"System: High Availability Sync" configuration stores the clear password, which is not safe
-
Sorry, my English is not very good; please bear with me and take a look at improving this security issue.
1. https://xx.xx.xx.xx/system_hasync.php
"System: High Availability Sync"
-> "Configuration Synchronization Settings (XMLRPC Sync)"
-> Remote System Password: *******
On this page, other administrator users can see the admin's clear password.
2. Diagnostics: Backup/restore
The admin's clear password can also be found in the downloaded configuration file. That's not safe. How can a separate sync secret key be used instead of the admin user and its clear password?
-
I can't in my file. It's encrypted.
-
My pfSense version is 2.2.2-RELEASE (amd64).
If you have set up HA, you can see the clear password in 2 places:
1. In [System] -> [High Avail. Sync]: /system_hasync.php page source code:
<input id="username" name="username" class="formfld unknown" value="admin"><input id="passwordfld" type="password" name="passwordfld" class="formfld pwd" value="clear password">
2. In [Diagnostics] -> [Backup/restore]: when backing up without "Encrypt this configuration file":
<hasync>
<synchronizeusers>on</synchronizeusers>
<synchronizeauthservers>on</synchronizeauthservers>
<synchronizecerts>on</synchronizecerts>
<synchronizerules>on</synchronizerules>
<synchronizeschedules>on</synchronizeschedules>
<synchronizealiases>on</synchronizealiases>
<synchronizenat>on</synchronizenat>
<synchronizeipsec>on</synchronizeipsec>
<synchronizeopenvpn>on</synchronizeopenvpn>
<synchronizedhcpd>on</synchronizedhcpd>
<synchronizewol>on</synchronizewol>
<synchronizestaticroutes>on</synchronizestaticroutes>
<synchronizelb>on</synchronizelb>
<synchronizevirtualip>on</synchronizevirtualip>
<synchronizetrafficshaper>on</synchronizetrafficshaper>
<synchronizetrafficshaperlimiter>on</synchronizetrafficshaperlimiter>
<synchronizetrafficshaperlayer7>on</synchronizetrafficshaperlayer7>
<synchronizednsforwarder>on</synchronizednsforwarder>
<synchronizecaptiveportal>on</synchronizecaptiveportal>
<pfsyncpeerip></pfsyncpeerip>
<pfsyncinterface>wan</pfsyncinterface>
<synchronizetoip>172.28.1.2</synchronizetoip>
<username>admin</username>
<password>clear password</password>
</hasync>
-
https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml
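An added example, not part of the thread and not pfSense code: a small Python audit that parses an unencrypted config.xml backup and reports secret-like elements whose value is not a crypt-style hash, so the <hasync><password> case discussed above is caught before a backup is shared. The sample config, its hash value and the tag keyword list are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup: a local user
# with a crypt-style hash for contrast, and the <hasync> block from the thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <user>
      <name>admin</name>
      <password>$1$abcdefgh$ZZZZZZZZZZZZZZZZZZZZZZ</password>
    </user>
  </system>
  <hasync>
    <pfsyncpeerip></pfsyncpeerip>
    <pfsyncinterface>wan</pfsyncinterface>
    <synchronizetoip>172.28.1.2</synchronizetoip>
    <username>admin</username>
    <password>clear password</password>
  </hasync>
</pfsense>
"""

# Tag-name fragments treated as credential carriers (assumed list, not pfSense's).
SECRET_TAGS = ("password", "passwd", "secret", "psk", "pre-shared-key")


def looks_hashed(value):
    # crypt(3)-style hashes such as $1$salt$hash or $2b$10$... have at least
    # three '$' separators; anything else is treated as plaintext.
    return value.startswith("$") and value.count("$") >= 3


def find_plaintext_secrets(xml_text):
    """Return (element path, masked preview) for every non-empty secret-like
    element whose content is not a crypt-style hash."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = path + "/" + elem.tag
        text = (elem.text or "").strip()
        if text and any(k in elem.tag.lower() for k in SECRET_TAGS) and not looks_hashed(text):
            # Mask all but the first two characters so the report itself is safe to share.
            findings.append((here, text[:2] + "*" * (len(text) - 2)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    for path, preview in find_plaintext_secrets(SAMPLE_CONFIG):
        print("plaintext secret at", path, "->", preview)
```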