Netgate Discussion Forum

LDAP bind password for AD showing in plain text

schs
last edited Sep 23, 2016, 4:22 AM

Hi fellow pfSense forum people,
We've got our pfSense VM all set up correctly, and I wanted to add our AD as an authentication source.

I've gone through one of the guides, imported our CA and connected, but I've noticed the LDAP bind password is sitting in the GUI in plaintext… very far from ideal.

We can live with using the built-in local admin account, but it would be nice if we could use our AD accounts for admin on the box.

We've installed the current 2.3.2; the guide I was using on the forum here (https://forum.pfsense.org/index.php?topic=44689.0) seemed to have the password obfuscated...

johnpoz, LAYER 8 Global Moderator
posted Sep 23, 2016, 12:27 PM; last edited Sep 23, 2016, 12:34 PM

That is clearly from an older version of pfSense.

I don't see it as an issue. Who would have access to your pfSense? If you're not using anonymous binds to get your DNs, this account should be some junk account that just has permission to query anyway. I wouldn't be using an AD admin account here, for example ;)

The shared secret in the RADIUS setup is also displayed in the clear.

So if you look here:
https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

This explains why it's clear. The wiki should probably be updated to include the AD bind username/password among those stored in the clear. If you're going to store it in the clear in the XML, there is probably little reason to hide it in the GUI, other than the someone-looking-over-your-shoulder sort of issue.

There is already a related issue logged in Redmine:
https://redmine.pfsense.org/issues/6731

I think the link provides the answer/reasoning as to why:

"Hashes like MD5 cannot be used where the plaintext password is needed at a later stage"
"Any sort of hashing used would not be secure, and would be dangerous because it would give the impression of security where none exists."

Edit: I have modified the wiki page to reflect that LDAP, like RADIUS remote authentication, is also stored in the clear.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

jimp, Rebel Alliance Developer, Netgate
last edited Sep 26, 2016, 5:50 PM
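The post above points out that config.xml keeps the LDAP bind password and RADIUS shared secret in plaintext because the firewall must present the actual value to the directory or RADIUS server, so hashing is not an option. The practical consequence for an operator is that any config.xml backup shared for troubleshooting carries those secrets. The following script is an added example, not code from the thread or from pfSense: it locates the plaintext credential elements inside each `<authserver>` block and produces a redacted copy safe to share. The element names `ldap_bindpw` and `radius_secret` are assumed from pfSense's authserver layout, and the sample XML is constructed for this demonstration.

```python
"""Find and redact plaintext credentials in a pfSense config.xml backup.

Added example, not part of the forum thread or of pfSense itself. The element
names ldap_bindpw and radius_secret are assumed from the pfSense <authserver>
layout; SAMPLE_CONFIG below is constructed for this demo.
"""
import xml.etree.ElementTree as ET

# Elements that must remain plaintext on the firewall because the value is
# replayed verbatim to the remote server (LDAP bind, RADIUS shared secret).
# Assumed names; extend the set for other secrets you want scrubbed.
PLAINTEXT_CREDENTIAL_TAGS = {"ldap_bindpw", "radius_secret"}

# Constructed sample mirroring the structure of a pfSense backup.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <authserver>
      <name>corp-ad</name>
      <type>ldap</type>
      <ldap_binddn>CN=pfsense-svc,OU=Service,DC=example,DC=test</ldap_binddn>
      <ldap_bindpw>S3cret-bind-pw</ldap_bindpw>
    </authserver>
    <authserver>
      <name>corp-radius</name>
      <type>radius</type>
      <radius_secret>R4dius-shared</radius_secret>
    </authserver>
  </system>
</pfsense>
"""


def find_plaintext_credentials(xml_text):
    """Return (authserver name, element tag) pairs that hold a non-empty secret."""
    root = ET.fromstring(xml_text)
    hits = []
    for srv in root.iter("authserver"):
        name = srv.findtext("name", default="?")
        for child in srv:
            if child.tag in PLAINTEXT_CREDENTIAL_TAGS and (child.text or "").strip():
                hits.append((name, child.tag))
    return hits


def redact_config(xml_text, placeholder="REDACTED"):
    """Return the XML with secret element text replaced; everything else is kept."""
    root = ET.fromstring(xml_text)
    for srv in root.iter("authserver"):
        for child in srv:
            if child.tag in PLAINTEXT_CREDENTIAL_TAGS and child.text:
                child.text = placeholder
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Audit first, then emit a copy that can be attached to a support request.
    for name, tag in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"authserver {name!r}: <{tag}> is stored in plaintext")
    print(redact_config(SAMPLE_CONFIG))
```

Run the audit before handing a backup to anyone; the bind DN is left intact because it is not a secret, while the bind password and RADIUS secret are replaced. Restoring a redacted file to a firewall would of course break the affected authentication servers until the real values are re-entered.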

The form field was not hiding the password there (using *'s instead of the letters); that was fixed a couple of weeks ago. It's always been plain in the XML, but the GUI usually obscured it.

Anyone could hit F12 or inspect the element to get it either way, but at least with the *'s someone with no access who was shoulder surfing or screen sharing couldn't see it.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

johnpoz, LAYER 8 Global Moderator
last edited Sep 26, 2016, 6:06 PM

Thanks for the clarification, jimp. Did you also correct the RADIUS form field to use * to hide it from shoulder surfers?

jimp, Rebel Alliance Developer, Netgate
last edited Sep 26, 2016, 6:15 PM

Hmm, no, that one is still showing through. It's harder for that one to be useful to anyone, though, as it's specific to requests coming from the firewall itself.

            I pushed a fix so it's obscured as well.
