From: Dov Z. <do...@za...> - 2006-08-25 13:56:54
Hamid Hashemi:
> You are saying that there is no security for that but there is! As
> Jamie said, the files are readable by root only. And if you think that
> someone who can access the root files will have a problem decoding the
> passwords stored in these files, then you are wrong!
> We have to work on file security instead of encoding the password
> with some mechanism which can be decoded easily.
>
My point exactly. The conf file with the password is not like an open
door. Only a hacker with intent to jeopardise the system will know that
there is a password there. And if he got that far, the system is
jeopardised already. Encrypting the password will have no effect. Just
ensuring the proper permissions and using built-in security measures
should be enough. There is no real reason to apply more security
specifically for this password.
> _Hamid
>
> Jérôme Wax wrote:
>>>> It could at least be encrypted with a private key and then decrypted
>>>> inside Webmin to pass to the other systems. This would add to the
>>>> inconvenience of abusing the password, should it be viewed, but any
>>>> impression of this being a secure solution is an illusion.
>>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>>>> credential which could be copied and abused.
>>>> It's an intractable problem.
>>>> --r
>>>>
>>> Private keys are a one-way encryption mechanism. You have to know the
>>> original password, and then encrypt it with the public key to see if the
>>> result is the same. In our case, we want a method that will allow Webmin
>>> to know the password. There is no simple answer here. If Webmin encrypts
>>> the password, then any potential hacker can use the encryption method
>>> from Webmin to retrieve it. Just a waste of time.
>>>
>> You close your door after leaving your home but anyone can open it
>> with the right tools.
>> If you leave it open, people are encouraged to enter...
>>
>> Poor protection is better than none.
>>
>> ___________________________
>> http://www.lo2k.net
>
> --
> Regards
> Seyyed Hamid Reza Hashemi Golpayegani
> Morva System Co., Network Administrator
> ha...@mo... , ICQ# : 42209876
> WINDOWS FOR NOW !! Linux for future , FreeBSD for ever
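The control this message relies on, a password file that only its owner can read, can be verified mechanically. The following Python check is an added example, not part of the original thread and not Webmin code; the function name `audit_secret_file`, the file name `module.conf` and the sample contents are hypothetical.

```python
import os
import stat
import tempfile


def audit_secret_file(path, expected_uid=0):
    """Return a list of findings for a file that stores a password."""
    findings = []
    st = os.lstat(path)  # lstat: do not silently follow a symlink
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit the link target instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"mode {mode:04o} grants group/other access")
    # A parent directory writable by others (without the sticky bit) lets
    # another user rename the file away and plant a replacement.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    writable = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is group/other writable")
    return findings


def demo():
    """Audit a constructed config file before and after tightening it."""
    workdir = tempfile.mkdtemp()            # created with mode 0700
    conf = os.path.join(workdir, "module.conf")
    with open(conf, "w") as fh:
        fh.write("pass=constructed-sample\n")  # constructed sample content
    uid = os.getuid()                       # stand-in for root in this demo
    os.chmod(conf, 0o644)
    before = audit_secret_file(conf, expected_uid=uid)
    os.chmod(conf, 0o600)
    after = audit_secret_file(conf, expected_uid=uid)
    return before, after


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose)
    print("0600:", tight)
```

On a real system the call would use the default `expected_uid=0`, since the thread's premise is that the files are readable by root only.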