Netgate Discussion Forum

    Sync password viewable in HTML code…

    • tmack

      I noticed today that the "Remote System Password" textbox in "System: High Availability Sync" gets populated with your password on page load. This should NEVER happen. Is there a way to prevent this? This is a rookie mistake in my opinion…

      • Gertjan

        Hi,

        Keep in mind that you need admin privileges to see this page.

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • tmack

          Yes, that is fine. What if I am in an office and leave my computer unlocked for a few minutes and someone views the source and grabs the admin password? The admin password should never be displayed under any circumstances, and in fact, it should be encrypted!

          • doktornotor Banned

            @tmack:

            Yes, that is fine. What if I am in an office and leave my computer unlocked for a few minutes and someone views the source and grabs the admin password?

            Or they'll just go and download the config.xml backup. Not sure what you are suggesting here. When you leave people with root access, then you are royally fucked.

            https://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml

            • KOM

              @tmack:

              What if I am in an office and leave my computer unlocked for a few minutes and someone views the source…

              This is the point where you file it under noob mistake.

              • tmack

                Thanks for the article. I still don't know why it needs to be outputted the way it is. As far as a n00b mistake, I've worked in IT for many years and I'm very used to locking my workstation. Others are lazy… And we've all made that mistake.

                Thanks for the replies, I'll live with it.

                • doktornotor Banned

                  If you really want to remove it, it's a simple one line: https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/www/system_hasync.php#L185

                  But, as noted above, leaving your browser logged on as admin is totally NOT secure.

                  • tmack

                    Thanks. I'm going to remove it. I understand all that. I am just a bit confused as to why the password isn't just left blank. At least it's an easy fix :)

                    Thanks again.

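The manual "view source" check discussed in this thread can be automated. The following is an added example, not code from the thread or from pfSense: a Python scan of a rendered page for password inputs that arrive with a non-empty value attribute. The sample page and its field names are constructed for illustration and are not pfSense's actual markup.

```python
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collect <input type="password"> elements that are rendered with a value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> tags also reach this handler by default.
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        value = a.get("value", "")
        if value:
            line, _col = self.getpos()
            # Report only the length so the scan output does not repeat the secret.
            self.findings.append({
                "name": a.get("name") or a.get("id") or "?",
                "line": line,
                "length": len(value),
            })


def find_prefilled_passwords(html):
    """Return one finding per password input whose value attribute is non-empty."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (hypothetical field names).
SAMPLE_PAGE = """<form method="post">
  <input name="username" type="text" value="admin">
  <input name="sync_password" type="password" value="Constructed-Secret-1">
  <input name="new_password" type="PASSWORD" value="">
  <input name="confirm" type="password" />
</form>
"""

if __name__ == "__main__":
    for f in find_prefilled_passwords(SAMPLE_PAGE):
        print(f"line {f['line']}: password field '{f['name']}' is pre-filled "
              f"({f['length']} characters present in the page source)")
```

Run against saved copies of admin pages, a non-empty result marks a field that should be rendered blank, with the stored value kept server-side when the form is submitted empty.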
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.