lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache ZooKeeper

Apache Software Foundationmiddleware4 credentials

Credentials4 documented
01

Digest ACL Username / Password

apache-zookeeper / digest-acl-credential

ZooKeeper ACLs support the digest scheme, which uses a username:password string to generate an ACL identity. ZooKeeper documents that authentication is performed by sending username:password and ACLs store the username with a base64-encoded SHA1 password digest.

user definedsecretusername/password

Looks like

pattern
pattern

ZooKeeper digest ACL identity containing username and base64 SHA1 password digest

digest:[^:\s]+:[A-Za-z0-9+/=]+
pattern

ZooKeeper CLI digest authentication command with username:password

addauth\s+digest\s+[^:\s]+:[^\s]+

Location

database

ZooKeeper znodes storing ACLs with digest identities

config file

client config, application config, JAAS files, and deployment manifests

secret store

Kubernetes Secrets, cloud secret managers, and platform vault entries

source code

ZooKeeper client code, tests, scripts, and committed configs

logs

client debug logs, command history, and ACL troubleshooting output

public interface
ZooKeeper client port 2181

Notes

Digest credentials protect znodes according to ACL permissions. Avoid sending digest username:password over untrusted networks without TLS.

02

SASL / JAAS Secret

apache-zookeeper / sasl-jaas-secret

ZooKeeper supports pluggable authentication and SASL configuration. JAAS files used by ZooKeeper servers and clients can contain usernames, passwords, keytabs, or other mechanism-specific secret material.

user definedsecretusername/password

Looks like

pattern
pattern

JAAS option containing username or password in ZooKeeper SASL configuration

(?:username|password)=\"[^\"\r\n]+\"

Location

config file
jaas.conf, zoo.cfg, java.env

ZooKeeper server/client JAAS and authentication configuration

environment
JVMFLAGS, SERVER_JVMFLAGS, CLIENT_JVMFLAGS

Java system properties pointing to JAAS config or auth settings

secret store

Kerberos keytabs, Kubernetes Secrets, cloud secret managers, and deployment vaults

source code

deployment manifests, Helm charts, tests, and committed JAAS configs

logs

startup logs and SASL authentication debug traces

Notes

Depending on mechanism, the credential may be a password, Kerberos keytab, or service principal secret.

03

TLS Keystore / Truststore Password

apache-zookeeper / tls-keystore-password

ZooKeeper TLS settings include keyStore and trustStore locations and passwords for client and quorum TLS connections. ZooKeeper documents ssl.keyStore.password and ssl.quorum.keyStore.password configuration.

user definedsecretpassword

Looks like

pattern
pattern

ZooKeeper Java system property for TLS keystore or truststore password

zookeeper\.ssl\.(?:keyStore|trustStore)\.password=[^\s]+
pattern

ZooKeeper configuration file TLS store password

ssl\.(?:keyStore|trustStore)\.password\s*=\s*[^\r\n]+

Location

config file
zoo.cfg, java.env, JVM system properties

ZooKeeper TLS keystore and truststore configuration

secret store

Java keystores, Kubernetes Secrets, cloud secret managers, and deployment vaults

source code

Helm charts, Docker Compose files, and committed config

image

ensemble images containing keystores and config

logs

TLS startup and troubleshooting output

Notes

Keystore passwords can unlock private keys used for ZooKeeper client or quorum TLS authentication.

04

Super Digest

apache-zookeeper / super-digest

ZooKeeper can configure a super user digest for administrative access. The superDigest value is secret-equivalent because it grants elevated ACL bypass behavior to clients authenticating as the configured super user.

user definedsecretsecret value

Looks like

pattern
pattern

ZooKeeper superDigest Java system property

zookeeper\.DigestAuthenticationProvider\.superDigest=[^\s]+

Location

config file

zoo.cfg, java.env, service unit files, and JVM system properties

environment
JVMFLAGS, SERVER_JVMFLAGS
secret store

configuration management vaults and Kubernetes Secrets

source code

deployment scripts and committed ensemble config

logs

process listings, startup logs, and service manager output

Notes

superDigest should be treated as highly privileged administrative secret material, not as a normal application password.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.