Menu
▾
▴
Re: [webmin-l] Webmin security risk!
|
From: Hamid H. <ha...@mo...> - 2006-08-25 13:49:42
|
You are saying that there is no security for that but there is ! As Jamie said the files are readable by root only. and if you think that someone who can access the root files will have problem decoding the passwords are stored in these files, then you are wrong ! We have to work on the files security instead of encoding the password with some mechanism which can be decoded easily. _Hamid Jérôme Wax wrote: >>> It could at least be encrypted with a private key and then decrypted >>> inside Webmin to pass to the other systems. This would add to the >>> inconvenience of abusing the password, should it be viewed, but any >>> impression of this being a secure solution is an illusion. >>> Even using asymmetric keys, as in ssh, Webmin would still hold some >>> credential which could be copied and abused. >>> It's an intractable problem. >>> --r >>> >>> >> Private keys are a one way incription mechanism. You have to know the >> original password, and then encrypt it with the public key to see if the >> result is the same. In our case, we want a method that will allow webmin >> to know the password. There is no simple anwer here. If Webmin encrypts >> the password, then any potential hacker can use the encrypription method >> from Webmin to retrieve it. Just a waste of time. >> >> > You close your door after leaving your home but any people can open it > with right tools. > If you let it open, people are encouraged to enter... > > Poor protection is better than none. > > ___________________________ > http://www.lo2k.net > > > ------------------------------------------------------------------------- > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > - > Forwarded by the Webmin mailing list at web...@li... > To remove yourself from this list, go to > http://lists.sourceforge.net/lists/listinfo/webadmin-list > > -- Regards ================================================================= / Seyyed Hamid Reza / WINDOWS FOR NOW !! / / Hashemi Golpayegani / Linux for future , FreeBSD for ever / / Morva System Co. / ------------------------------------- / / Network Administrator/ ha...@mo... , ICQ# : 42209876 / ================================================================ |
