The reason why these are not hashed (and lightly salted) is that some of our
clients use the internal mysql database to do radius authentication.
Doing that requires the passwords to be cleartext or at best in NT and LM
hashed form.
I guess a future release might have an option to specify which hashing
function to apply (or not) to the passwords.
We'd have to carefully look at the cost of doing that in terms of effort and
maintenance.
Ideas and comments are welcome.
Keep 'em coming.
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 2013-08-22, at 16:06, Jason Frisvold <[email protected]> wrote:
> Olive Stephen wrote:
>> Hi list,
>>
>> Here is my problem ... I see all password in clear text on my server.
>
> First, kudos for thinking about security. I like that.
>
>> In PF configuration : /usr/local/pf/conf/pf.conf
>> We can find the password of the MySQL database (ie pass=p@ck3tf3nc3).
>
> Yup. I'm not sure there's really a better way to do this. The password
> to connect to the database has to exist somewhere.
>
> Look at it this way... If an attacker has access to your packetfence
> server, you've already lost. Given that access, even without the
> database password, they can inject whatever they need to put a machine
> into any network that your packetfence server controls.
>
>> Now I can see all the tables used in PF. And I can see all user
>> passwords in table 'temporary_password'.
>
> I'm not that familiar with what this DB field is for as we use ldap for
> authentication. BUT, I agree. This should be encrypted. bcrypt()
> would be desirable. Perhaps you can open a bug on this and they'll add
> it as a feature.
>
>> Next I try to change the admin password in the DB and it works!
>
> This would always be the case, even if the passwords were hashed.
> You're changing what the server checks against.
>
>> Is this a security issue? How can I remedy this problem and replace
>> passwords with hashes?
>
> Open a bug on it and the devs will take a look.
>
>> Regards
>> Olive
>>
>> PS: Sorry for my bad English...
>
> Not that bad.. well done. :)
>
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
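Louis's point that RADIUS authentication against the MySQL table needs the password in cleartext or NT/LM-hashed form, and Jason's wish for a bcrypt-style hash, as an added illustration that is not PacketFence code: a hypothetical per-deployment `scheme` selector stores one password as cleartext, as an NT hash, or as a salted PBKDF2 record (standing in for bcrypt, which is outside the standard library), and shows which records a password-carrying (PAP or web) login can be verified against and which can still serve MS-CHAPv2. The names `_md4`, `SCHEMES`, `MSCHAPV2_CAPABLE` and `verify` are my own, not a PacketFence API.

```python
import hashlib
import hmac
import os
import struct

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled in modern OpenSSL builds."""
    n = len(data)
    data += b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", n * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (mix function, additive constant, order of message words, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF
                s = shifts[i % 4]
                a, d, c, b = d, c, b, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over UTF-16LE; the form MS-CHAPv2 RADIUS checks need at minimum."""
    return _md4(password.encode("utf-16-le")).hex()

def pbkdf2_record(password: str, salt=None) -> str:
    """Salted, slow hash; verifiable only when the client sends the password itself (PAP, web login)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"

# Hypothetical per-deployment choice of storage scheme; "plain" is today's temporary_password behaviour.
SCHEMES = {"plain": lambda p: p, "ntlm": nt_hash, "pbkdf2": pbkdf2_record}
MSCHAPV2_CAPABLE = {"plain", "ntlm"}  # a pbkdf2 record cannot be turned back into the NT hash

def verify(password: str, record: str, scheme: str) -> bool:
    """Check a password-carrying login against a stored record, constant-time in every scheme."""
    if scheme == "pbkdf2":
        salt = bytes.fromhex(record.split("$")[1])
        return hmac.compare_digest(pbkdf2_record(password, salt).encode(), record.encode())
    return hmac.compare_digest(SCHEMES[scheme](password).encode(), record.encode())
```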