pfSense config storing plaintext passwords world readable

    General pfSense Questions
girtsd:

      Hello to all!

I will cut straight to the case.
I am using pfSense 2.4.2-RELEASE-p1 in an HA solution.

I have enabled pfsync and config synchronization, as well as Snort and Snort config sync.

Now what has taken my attention is that both the HA settings part and the Snort sync settings part are being written to /cf/conf/config.xml. This wouldn't necessarily be bad, but what makes me really worried is that the main config file is world readable. This is really terrible, since both the HA and Snort sync settings require the remote system admin password (any user with the ability to change configs is effectively admin). This leads to a world readable file containing a root account password in plain text. And since HA requires all systems to have the same password for the admin user used, for the HA to work (can't remember where exactly I read this, so it may not be true), this means that the whole HA cluster is compromised.

I would like to know if I'm overreacting to this, or whether this really has slipped by everyone and is 100% deal breaking.
      Could someone please calm me down/educate me in this regard?

      Thank you!

Don't assume! VERIFY!

heper:

        @jimp:

        Also, on 2.4.x you do not need to use admin for this. Create a new user for synchronizing and give it the "System - HA node sync" privilege. Once that user synchronizes to both nodes you can then set that user/pass as the sync user on the primary under System > High Avail Sync.

johnpoz (LAYER 8 Global Moderator):

          Link to thread that heper quoted
          https://forum.pfsense.org/index.php?topic=143615.0

girtsd:

Thanks to both of you!

            This cleared it up!

I'm (at least a little) relieved.

jimp (Rebel Alliance Developer, Netgate):

              https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

              If you are worried about someone seeing the contents of config.xml, then they shouldn't have access to anything that can read config.xml.

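The two points the thread turns on, the file mode of config.xml and which password fields in it are plaintext rather than hashed, can be checked directly. The following shell script is an added example written for this page; it is not code from the thread or from the pfSense project. It assumes the pfSense 2.4 layout in which the HA sync credentials live under `<hasync>` (`<username>`/`<password>`) and local user hashes under `<system><user><password>`, and it runs against a constructed sample config written to a temporary file, so nothing on the page is needed to try it (point `CONFIG` at the real /cf/conf/config.xml on a firewall to audit that instead).

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense project.
# Audits a pfSense-style config.xml for two things the thread raises:
#   1. is the file readable by "other" (world readable)?
#   2. which <password> fields are stored in plaintext rather than hashed?
# Assumed element layout (pfSense 2.4 style): <hasync><username>/<password>
# for the HA sync account, <system><user><password> for local users (bcrypt).

# Returns 0 if the mode grants read to "other" (column 8 of ls -l is "r").
world_readable() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]
}

# Prints "section=value" for every <password> element, where section is the
# enclosing <hasync> or <user> block, so an HA secret can be told from a hash.
password_fields() {
    awk '
        /<hasync>/   { section = "hasync" }
        /<\/hasync>/ { section = "" }
        /<user>/     { section = "user" }
        /<\/user>/   { section = "" }
        /<password>/ {
            sub(/.*<password>/, ""); sub(/<\/password>.*/, "")
            print section "=" $0
        }' "$1"
}

# Heuristic: crypt-style hashes start with $id$ (pfSense uses bcrypt, $2b$).
# Anything else is treated as plaintext.
is_hashed() {
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*|'$1$'*|'$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Counts the <password> fields that are not hashed.
plaintext_count() {
    password_fields "$1" | {
        n=0
        while IFS= read -r entry; do
            is_hashed "${entry#*=}" || n=$((n + 1))
        done
        echo "$n"
    }
}

audit() {
    if world_readable "$1"; then
        echo "WARNING: $1 is world readable"
    fi
    echo "plaintext password fields in $1: $(plaintext_count "$1")"
    password_fields "$1" | while IFS= read -r entry; do
        is_hashed "${entry#*=}" || echo "  plaintext: ${entry%%=*}"
    done
}

# Constructed sample config (not a real firewall's config.xml): one bcrypt
# user hash and one plaintext HA sync password, with the world-readable mode
# the thread complains about.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0"?>
<pfsense>
  <system>
    <user>
      <name>admin</name>
      <password>$2b$10$constructedbcrypthashconstructedbcrypthashconstru</password>
    </user>
  </system>
  <hasync>
    <synchronizetoip>192.0.2.2</synchronizetoip>
    <username>hasync</username>
    <password>constructed-plaintext-secret</password>
  </hasync>
</pfsense>
EOF
chmod 644 "$SAMPLE"

CONFIG="${CONFIG:-$SAMPLE}"
audit "$CONFIG"
# The temporary sample is left in place for inspection; remove it when done.
```

On the sample this reports the file as world readable and finds exactly one plaintext field, the one under `<hasync>`, which is the secret the thread's advice is about: give it to a dedicated account holding only the "System - HA node sync" privilege rather than to admin, so that whatever can read config.xml learns a low-privilege credential rather than the root password.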