#1761 OpenHPI config files should NEVER store clear-text passwords

3.4.0
closed-duplicate
Anton Pak
5
2013-10-21
2012-09-07
sixwags
No

Under no circumstances should ASCII/text files contain passwords in a directly readable, clear-text format. This is considered a major violation of security by service providers. Network service providers have been disallowing clear-text passwords for several years. OpenHPI needs to conform to this as it is being used in service providers' network equipment. We have encountered this several times and the service providers demand fixes to avoid the clear-text passwords in configuration, log, or any ASCII/text files. We discovered clear-text passwords in:
/etc/openhpi/openhpi.conf

As a solution, any passwords stored in configuration files should be encrypted and salted [for salting, see e.g. http://en.wikipedia.org/wiki/Salt_(cryptography)].

Tom Wagner; Alcatel-Lucent; Email: tom.wagner at alcatel-lucent.com
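
A defender-side check for the condition reported above, as an added example that is not part of the original ticket or of OpenHPI: it flags credential-like keys that carry a literal value (without echoing the value) and reports whether the file is readable by group or others. The `key = "value"` layout, the key-name pattern and the sample block are assumptions.

```python
import os
import re
import stat
import tempfile

# Key names that suggest a credential (assumed pattern; extend for your plugins).
SECRET_KEY = re.compile(r"pass|secret", re.IGNORECASE)
# key = "value" assignment, the layout assumed for the config file.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"([^"]*)"')

def find_cleartext_secrets(text):
    """Return (line_number, key) for credential-like keys with a non-empty literal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out entries are not active configuration
        m = ASSIGNMENT.match(line)
        if m and SECRET_KEY.search(m.group(1)) and m.group(2):
            hits.append((lineno, m.group(1)))  # the value itself is never reported
    return hits

def readable_by_others(path):
    """True if group or other has read permission on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = find_cleartext_secrets(fh.read())
    return {"cleartext_keys": hits, "readable_by_others": readable_by_others(path)}

# Constructed sample, not taken from a real deployment.
SAMPLE = '''\
# handler block (constructed)
handler example_plugin {
    addr = "192.0.2.10"
    username = "operator"
    password = "example-only"
    # password = "commented-out"
}
'''

def demo():
    """Write the sample to a temporary file with mode 0644 and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o644)
    try:
        return audit(fh.name)
    finally:
        os.unlink(fh.name)
```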

Discussion

  • dr_mohan
    2013-10-21

    • status: open --> closed-duplicate
    • 3.4.0: --> 3.4.0
     
  • dr_mohan
    2013-10-21

    Duplicate of bug #1759 and feature request 697
    It was closed-fixed with checkins

     
    Last edit: dr_mohan 2013-10-21
  • Tariq Shureih
    2013-10-21

    **ATTENTION**
    This account is disabled and is no longer accessed by the recipient.
    Please remove it from your address book.

    Thanks