From: Dov Z. <do...@za...> - 2006-08-25 13:22:42
Quoting Jérôme Wax:
>
>>> It could at least be encrypted with a private key and then decrypted
>>> inside Webmin to pass to the other systems. This would add to the
>>> inconvenience of abusing the password, should it be viewed, but any
>>> impression of this being a secure solution is an illusion.
>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>>> credential which could be copied and abused.
>>> It's an intractable problem.
>>> --r
>>>
>> Private keys are a one-way encryption mechanism. You have to know the
>> original password, and then encrypt it with the public key to see if
>> the result is the same. In our case, we want a method that will allow
>> Webmin to know the password. There is no simple answer here. If Webmin
>> encrypts the password, then any potential hacker can use the
>> encryption method from Webmin to retrieve it. Just a waste of time.
>>
> You close your door after leaving your home, but anyone can open it
> with the right tools.
> If you leave it open, people are encouraged to enter...
>
> Poor protection is better than none.

Not really. Poor protection gives a false sense of security. At least
you know what the risks are when you leave your door open.