From: <jer...@li...> - 2006-08-25 14:48:44

In a complex company, root for a specific computer does not always know all
passwords and doesn't have all power.
Certificates can solve this problem by adding a limitation in time, for
example.
Behind this simple question, most software now uses a certificate
mechanism.
Why not just give Webmin users the choice between certificates or
plain text?
__________________________
http://www.lo2k.net

Hamid Hashemi wrote:
> You are saying that there is no security for that but there is! As
> Jamie said, the files are readable by root only, and if you think that
> someone who can access the root files will have a problem decoding the
> passwords stored in these files, then you are wrong!
> We have to work on the files' security instead of encoding the password
> with some mechanism which can be decoded easily.
>
> _Hamid
>
> Jérôme Wax wrote:
>>>> It could at least be encrypted with a private key and then decrypted
>>>> inside Webmin to pass to the other systems. This would add to the
>>>> inconvenience of abusing the password, should it be viewed, but any
>>>> impression of this being a secure solution is an illusion.
>>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>>>> credential which could be copied and abused.
>>>> It's an intractable problem.
>>>> --r
>>>>
>>> Private keys are a one-way encryption mechanism. You have to know the
>>> original password, and then encrypt it with the public key to see if the
>>> result is the same. In our case, we want a method that will allow Webmin
>>> to know the password. There is no simple answer here. If Webmin encrypts
>>> the password, then any potential hacker can use the encryption method
>>> from Webmin to retrieve it. Just a waste of time.
>>>
>> You close your door after leaving your home but anyone can open it
>> with the right tools.
>> If you leave it open, people are encouraged to enter...
>>
>> Poor protection is better than none.
>>
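Added example, not part of the thread and not Webmin code: the "readable by root only" property that Hamid's reply relies on can be checked mechanically. The function name `audit_credential_files`, its `expected_uid` parameter, and the file names and contents in `demo()` are constructed for illustration; a POSIX system is assumed.

```python
import os
import stat
import tempfile


def audit_credential_files(directory, expected_uid=0):
    """Return (path, reason) pairs for files that are not owner-only.

    expected_uid defaults to 0 (root); both names are hypothetical.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink, target not checked"))
                continue
            if st.st_uid != expected_uid:
                findings.append((path, f"owner uid {st.st_uid}, expected {expected_uid}"))
            # Any group or other permission bit means non-owners have access.
            loose = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
            if loose:
                findings.append((path, f"group/other bits set: {loose:03o}"))
    return findings


def demo():
    """Build a constructed directory with one tight and one loose file."""
    with tempfile.TemporaryDirectory() as d:
        tight = os.path.join(d, "server-a.conf")   # constructed name
        loose = os.path.join(d, "server-b.conf")   # constructed name
        for path, mode in ((tight, 0o600), (loose, 0o644)):
            with open(path, "w") as fh:
                fh.write("pass=constructed-sample\n")
            os.chmod(path, mode)
        # The demo files belong to the current user, so audit against that uid.
        found = audit_credential_files(d, expected_uid=os.getuid())
        return [(os.path.basename(p), reason) for p, reason in found]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

A clean result only confirms the precondition of the "root only" argument; it says nothing about an account that already has root, which is the case the quoted replies disagree about.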