Olive Stephen wrote:
> Hi list,
> 
> Here is my problem ... I see all passwords in clear text on my server.

First, kudos for thinking about security.  I like that.

> In PF configuration : /usr/local/pf/conf/pf.conf
> We can find the password of the MySQL database (i.e. pass=p@ck3tf3nc3).

Yup.  I'm not sure there's really a better way to do this.  The password
to connect to the database has to exist somewhere.

Look at it this way...  If an attacker has access to your packetfence
server, you've already lost.  Given that access, even without the
database password, they can inject whatever they need to put a machine
into any network that your packetfence server controls.

> Now I can see all the tables used in PF. And I can see all user
> passwords in the table 'temporary_password'.

I'm not that familiar with what this DB field is for as we use LDAP for
authentication.  BUT, I agree.  This should be encrypted.  bcrypt()
would be desirable.  Perhaps you can open a bug on this and they'll add
it as a feature.

> Next I try to change the admin password in the DB and it works !

This would always be the case, even if the passwords were hashed.
You're changing what the server checks against.

> Is this a security issue? How can I remedy this problem and replace
> passwords with hashes?

Open a bug on it and the devs will take a look.

> Regards
> Olive
> 
> PS: Sorry for my bad English...

Not that bad..  well done.  :)


-- 
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
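The two points Jason makes above (store a salted, slow hash such as bcrypt instead of the clear-text password; and note that anyone who can write to the table can still replace the stored value and log in) are shown below in an added example. This is not code from the thread or from the PacketFence project: bcrypt is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib`, which follows the same pattern (per-user random salt, iterated hash, constant-time compare). The `guest_password` table, its columns and the `pid` values are invented for the example and are not PacketFence's schema.

```python
"""Added example: hashed password storage and login check, plus the
"rewrite the row" case that hashing does not protect against.
Not PacketFence code; table/column names are invented."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Iteration count for PBKDF2-HMAC-SHA256 (OWASP's 2023 guidance is 600,000).
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt is used unless one is supplied (supplying
    one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare it to the stored digest in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or clear-text value: never accept it
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a credentials table (invented schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guest_password "
                 "(pid TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn


def set_password(conn: sqlite3.Connection, pid: str, password: str) -> None:
    """Store only the salted hash, never the clear-text password."""
    conn.execute("INSERT OR REPLACE INTO guest_password (pid, password) "
                 "VALUES (?, ?)", (pid, hash_password(password)))


def stored_value(conn: sqlite3.Connection, pid: str) -> str:
    """What someone reading the table (as in the original post) would see."""
    row = conn.execute("SELECT password FROM guest_password WHERE pid = ?",
                       (pid,)).fetchone()
    return row[0] if row else ""


def login(conn: sqlite3.Connection, pid: str, password: str) -> bool:
    """Check a login attempt against the stored hash."""
    stored = stored_value(conn, pid)
    return bool(stored) and verify_password(password, stored)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (valid login ok, wrong password rejected?, hijack after row
    overwrite succeeded?)."""
    conn = make_db()
    set_password(conn, "guest1", "s3cret-wifi")
    # 1. The clear-text password is no longer readable from the table.
    assert "s3cret-wifi" not in stored_value(conn, "guest1")
    # 2. The real password still works; a wrong one does not.
    ok = login(conn, "guest1", "s3cret-wifi")
    wrong = login(conn, "guest1", "not-the-password")
    # 3. Write access to the table defeats hashing: overwrite the row with
    #    the hash of a password the attacker knows, then log in with it.
    conn.execute("UPDATE guest_password SET password = ? WHERE pid = ?",
                 (hash_password("attacker-chosen"), "guest1"))
    hijacked = login(conn, "guest1", "attacker-chosen")
    return ok, wrong, hijacked


if __name__ == "__main__":
    print(demo())
```

The third step in `demo()` is the point made about changing the admin password in the DB: hashing keeps the original passwords from being read out of the table, but it does not stop someone who can write to the table from swapping in a value they control, which is why the reply treats access to the server itself as the real boundary.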

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users