LDAP bind password for AD showing in plain text

schs

Hi fellow Pfsense forums people,
We've got our pfsense VM all set up correctly and I wanted to add our AD as an authentication source.

I've gone through one of the guides and imported our CA and connected, but I've noticed the LDAP bind password is sitting on the GUI in plaintext… very far from ideal

We can live with using the built in local admin account but it would be nice if we could use our AD accounts for admin on the box

we've installed the current 2.3.2, the guide I was using on the forum here https://forum.pfsense.org/index.php?topic=44689.0 seemed to have the password obfuscated...

johnpoz

That is clearly from an older version of pfsense.

I don't see it an issue.  Who would have access to your pfsense?  If your not using anonymous to get your dn's, this account should be some junk account that just has permission to query anyway.. I wouldn't be using a AD admin account here for example ;)

The shared secret in radius setup is also displayed clear.

So if you look here
https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

This explains why its clear, the wiki should prob be updated to include the AD bind username/password as being those ones stored in clear.  If your going to store in clear in the xml prob little reason to hide it in the gui, other than someone looking over your shoulder sort of issue.

There is already a related issue logged in redmine
https://redmine.pfsense.org/issues/6731

I think the link provides the answer/reasoning to why..

"Hashes like MD5 cannot be used where the plaintext password is needed at a later stage"
"Any sort of hashing used would not be secure, and would be dangerous because it would give the impression of security where none exists."

edit:  I have modified the wiki page to reflect that LDAP like Radius remote authentication is also stored clear.

jimp

The form field was not hiding the password there (using *'s instead of the letters), that was fixed a couple weeks ago. It's always been plain in the XML but the GUI usually obscured it.

Anyone could hit F12 or inspect the element to get it either way, but at least with the *'s someone with no access that was shoulder surfing/screen sharing couldn't see it.

johnpoz

Thanks for clarification jimp - did you also correct the radius form field to use * to hide from shoulder surfers?

jimp

Hmm, no, that one still is showing through. Harder for that one to be useful to anyone though as it's specific to requests coming from the firewall itself.

I pushed a fix so it's obscured as well.