Netgate Discussion Forum

    "System: High Availability Sync" Configuration store clear password is not safe

    General pfSense Questions
    4 Posts 3 Posters 891 Views
    • wiki345

      Sorry, my English is not very good; please bear with it and have a look at fixing this security problem.

      1、 https://xx.xx.xx.xx/system_hasync.php
      "System: High Availability Sync"
          -> "Configuration Synchronization Settings (XMLRPC Sync)"
                -> Remote System Password: *******
      On this page, other administrator users can see the admin's clear password.

      2、Diagnostics: Backup/restore
      The admin's clear password can also be found in the downloaded configuration file.

      That's not safe. How can a separate sync secret key be used instead of the admin user and its clear password?

      • Supermule

        I can't in my file. It's encrypted.

        • wiki345

          My pfSense version is 2.2.2-RELEASE (amd64).
          If you have set up HA, you can see the clear password in two places:

          1、 In [System]->[High Avail. Sync]: /system_hasync.php page source code:
          <input id="username" name="username" class="formfld unknown" value="admin">
          <input id="passwordfld" type="password" name="passwordfld" class="formfld pwd" value="clear password">

          2、 In [Diagnostics]->[Backup/restore]: when backing up without "Encrypt this configuration file":
          <hasync><synchronizeusers>on</synchronizeusers>
          <synchronizeauthservers>on</synchronizeauthservers>
          <synchronizecerts>on</synchronizecerts>
          <synchronizerules>on</synchronizerules>
          <synchronizeschedules>on</synchronizeschedules>
          <synchronizealiases>on</synchronizealiases>
          <synchronizenat>on</synchronizenat>
          <synchronizeipsec>on</synchronizeipsec>
          <synchronizeopenvpn>on</synchronizeopenvpn>
          <synchronizedhcpd>on</synchronizedhcpd>
          <synchronizewol>on</synchronizewol>
          <synchronizestaticroutes>on</synchronizestaticroutes>
          <synchronizelb>on</synchronizelb>
          <synchronizevirtualip>on</synchronizevirtualip>
          <synchronizetrafficshaper>on</synchronizetrafficshaper>
          <synchronizetrafficshaperlimiter>on</synchronizetrafficshaperlimiter>
          <synchronizetrafficshaperlayer7>on</synchronizetrafficshaperlayer7>
          <synchronizednsforwarder>on</synchronizednsforwarder>
          <synchronizecaptiveportal>on</synchronizecaptiveportal>
          <pfsyncpeerip></pfsyncpeerip>
          <pfsyncinterface>wan</pfsyncinterface>
          <synchronizetoip>172.28.1.2</synchronizetoip>
          <username>admin</username>
          <password>clear password</password></hasync>

          • doktornotor

            https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

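As an added example (not code from this thread, from pfSense, or from the linked doc): a small Python audit that reads an unencrypted config.xml backup like the one posted above and lists every credential a downloaded backup would expose in cleartext, while skipping crypt-style hashes such as the stored user-account passwords. The sample XML is constructed from the post's <hasync> fragment; the IPsec pre-shared key entry, the bcrypt-looking hash value and the "---- BEGIN config.xml ----" wrapper used to recognise an encrypted export are assumptions made for illustration, not facts from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup: the <hasync> block from the post
# (abridged) plus a system user and an IPsec phase 1 entry, wrapped in a
# minimal <pfsense> root so it parses stand-alone. Hash and PSK values are fake.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <user>
      <name>admin</name>
      <password>$2y$10$ConstructedNotARealBcryptHashValue000000000000000000</password>
      <uid>0</uid>
    </user>
  </system>
  <hasync>
    <synchronizeusers>on</synchronizeusers>
    <synchronizerules>on</synchronizerules>
    <pfsyncpeerip></pfsyncpeerip>
    <pfsyncinterface>wan</pfsyncinterface>
    <synchronizetoip>172.28.1.2</synchronizetoip>
    <username>admin</username>
    <password>clear password</password>
  </hasync>
  <ipsec>
    <phase1>
      <remote-gateway>203.0.113.10</remote-gateway>
      <pre-shared-key>constructed-psk</pre-shared-key>
    </phase1>
  </ipsec>
</pfsense>
"""

# Constructed stand-in for an encrypted export. Assumption: pfSense wraps
# encrypted backups in "---- BEGIN config.xml ----" / "---- END config.xml ----".
ENCRYPTED_SAMPLE = """---- BEGIN config.xml ----
U2FsdGVkX1/constructed/not/real/ciphertext=
---- END config.xml ----
"""

# Tag fragments that usually hold a credential (compared after stripping - and _).
SECRET_TAGS = ("password", "passwd", "secret", "presharedkey", "psk")
# crypt(3)-style prefixes: a value starting with one of these is a hash, not a
# recoverable secret, so it is not reported.
HASH_PREFIXES = ("$1$", "$2a$", "$2b$", "$2y$", "$5$", "$6$")


def is_encrypted_backup(text):
    """True if the file is an encrypted pfSense export rather than raw XML."""
    return text.lstrip().startswith("---- BEGIN config.xml ----")


def looks_hashed(value):
    """True for crypt-style hashes (e.g. the stored user-account passwords)."""
    return value.startswith(HASH_PREFIXES)


def walk(elem, path):
    """Yield (slash-separated path, element) for elem and all its descendants."""
    here = f"{path}/{elem.tag}" if path else elem.tag
    yield here, elem
    for child in elem:
        yield from walk(child, here)


def cleartext_secrets(root):
    """Paths (relative to the root element) of credential-like elements whose
    text is non-empty and is not a crypt-style hash."""
    hits = []
    for child in root:
        for path, elem in walk(child, ""):
            tag = elem.tag.lower().replace("-", "").replace("_", "")
            if not any(fragment in tag for fragment in SECRET_TAGS):
                continue
            value = (elem.text or "").strip()
            if value and not looks_hashed(value):
                hits.append(path)
    return hits


def audit_config(text):
    """Return a list of (location, message) findings for one config.xml backup."""
    if is_encrypted_backup(text):
        return [("file", "encrypted backup; decrypt before auditing")]
    root = ET.fromstring(text)
    findings = [(p, "credential stored in cleartext") for p in cleartext_secrets(root)]
    # The poster's specific concern: the XMLRPC sync account is admin, so the
    # cleartext sync password is the admin password of the peer.
    if (root.findtext("hasync/username") or "").strip() == "admin":
        findings.append(("hasync/username",
                         "XMLRPC sync runs as admin; the sync password is the admin password"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG, ENCRYPTED_SAMPLE):
        for location, message in audit_config(sample):
            print(f"{location}: {message}")
```

The sync password has to stay recoverable because the node sends it to its peer (the reason the linked doc gives), so the audit cannot make it go away; what it does is show which backups must be exported with "Encrypt this configuration file" and stored accordingly, and whether the sync still runs as admin rather than a dedicated sync account where the pfSense release supports one.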
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.