On 3/29/06, LJ Rand <[EMAIL PROTECTED]> wrote:
>
> I have updated to RELENG_1_SNAPSHOT_03.
>
> I am concerned about having plain text passwords in
> the config.xml file, especially the one used by pfsync
> to get to the webgui interface of the second pfsense
> box. What extra precautions can be taken to avoid
> this, or to at least mitigate the risk?
- Don't store the config file on removable media.
- Only give out the administration password (uhhh...the same one as is stored in the config file!) to authorized administrators.
- Don't allow physical access to the firewall by non-authorized people.
- Don't email config.xml files w/out encrypting them first.
- Don't store config.xml files on any machine other than the firewall without encrypting them first.
- Don't transfer the config.xml file as a backup from the firewall without using SSL (although...this is more important - don't administer the firewall w/out using SSL, as HTTP BASIC auth transmits your credentials in the clear, as would any other means of authorization we used).

In short...you know it's there, don't be stupid.

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
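Before a config.xml leaves the firewall (as an e-mail attachment, a backup, or a copy pasted into a support request), it helps to know exactly which elements carry credentials in the clear, and to blank them out if the copy does not need them. The script below is an added example, not part of the thread or of pfSense itself. It walks a constructed sample document with the standard-library XML parser, reports every element whose tag name looks like a credential, and produces a redacted copy. The element names in the sample (`<user>/<password>`, `<carpsettings>/<password>`, `<pppoe_password>`) are assumptions standing in for whatever the real config.xml of a given release contains; the tag-name heuristic in `SECRET_MARKERS` is likewise an assumption you should extend after inspecting your own file.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample standing in for a pfSense config.xml. The element names
# are illustrative assumptions, not a statement of the real schema.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw1</hostname>
    <user>
      <name>admin</name>
      <password>hunter2</password>
    </user>
  </system>
  <installedpackages>
    <carpsettings>
      <synchronizetoip>192.0.2.2</synchronizetoip>
      <username>admin</username>
      <password>hunter2</password>
    </carpsettings>
  </installedpackages>
  <interfaces>
    <wan>
      <pppoe_password>s3cret</pppoe_password>
    </wan>
  </interfaces>
</pfsense>
"""

# Substrings of tag names that are treated as credential-bearing (assumption;
# extend after looking at your own config.xml).
SECRET_MARKERS = ("password", "passwd", "secret", "psk")
REDACTED = "REDACTED"


def _is_secret(elem: ET.Element) -> bool:
    """True when the tag name looks like a credential and the element has a value."""
    tag = elem.tag.lower()
    return any(m in tag for m in SECRET_MARKERS) and bool((elem.text or "").strip())


def find_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (path, value) for every plaintext credential in the document.

    The path is a slash-separated chain of tag names from the root, so the
    administrator can see which feature each credential belongs to.
    """
    root = ET.fromstring(xml_text)
    hits: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, stack: List[str]) -> None:
        stack = stack + [elem.tag]
        if _is_secret(elem):
            hits.append(("/" + "/".join(stack), elem.text.strip()))
        for child in elem:
            walk(child, stack)

    walk(root, [])
    return hits


def redact(xml_text: str) -> str:
    """Return a copy of the document with every credential value blanked out,
    for a copy that has to travel or be stored without encryption."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _is_secret(elem):
            elem.text = REDACTED
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, value in find_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential at {path}: {value}")
    print(redact(SAMPLE_CONFIG))
```

Run the report on a real file with `find_secrets(open("config.xml").read())` before sending it anywhere; a redacted copy is still useful for troubleshooting interface or rule problems, while the full file stays on the firewall or in an encrypted archive as Bill describes.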
