Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    LDAP bind password for AD showing in plain text

    webGUI
    3
    5
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      schs
      last edited by

      Hi fellow Pfsense forums people,
      We've got our pfsense VM all set up correctly and I wanted to add our AD as an authentication source.

      I've gone through one of the guides and imported our CA and connected, but I've noticed the LDAP bind password is sitting on the GUI in plaintext… very far from ideal

      We can live with using the built in local admin account but it would be nice if we could use our AD accounts for admin on the box

      we've installed the current 2.3.2, the guide I was using on the forum here https://forum.pfsense.org/index.php?topic=44689.0 seemed to have the password obfuscated...

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        That is clearly from an older version of pfsense.

        I don't see it an issue.  Who would have access to your pfsense?  If your not using anonymous to get your dn's, this account should be some junk account that just has permission to query anyway.. I wouldn't be using a AD admin account here for example ;)

        The shared secret in radius setup is also displayed clear.

        So if you look here
        https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

        This explains why its clear, the wiki should prob be updated to include the AD bind username/password as being those ones stored in clear.  If your going to store in clear in the xml prob little reason to hide it in the gui, other than someone looking over your shoulder sort of issue.

        There is already a related issue logged in redmine
        https://redmine.pfsense.org/issues/6731

        I think the link provides the answer/reasoning to why..

        "Hashes like MD5 cannot be used where the plaintext password is needed at a later stage"
        "Any sort of hashing used would not be secure, and would be dangerous because it would give the impression of security where none exists."

        edit:  I have modified the wiki page to reflect that LDAP like Radius remote authentication is also stored clear.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          The form field was not hiding the password there (using *'s instead of the letters), that was fixed a couple weeks ago. It's always been plain in the XML but the GUI usually obscured it.

          Anyone could hit F12 or inspect the element to get it either way, but at least with the *'s someone with no access that was shoulder surfing/screen sharing couldn't see it.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            Thanks for clarification jimp - did you also correct the radius form field to use * to hide from shoulder surfers?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              Hmm, no, that one still is showing through. Harder for that one to be useful to anyone though as it's specific to requests coming from the firewall itself.

              I pushed a fix so it's obscured as well.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.