Re: [webmin-l] Webmin security risk!

[Russ F. <ru...@to...>]

On 25 Aug 2006, at 15:48, J=E9r=F4me Wax wrote:

> In complex company, root for a specific computer do not alwars know =20=

> all
> passwords and don't have all power.
>
> Certificates can solve this problem by adding a limitation in time for
> example.
>
> Behind this simple question, most of softwares use now certificates
> mechanism.
>
> Why do not just give webmin users the choice between certificates or
> plain text ?
>
> __________________________
> http://www.lo2k.net
>
> Hamid Hashemi a =E9crit :
>> You are saying that there is no security for that but there is ! As
>> Jamie said the files are readable by root only. and if you think that
>> someone who can access the root files will have problem decoding the
>> passwords are stored in these files, then you are wrong !
>> We have to work on the files security instead of encoding the =20
>> password
>> with some mechanism which can be decoded easily.
>>
>> _Hamid
>>
>> J=E9r=F4me Wax wrote:
>>>>> It could at least be encrypted with a private key and then =20
>>>>> decrypted
>>>>> inside Webmin to pass to the other systems. This would add to the
>>>>> inconvenience of abusing the password, should it be viewed, but =20=

>>>>> any
>>>>> impression of this being a secure solution is an illusion.
>>>>> Even using asymmetric keys, as in ssh, Webmin would still hold =20
>>>>> some
>>>>> credential which could be copied and abused.
>>>>> It's an intractable problem.
>>>>> --r
>>>>>
>>>>>
>>>> Private keys are a one way incription mechanism. You have to =20
>>>> know the
>>>> original password, and then encrypt it with the public key to =20
>>>> see if the
>>>> result is the same. In our case, we want a method that will =20
>>>> allow webmin
>>>> to know the password. There is no simple anwer here. If Webmin =20
>>>> encrypts
>>>> the password, then any potential hacker can use the =20
>>>> encrypription method
>>>> from Webmin to retrieve it. Just a waste of time.
>>>>
>>>>
>>> You close your door after leaving your home but any people can =20
>>> open it
>>> with right tools.
>>> If you let it open, people are encouraged to enter...
>>>
>>> Poor protection is better than none.

Perhaps I should not have started on this topic. Everyone is an =20
expert on security, and sometimes they don't even mind violently =20
agreeing with the previous poster ;^) , but the point is that webmin =20
is in this case not authenticating in incoming transaction, but needs =20=

to be authenticated to an external system. In order to do that, it =20
needs, a key, a password, a token, whatever, and once it has such, =20
there is potential for abuse.

As someone stated, only root can read the file. Therefore the risk =20
occurs only if the 'client' system is compromised. So there should be =20=

nothing to worry about. The comment about private keys being a one-=20
way encryption mechanism is way off. Restating my original position, =20
simple reversible encryption of the password might provide some peace =20=

of mind to those adminstrators who go around  opening files while =20
others are looking over their shoulders, perhaps working on system =20
admin while at the pub. But this is a not a real security measure. =20
Just a fig-leaf. But sometimes a fig-leaf is good enough.

My vote would be to spend time on other aspects of security.

Thanks to Jamie Cameron and all who have contributed to the success =20
of Webmin.

Best wishes,
may peace be upon us.

--r
Russ Ferriday - Topia Systems - multilingual content management
contact: ru...@to... - (+44) (0)2076 1777588 - skype: ferriday
a member of the
evenios group