any user credential should be stored with one-way hashing or should be taken from the user as and when required.

Conditions:
CIDS device packages use the SFTP/SCP service. The device acts as a client and initiates the connection to the PI server to transfer files. For these device packages to work, the SFTP/SCP service must be running on the PI server, and the application must pass the username/credential to the device package.
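
Issues 1 and 2 describe a transfer account that needs neither a shell nor the whole file system. The following OpenSSH server fragment is an added example, not Cisco's fix or configuration; the account name `swimxfer` and the paths under `/srv/swim` are hypothetical.

```conf
# sshd_config fragment (added example; account name and paths are assumptions)

# Use the in-process SFTP server so the chroot needs no shell or binaries inside it.
Subsystem sftp internal-sftp

# "swimxfer" is a hypothetical dedicated, non-admin transfer account.
Match User swimxfer
    # Confine the account to one tree. The chroot directory itself must be
    # owned by root and not writable by group or others, or sshd refuses the login.
    ChrootDirectory /srv/swim
    # Ignore whatever command the client requests and start SFTP in the
    # images subdirectory (path is relative to the chroot).
    ForceCommand internal-sftp -d /images
    # No terminal, forwarding or tunnelling for this account.
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

With this fragment the account can use SFTP only; a client that speaks the legacy SCP protocol needs a remote command to run and will be refused. `sshd -t` checks the edited configuration for syntax errors before the daemon is reloaded.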