Page MenuHomeVyOS Platform

strip-private doesn't strip string after "secret"
Closed, ResolvedPublicBUG

Description

# show | strip-private| match secret
                 secret someactualstring

should not happen

Details

Version
1.5
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Do you have any example of in which context that exists?

According to https://github.com/vyos/vyos-1x/blob/current/src/helpers/strip-private.py OpenVPN and IPsec secrets should already be stripped:

# Strip OpenVPN secrets
(True, re.compile(r'(shared-secret-key-file|ca-cert-file|cert-file|dh-file|key-file|client) (\S+)'), r'\1 xxxxxx'),
# Strip IPSEC secrets
(True, re.compile(r'pre-shared-secret \S+'), 'pre-shared-secret xxxxxx'),

Yup, VPN site to site authentication credentials are stored as "secret" hence the patch.

(20:39) cpo lnx01:~/vyos-1x [current] # git grep \"secret\" interface-definitions/
interface-definitions/vpn-ipsec.xml.in:                  <leafNode name="secret">
interface-definitions/vpn-l2tp.xml.in:                          <leafNode name="secret">
dmbaturin claimed this task.