lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Ceph

Cephcloud2 credentials

Credentials2 documented
01

CephX Client Keyring

ceph / cephx-keyring

Ceph users authenticate with secret keys stored in keyrings. Ceph documents that clients specify a user name and a keyring containing the secret key, and that client.admin is assumed if no user is specified.

generated on installsecretsecret value

Looks like

pattern
pattern

Ceph keyring secret key assignment

key\s*=\s*[A-Za-z0-9+/=]{20,}

Location

config file
/etc/ceph/*.keyring, ceph.client.*.keyring

Ceph client keyring files containing user names and secret keys

environment
CEPH_ARGS

can specify user and keyring arguments for Ceph clients

secret store

Kubernetes Secrets, Rook secrets, cloud secret managers, and deployment vaults

source code

accidentally committed keyrings, test clusters, and deployment manifests

artifact

host backups, VM images, and container images containing /etc/ceph

logs

command history, debugging output, and CI traces

Notes

Keyrings are bearer-like secrets for Ceph capabilities. client.admin keys are highly privileged.

02

RADOS Gateway S3 Access / Secret Key

ceph / radosgw-s3-key

Ceph Object Gateway users can have S3-style access keys and secret keys. These credentials authenticate S3 clients to RGW and are managed as Ceph object gateway user credentials.

generated on installsecretAPI key

Looks like

pattern
pattern

S3-style access key pattern; RGW access keys can also be opaque deployment-specific strings

AKIA[0-9A-Z]{16}

Location

config file

s3 client config, rclone config, application .env files, and deployment manifests

environment
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, RGW_ACCESS_KEY, RGW_SECRET_KEY
secret store

Kubernetes Secrets, cloud secret managers, CI/CD variables, and object-store vault entries

source code

S3 client scripts, tests, and accidentally committed configs

logs

S3 client debug logs and CI output

http header
Authorization

S3 Signature authentication headers derived from access and secret keys

Notes

RGW key blast radius depends on the user's bucket and capability grants.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.