Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CARP / HASYNC : password in cleartext in .xml

    HA/CARP/VIPs
    2
    3
    421
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      f.meunier
      last edited by

      Hello All,
      Is it normal to have the password for HASYNC written in cleartext in the .xml backup file (<hasync> section) ?
      I know that I can encrypt the whole, but I expected at least a hash of the password.

      (mostly ZOTAC CI or CA nano barebones)

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        The primary node has to log into the secondary for XMLRPC sync so it needs to know the cleartext.

        You can create a user specifically for XMLRPC sync by making a user with only the System - HA node sync privilege if you want to compartmentalize that password's scope.

        This doesn't specifically mention the HA XMLRPC sync function but the same information applies there.

        https://www.netgate.com/docs/pfsense/backup/password-storage-security-policies.html

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 1
        • F
          f.meunier
          last edited by

          Great answer. That is what I was looking for : a limited privilege account.
          I will try this soon.

          Best Regards (and Merry Xmas to all)

          (mostly ZOTAC CI or CA nano barebones)

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.