From: Munzir T. <mun...@gm...> - 2006-08-24 12:07:11

Hi,

I noticed that webmin stores passwords unencrypted in its configuration files. This is a security risk. If someone manages to find any vulnerability to read those files, he won't need to waste any time trying to crack them, which is a serious issue.

-- 
Munzir Taha
Telecommunications and Electronics Engineer
Maintainer of Fedora Arabic Translation Project
https://listman.redhat.com/mailman/listinfo/fedora-trans-ar
Maintainer of the OpenBugs project page at
http://www.arabic-fedora.org/munzir/OpenBugs.html
Master CIW Designer, ICDL, MOUS, Linux+, LPI 101
Riyadh, SA

From: Jamie C. <jca...@we...> - 2006-08-24 15:38:11

On 24/Aug/2006 05:07 Munzir Taha (منذر طه) wrote ..
> Hi,
> I noticed that webmin stores passwords unencrypted in its configuration
> files. This is a security risk. If someone manages to find any vulnerability to
> read those files, he won't need to waste any time trying to crack them, which
> is a serious issue.

That is true - in some cases, Webmin needs to store passwords (like the mysql login) in a file. This is needed because connecting to mysql requires knowledge of the plain text password.

Fortunately, the mysql and postgresql modules are the only two I can think of that have this requirement. And the files are only readable by root, so there is no security risk from normal users..

- Jamie

From: Munzir T. <mun...@gm...> - 2006-08-25 05:29:42

On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
> On 24/Aug/2006 05:07 Munzir Taha wrote ..
> > Hi,
> > I noticed that webmin stores passwords unencrypted in its configuration
> > files. This is a security risk. If someone manages to find any
> > vulnerability to read those files, he won't need to waste any time trying
> > to crack them, which is a serious issue.
>
> That is true - in some cases, Webmin needs to store passwords (like the
> mysql login) in a file. This is needed because connecting to mysql requires
> knowledge of the plain text password.

That's fine with me. After all, one can secure mysql to only accept connections from localhost.

> Fortunately, the mysql and postgresql modules are the only two I can think
> of that have this requirement.

The real problem is having the root password in this file
/etc/webmin/servers/1108941386.serv
Maybe this is because I am monitoring another server from webmin.

> And the files are only readable by root, so
> there is no security risk from normal users..

As I read it, the vulnerability discovered in webmin 1.29- would allow any anonymous user to read any system file whatever the permissions are. In such cases the administrator needs some time to provide the patch. After all, this is why the system root password is not only kept in the shadow file, which is not readable by everyone, but also kept encrypted.

Keep up the good work.

-- 
Munzir Taha
Telecommunications and Electronics Engineer
Maintainer of Fedora Arabic Translation Project
https://listman.redhat.com/mailman/listinfo/fedora-trans-ar
Maintainer of the OpenBugs project page at
http://www.arabic-fedora.org/munzir/OpenBugs.html
Master CIW Designer, ICDL, MOUS, Linux+, LPI 101
Riyadh, SA

From: Jamie C. <jca...@we...> - 2006-08-25 05:47:53

On 24/Aug/2006 22:30 Munzir Taha (منذر طه) wrote ..
> On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
> > On 24/Aug/2006 05:07 Munzir Taha wrote ..
> > > Hi,
> > > I noticed that webmin stores passwords unencrypted in its configuration
> > > files. This is a security risk. If someone manages to find any
> > > vulnerability to read those files, he won't need to waste any time
> > > trying to crack them, which is a serious issue.
> >
> > That is true - in some cases, Webmin needs to store passwords (like the
> > mysql login) in a file. This is needed because connecting to mysql requires
> > knowledge of the plain text password.
>
> That's fine with me. After all, one can secure mysql to only accept
> connections from localhost.
>
> > Fortunately, the mysql and postgresql modules are the only two I can
> > think of that have this requirement.
>
> The real problem is having the root password in this file
> /etc/webmin/servers/1108941386.serv
> Maybe this is because I am monitoring another server from webmin.

That's right .. the master Webmin needs to store the password of the other server.

> > And the files are only readable by root, so
> > there is no security risk from normal users..
>
> As I read it, the vulnerability discovered in webmin 1.29- would allow any
> anonymous user to read any system file whatever the permissions are. In
> such cases the administrator needs some time to provide the patch. After all,
> this is why the system root password is not only kept in the shadow file, which
> is not readable by everyone, but also kept encrypted.

Keeping it one-way encrypted like in the shadow file is OK for validating users, but not for automatically logging into other systems like Webmin does..

- Jamie

From: Barry <we...@i1...> - 2006-08-25 06:49:11

Am I crazy to want to use FC5 rpms to update a CentOS 4.3 system? Current candidates include dovecot and php. The system is x86_64, and yum is not showing the latest and greatest. Probably not because of the x86_64 part but because of the RHEL 4 part, huh?

Best,
Barry

From: Munzir T. <mun...@gm...> - 2006-08-25 11:00:10

On Friday 25 August 2006 08:47, Jamie Cameron wrote:
> On 24/Aug/2006 22:30 Munzir Taha wrote ..
> > On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
> > > On 24/Aug/2006 05:07 Munzir Taha wrote ..
> >
> > The real problem is having the root password in this file
> > /etc/webmin/servers/1108941386.serv
> > Maybe this is because I am monitoring another server from webmin.
>
> That's right .. the master Webmin needs to store the password of the
> other server.
>
> > > And the files are only readable by root, so
> > > there is no security risk from normal users..
> >
> > As I read it, the vulnerability discovered in webmin 1.29- would allow any
> > anonymous user to read any system file whatever the permissions are. In
> > such cases the administrator needs some time to provide the patch.
> > After all, this is why the system root password is not only kept in
> > the shadow file, which is not readable by everyone, but also kept encrypted.
>
> Keeping it one-way encrypted like in the shadow file is OK for validating
> users, but not for automatically logging into other systems like Webmin
> does..

I don't know how webmin works, but isn't there any way to encrypt it while not losing webmin features?

-- 
Munzir Taha
Telecommunications and Electronics Engineer
Maintainer of Fedora Arabic Translation Project
https://listman.redhat.com/mailman/listinfo/fedora-trans-ar
Maintainer of the OpenBugs project page at
http://www.arabic-fedora.org/munzir/OpenBugs.html
Master CIW Designer, ICDL, MOUS, Linux+, LPI 101
Riyadh, SA

From: Russ F. <ru...@to...> - 2006-08-25 11:51:41

On 25 Aug 2006, at 11:59, Munzir Taha (منذر طه) wrote:
> On Friday 25 August 2006 08:47, Jamie Cameron wrote:
>> On 24/Aug/2006 22:30 Munzir Taha wrote ..
>>
>>> On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
>>>> On 24/Aug/2006 05:07 Munzir Taha wrote ..
>>>
>>> The real problem is having the root password in this file
>>> /etc/webmin/servers/1108941386.serv
>>> Maybe this is because I am monitoring another server from webmin.
>>
>> That's right .. the master Webmin needs to store the password of the
>> other server.
>>
>>>> And the files are only readable by root, so
>>>> there is no security risk from normal users..
>>>
>>> As I read it, the vulnerability discovered in webmin 1.29- would
>>> allow any anonymous user to read any system file whatever the permissions
>>> are. In such cases the administrator needs some time to provide the patch.
>>> After all, this is why the system root password is not only kept in
>>> the shadow file, which is not readable by everyone, but also kept encrypted.
>>
>> Keeping it one-way encrypted like in the shadow file is OK for
>> validating users, but not for automatically logging into other systems like
>> Webmin does..
>
> I don't know how webmin works, but isn't there any way to
> encrypt it while not losing webmin features?

It could at least be encrypted with a private key and then decrypted inside Webmin to pass to the other systems. This would add to the inconvenience of abusing the password, should it be viewed, but any impression of this being a secure solution is an illusion.

Even using asymmetric keys, as in ssh, Webmin would still hold some credential which could be copied and abused.

It's an intractable problem.

--r

Russ Ferriday - Topia Systems - multilingual content management
contact: ru...@to... - (+44) (0)2076 1777588 - skype: ferriday
a member of the evenios group

From: Dov Z. <do...@za...> - 2006-08-25 12:30:32

Quoting Russ Ferriday:
> On 25 Aug 2006, at 11:59, Munzir Taha (منذر طه) wrote:
>
>> On Friday 25 August 2006 08:47, Jamie Cameron wrote:
>>> On 24/Aug/2006 22:30 Munzir Taha wrote ..
>>>
>>>> On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
>>>>> On 24/Aug/2006 05:07 Munzir Taha wrote ..
>>>>
>>>> The real problem is having the root password in this file
>>>> /etc/webmin/servers/1108941386.serv
>>>> Maybe this is because I am monitoring another server from webmin.
>>>
>>> That's right .. the master Webmin needs to store the password of the
>>> other server.
>>>
>>>>> And the files are only readable by root, so
>>>>> there is no security risk from normal users..
>>>>
>>>> As I read it, the vulnerability discovered in webmin 1.29- would allow any
>>>> anonymous user to read any system file whatever the permissions are. In
>>>> such cases the administrator needs some time to provide the patch.
>>>> After all, this is why the system root password is not only kept in
>>>> the shadow file, which is not readable by everyone, but also kept encrypted.
>>>
>>> Keeping it one-way encrypted like in the shadow file is OK for
>>> validating users, but not for automatically logging into other systems like
>>> Webmin does..
>>
>> I don't know how webmin works, but isn't there any way to
>> encrypt it while not losing webmin features?
>
> It could at least be encrypted with a private key and then decrypted
> inside Webmin to pass to the other systems. This would add to the
> inconvenience of abusing the password, should it be viewed, but any
> impression of this being a secure solution is an illusion.
> Even using asymmetric keys, as in ssh, Webmin would still hold some
> credential which could be copied and abused.
> It's an intractable problem.
> --r

Private keys are a one-way encryption mechanism. You have to know the original password, and then encrypt it with the public key to see if the result is the same. In our case, we want a method that will allow webmin to know the password. There is no simple answer here. If Webmin encrypts the password, then any potential hacker can use the encryption method from Webmin to retrieve it. Just a waste of time.

From: <jer...@li...> - 2006-08-25 13:19:25

>> It could at least be encrypted with a private key and then decrypted
>> inside Webmin to pass to the other systems. This would add to the
>> inconvenience of abusing the password, should it be viewed, but any
>> impression of this being a secure solution is an illusion.
>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>> credential which could be copied and abused.
>> It's an intractable problem.
>> --r
>>
> Private keys are a one-way encryption mechanism. You have to know the
> original password, and then encrypt it with the public key to see if the
> result is the same. In our case, we want a method that will allow webmin
> to know the password. There is no simple answer here. If Webmin encrypts
> the password, then any potential hacker can use the encryption method
> from Webmin to retrieve it. Just a waste of time.
>

You close your door after leaving your home, but anyone can open it with the right tools. If you leave it open, people are encouraged to enter...

Poor protection is better than none.

___________________________
http://www.lo2k.net

From: Dov Z. <do...@za...> - 2006-08-25 13:22:42

Quoting Jérôme Wax:
>
>>> It could at least be encrypted with a private key and then decrypted
>>> inside Webmin to pass to the other systems. This would add to the
>>> inconvenience of abusing the password, should it be viewed, but any
>>> impression of this being a secure solution is an illusion.
>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>>> credential which could be copied and abused.
>>> It's an intractable problem.
>>> --r
>>>
>> Private keys are a one-way encryption mechanism. You have to know the
>> original password, and then encrypt it with the public key to see if
>> the result is the same. In our case, we want a method that will allow
>> webmin to know the password. There is no simple answer here. If Webmin
>> encrypts the password, then any potential hacker can use the
>> encryption method from Webmin to retrieve it. Just a waste of time.
>>
> You close your door after leaving your home, but anyone can open it
> with the right tools.
> If you leave it open, people are encouraged to enter...
>
> Poor protection is better than none.

Not really. Poor protection gives a false sense of security. At least you know what the risks are when you leave your door open.

From: Hamid H. <ha...@mo...> - 2006-08-25 13:49:42

You are saying that there is no security for that, but there is! As Jamie said, the files are readable by root only. And if you think that someone who can access the root files will have a problem decoding the passwords that are stored in these files, then you are wrong! We have to work on the file security instead of encoding the password with some mechanism which can be decoded easily.

_Hamid

Jérôme Wax wrote:
>>> It could at least be encrypted with a private key and then decrypted
>>> inside Webmin to pass to the other systems. This would add to the
>>> inconvenience of abusing the password, should it be viewed, but any
>>> impression of this being a secure solution is an illusion.
>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>>> credential which could be copied and abused.
>>> It's an intractable problem.
>>> --r
>>>
>>>
>> Private keys are a one-way encryption mechanism. You have to know the
>> original password, and then encrypt it with the public key to see if the
>> result is the same. In our case, we want a method that will allow webmin
>> to know the password. There is no simple answer here. If Webmin encrypts
>> the password, then any potential hacker can use the encryption method
>> from Webmin to retrieve it. Just a waste of time.
>>
>>
> You close your door after leaving your home, but anyone can open it
> with the right tools.
> If you leave it open, people are encouraged to enter...
>
> Poor protection is better than none.
>
> ___________________________
> http://www.lo2k.net

-- 
Regards
=================================================================
/ Seyyed Hamid Reza      / WINDOWS FOR NOW !!                    /
/ Hashemi Golpayegani    / Linux for future , FreeBSD for ever   /
/ Morva System Co.       / ------------------------------------- /
/ Network Administrator  / ha...@mo... , ICQ# : 42209876        /
================================================================

From: Dov Z. <do...@za...> - 2006-08-25 13:56:54

Quoting Hamid Hashemi:
> You are saying that there is no security for that, but there is! As
> Jamie said, the files are readable by root only. And if you think that
> someone who can access the root files will have a problem decoding the
> passwords that are stored in these files, then you are wrong!
> We have to work on the file security instead of encoding the password
> with some mechanism which can be decoded easily.
>

My point exactly. The conf file with the password is not like an open door. Only a hacker with intent to jeopardise the system will know that there is a password there. And if he got that far, the system is jeopardised already. Encrypting the password will have no effect. Just ensuring the proper permissions and using built-in security measures should be enough. There is no real reason to apply more security specifically for this password.

> _Hamid
>
> Jérôme Wax wrote:
>>>> It could at least be encrypted with a private key and then decrypted
>>>> inside Webmin to pass to the other systems. This would add to the
>>>> inconvenience of abusing the password, should it be viewed, but any
>>>> impression of this being a secure solution is an illusion.
>>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>>>> credential which could be copied and abused.
>>>> It's an intractable problem.
>>>> --r
>>>>
>>>>
>>> Private keys are a one-way encryption mechanism. You have to know the
>>> original password, and then encrypt it with the public key to see if the
>>> result is the same. In our case, we want a method that will allow webmin
>>> to know the password. There is no simple answer here. If Webmin encrypts
>>> the password, then any potential hacker can use the encryption method
>>> from Webmin to retrieve it. Just a waste of time.
>>>
>>>
>> You close your door after leaving your home, but anyone can open it
>> with the right tools.
>> If you leave it open, people are encouraged to enter...
>>
>> Poor protection is better than none.
>>
>> ___________________________
>> http://www.lo2k.net
>>
>
> --
> Regards
> =================================================================
> / Seyyed Hamid Reza      / WINDOWS FOR NOW !!                    /
> / Hashemi Golpayegani    / Linux for future , FreeBSD for ever   /
> / Morva System Co.       / ------------------------------------- /
> / Network Administrator  / ha...@mo... , ICQ# : 42209876        /
> ================================================================

From: <jer...@li...> - 2006-08-25 14:48:44

In a complex company, root for a specific computer does not always know all passwords and doesn't have all the power.

Certificates can solve this problem by adding a limitation in time, for example.

Behind this simple question, most software now uses certificate mechanisms.

Why not just give webmin users the choice between certificates or plain text?

__________________________
http://www.lo2k.net

Hamid Hashemi wrote:
> You are saying that there is no security for that, but there is! As
> Jamie said, the files are readable by root only. And if you think that
> someone who can access the root files will have a problem decoding the
> passwords that are stored in these files, then you are wrong!
> We have to work on the file security instead of encoding the password
> with some mechanism which can be decoded easily.
>
> _Hamid
>
> Jérôme Wax wrote:
>>>> It could at least be encrypted with a private key and then decrypted
>>>> inside Webmin to pass to the other systems. This would add to the
>>>> inconvenience of abusing the password, should it be viewed, but any
>>>> impression of this being a secure solution is an illusion.
>>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
>>>> credential which could be copied and abused.
>>>> It's an intractable problem.
>>>> --r
>>>>
>>>>
>>> Private keys are a one-way encryption mechanism. You have to know the
>>> original password, and then encrypt it with the public key to see if the
>>> result is the same. In our case, we want a method that will allow webmin
>>> to know the password. There is no simple answer here. If Webmin encrypts
>>> the password, then any potential hacker can use the encryption method
>>> from Webmin to retrieve it. Just a waste of time.
>>>
>>>
>> You close your door after leaving your home, but anyone can open it
>> with the right tools.
>> If you leave it open, people are encouraged to enter...
>>
>> Poor protection is better than none.
>>

From: Jamie C. <jca...@we...> - 2006-08-25 17:12:24

Even a cert wouldn't help in this case, as again Webmin would need to be able to read that cert, and thus so could an attacker.

If someone has root access on a Webmin system that is controlling other slaves (via the Webmin Servers Index module and cluster features), even if some amazing form of security prevents him from getting the password, he could still do nasty things by changing the code on the master system to send malicious commands to slaves when a legitimate user uses the master.

- Jamie

On 25/Aug/2006 07:48 Jérôme Wax wrote ..
> In a complex company, root for a specific computer does not always know all
> passwords and doesn't have all the power.
>
> Certificates can solve this problem by adding a limitation in time, for
> example.
>
> Behind this simple question, most software now uses certificate
> mechanisms.
>
> Why not just give webmin users the choice between certificates or
> plain text?
>
> __________________________
> http://www.lo2k.net
>
> Hamid Hashemi wrote:
> > You are saying that there is no security for that, but there is! As
> > Jamie said, the files are readable by root only. And if you think that
> > someone who can access the root files will have a problem decoding the
> > passwords that are stored in these files, then you are wrong!
> > We have to work on the file security instead of encoding the password
> > with some mechanism which can be decoded easily.
> >
> > _Hamid
> >
> > Jérôme Wax wrote:
> >>>> It could at least be encrypted with a private key and then decrypted
> >>>> inside Webmin to pass to the other systems. This would add to the
> >>>> inconvenience of abusing the password, should it be viewed, but any
> >>>> impression of this being a secure solution is an illusion.
> >>>> Even using asymmetric keys, as in ssh, Webmin would still hold some
> >>>> credential which could be copied and abused.
> >>>> It's an intractable problem.
> >>>> --r
> >>>>
> >>>>
> >>> Private keys are a one-way encryption mechanism. You have to know the
> >>> original password, and then encrypt it with the public key to see if
> >>> the result is the same. In our case, we want a method that will allow webmin
> >>> to know the password. There is no simple answer here. If Webmin encrypts
> >>> the password, then any potential hacker can use the encryption method
> >>> from Webmin to retrieve it. Just a waste of time.
> >>>
> >>>
> >> You close your door after leaving your home, but anyone can open
> >> it with the right tools.
> >> If you leave it open, people are encouraged to enter...
> >>
> >> Poor protection is better than none.
> >>

From: Russ F. <ru...@to...> - 2006-08-25 17:41:49

On 25 Aug 2006, at 15:48, Jérôme Wax wrote:
> In a complex company, root for a specific computer does not always know
> all passwords and doesn't have all the power.
>
> Certificates can solve this problem by adding a limitation in time, for
> example.
>
> Behind this simple question, most software now uses certificate
> mechanisms.
>
> Why not just give webmin users the choice between certificates or
> plain text?
>
> __________________________
> http://www.lo2k.net
>
> Hamid Hashemi wrote:
>> You are saying that there is no security for that, but there is! As
>> Jamie said, the files are readable by root only. And if you think that
>> someone who can access the root files will have a problem decoding the
>> passwords that are stored in these files, then you are wrong!
>> We have to work on the file security instead of encoding the
>> password with some mechanism which can be decoded easily.
>>
>> _Hamid
>>
>> Jérôme Wax wrote:
>>>>> It could at least be encrypted with a private key and then
>>>>> decrypted inside Webmin to pass to the other systems. This would add to the
>>>>> inconvenience of abusing the password, should it be viewed, but
>>>>> any impression of this being a secure solution is an illusion.
>>>>> Even using asymmetric keys, as in ssh, Webmin would still hold
>>>>> some credential which could be copied and abused.
>>>>> It's an intractable problem.
>>>>> --r
>>>>>
>>>>>
>>>> Private keys are a one-way encryption mechanism. You have to
>>>> know the original password, and then encrypt it with the public key to
>>>> see if the result is the same. In our case, we want a method that will
>>>> allow webmin to know the password. There is no simple answer here. If Webmin
>>>> encrypts the password, then any potential hacker can use the
>>>> encryption method from Webmin to retrieve it. Just a waste of time.
>>>>
>>>>
>>> You close your door after leaving your home, but anyone can
>>> open it with the right tools.
>>> If you leave it open, people are encouraged to enter...
>>>
>>> Poor protection is better than none.

Perhaps I should not have started on this topic. Everyone is an expert on security, and sometimes they don't even mind violently agreeing with the previous poster ;^) , but the point is that webmin is in this case not authenticating an incoming transaction, but needs to be authenticated to an external system. In order to do that, it needs a key, a password, a token, whatever, and once it has such, there is potential for abuse.

As someone stated, only root can read the file. Therefore the risk occurs only if the 'client' system is compromised. So there should be nothing to worry about. The comment about private keys being a one-way encryption mechanism is way off. Restating my original position, simple reversible encryption of the password might provide some peace of mind to those administrators who go around opening files while others are looking over their shoulders, perhaps working on system admin while at the pub. But this is not a real security measure. Just a fig-leaf. But sometimes a fig-leaf is good enough.

My vote would be to spend time on other aspects of security.

Thanks to Jamie Cameron and all who have contributed to the success of Webmin.

Best wishes, may peace be upon us.

--r

Russ Ferriday - Topia Systems - multilingual content management
contact: ru...@to... - (+44) (0)2076 1777588 - skype: ferriday
a member of the evenios group

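An added example, not code from the original thread or from Webmin itself, to make concrete the two models the thread keeps circling: the one-way hash Jamie compares to /etc/shadow (enough to verify a password that is presented to you, useless for presenting it to another system) and the recoverable credential the master Webmin must hold for its slaves, where the only remaining control, as Hamid and Dov argue, is who can read the file. The script hashes and verifies a password, then audits two constructed sample credential files for the permission problems an administrator would look for (symlink, wrong owner, any group/other bits). The `.serv` key names and sample contents are made up for the example and are not Webmin's real file format; PBKDF2 stands in for whatever hash the shadow file on a given system uses.

```python
"""Verify-only hashing vs. a recoverable credential file (added example)."""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile


# ---- Model 1: one-way hash. Lets us *verify* a password presented to us;
# cannot be turned back into the password, so it cannot log in elsewhere.

def hash_password(password, salt=None, rounds=200_000):
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex'. Only this string is stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256${}${}${}".format(rounds, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute from the stored salt and round count; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


# ---- Model 2: the master must *present* the slave's password, so the file
# holds it in recoverable form. Audit the file rather than pretend otherwise.

def audit_credential_file(path, expected_uid=0):
    """Return a list of findings for a file holding a recoverable credential.

    An empty list means: a regular file (not a symlink), owned by expected_uid,
    with no group or other permission bits (mode 0600 or tighter).
    """
    findings = []
    st = os.lstat(path)                     # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit the target instead"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != expected_uid:
        findings.append("owner uid {} != expected {}".format(st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set: mode {:04o}".format(stat.S_IMODE(st.st_mode)))
    return findings


def demo():
    """Write two constructed sample credential files and audit both.

    Returns {'loose': [...findings...], 'tight': []}. The files live in a
    temporary directory owned by the current user, so the owner check is run
    against os.getuid() rather than root.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "loose.serv")
        tight = os.path.join(d, "tight.serv")
        for p in (loose, tight):
            with open(p, "w") as f:
                # constructed sample content; not Webmin's real .serv format
                f.write("host=slave.example\nuser=root\npass=example-only\n")
        os.chmod(loose, 0o644)   # the weak setting: readable by everyone
        os.chmod(tight, 0o600)   # the setting the thread relies on
        me = os.getuid()
        results["loose"] = audit_credential_file(loose, expected_uid=me)
        results["tight"] = audit_credential_file(tight, expected_uid=me)
    return results


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("verify good:", verify_password("correct horse battery staple", stored))
    print("verify bad: ", verify_password("wrong", stored))
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Running it as root against a real deployment means calling `audit_credential_file` on each file under the credential directory with `expected_uid=0`; the point of `lstat` and the symlink finding is that a world-readable symlink pointing at a tightly-permissioned file would otherwise pass a naive `stat`-based check.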
From: Munzir T. <mun...@gm...> - 2006-08-25 14:17:56

On Friday 25 August 2006 16:22, Dov Zamir wrote:
> Quoting Jérôme Wax:
> > You close your door after leaving your home, but anyone can open it
> > with the right tools.
> > If you leave it open, people are encouraged to enter...
> >
> > Poor protection is better than none.
>
> Not really. Poor protection gives a false sense of security. At least
> you know what the risks are when you leave your door open.

I'd love it if you told me where your home is located, to see whether you do what you believe in ;)

-- 
Munzir Taha
Telecommunications and Electronics Engineer
Maintainer of Fedora Arabic Translation Project
https://listman.redhat.com/mailman/listinfo/fedora-trans-ar
Maintainer of the OpenBugs project page at
http://www.arabic-fedora.org/munzir/OpenBugs.html
Master CIW Designer, ICDL, MOUS, Linux+, LPI 101
Riyadh, SA

From: Dov Z. <do...@za...> - 2006-08-25 14:22:10

Quoting Munzir Taha (منذر طه):
> On Friday 25 August 2006 16:22, Dov Zamir wrote:
>
>> Quoting Jérôme Wax:
>>
>>> You close your door after leaving your home, but anyone can open it
>>> with the right tools.
>>> If you leave it open, people are encouraged to enter...
>>>
>>> Poor protection is better than none.
>>
>> Not really. Poor protection gives a false sense of security. At least
>> you know what the risks are when you leave your door open.
>
> I'd love it if you told me where your home is located, to see whether you do
> what you believe in ;)

Now you are misunderstanding. I do not preach no security, but rather good security. What I'm saying is that bad security is worse than no security. And yes, I do lock my door when I leave home.

From: Andreas M. <and...@sb...> - 2006-08-30 10:45:41

Jamie Cameron wrote:
> On 24/Aug/2006 22:30 Munzir Taha (منذر طه) wrote ..
>> The real problem is having the root password in this file
>> /etc/webmin/servers/1108941386.serv
>> Maybe this is because I am monitoring another server from webmin.
>
> That's right .. the master Webmin needs to store the password of the
> other server.

Hello,

is this the password for webmin or the root password of the other server? Does webmin connect to the remote server through the webmin port, or does it directly call scripts/apps on the other server?

Bye
Andreas

From: Jamie C. <jca...@we...> - 2006-08-30 16:06:10

On 30/Aug/2006 03:45 Andreas Moroder wrote ..
> Jamie Cameron wrote:
> > On 24/Aug/2006 22:30 Munzir Taha (منذر طه) wrote ..
> >> The real problem is having the root password in this file
> >> /etc/webmin/servers/1108941386.serv
> >> Maybe this is because I am monitoring another server from webmin.
> >
> > That's right .. the master Webmin needs to store the password of the
> > other server.
> Hello,
>
> is this the password for webmin or the root password of the other server

It is the Webmin password (which may be the same as the root password).

> ? Does webmin connect to the remote server through the webmin port, or
> does it directly call scripts/apps on the other server?

The connection is made via the webmin port, using its built-in RPC-over-HTTP mechanism.

- Jamie