Password storage

Our passwords are stored in a LDAP database, so storing them in an additional file in the /etc/webmin/virtual-server/passhash folder is not necessary in our setup. It would be great if we can configure whether we want to store the hashed password to that file or not.

I'm aware of some needs of the hashed passwords, like allowing a user to login to the database or mailinglist with the same credentials. All these situations are not applicable in our setup. Thats why we want to get rid of these files, we simply don't need the prehased passwords. We only use LDAP for authentication.

We don't want to remove the option to store passwords in plain text. My collegue was referring to the option shown in the change password form for domain admins. (Server Configuration => Change password)

edit_pass.cgi: if ($d && $d->{'hashpass'}) { print &ui_table_row($text{'pass_hashpass'}, &ui_yesno_radio("hashpass", 1)); }

This gives domain admins the opportunity to store passwords in plaintext even if the server template says not to.

That passhash folder is still needed to store passwords in different hashing formats, like MySQL. LDAP can only store one hash type..

As i said, in some setups they are needed, in our setup not. I'm experimenting with some 'after changes server' and 'afer change user' scripts , which removes all files in the passhash folder and the *_enc_pass entries in the domains/{serverid} file. For now of course this is done only for test domains. Everything seems to keep working.

Mysql passwords are stored by the mysql server of course. In our setup Virtualmin doesn't need to know this password. The only functionality we need is to reset this password and that's possible.

FTP and mail users are stored in the LDAP database, in our setup it won't be necessary to grant them a mysql login with these credentials. So storing a prehashed mysql version of the users password is not needed.

It would be great if we can configure whether or not we want to generate this prehashed passwords, so system admins can deside which hashes are needed for their setup.

I agree that the "Change Password" page shouldn't show that option for non-root users though. I'll fix that in the 3.93 Virtualmin release.

Great! Can you provide us an patch file for this, so we can fix this before release?

Thnx for the patch!

Is your concern that storing hashed passwords presents a security risk if an attacker gains access to the file? I agree that some of them could be removed with little impact, such as the MySQL hash.

Yes. Here in the Netherlands companies are increasingly pilloried because they lack to secure their user's passwords. So I decided to look critically to this for our company... let say that we need to be pilloried as well :-)

So in the first place we want to get rid of the plaintext passwords. Thats no problem, I have created a script which reads all the plaintext passwords, adjust the hasspass value in the virtual server config and then modifies all accounts with the plaintext passwords so it's stored as a hash.

But then I thought, we do I need to set the passwords again? The password hashes are already in the LDAP database and the database passwords are stored in the mysql server. Virtualmin doesn't need those hashes. So I can safely remove the cleartext password files in the /etc/webmin/virtual-server/plainpass folder and the clearpassword entries in de virtual server config file.

I tried to figure out why virtualmin stores prehashed versions of the password. I understand why it does this, but we don't need those hashes, so in my opinion it's less secure to keep those hashes. Especially because the old, outdated and insecure crypt is one of them. I can live with a md5 hash for now, but wouldn't it be better that virtualmin gets this hash from the LDAP server if it needs it. As far as I know htpasswd accepts md5 and sha hashes too, so for the password protected directories that problem is solved.

I'm aware that there are more virtualmin modules which depends on those hashes and some of them probably don't understand the md5 or sha ones. That's why I thing it's better that a sysadmin can configure which hashes it needs to store. If you don't use modules which only understand the weak hash algorithms, you simply can disable it.

Thanks, this is really appreciated! Is there a release date scheduled for virtualmin 3.93?

Should be out in a few days.. Cool!

A thought crossed my mind... When I modify an (ldap) user, a script is triggered before and after the change. The plaintext password is available as environment variable, isn't?. This gives the sysadmin an oppurtunity to re-use this password for let's say mysql or htpasswd. This before- or after script can invoke the needed actions or function calls to set the new password where it's needed.