Changing from a clear text password template to a hashed password template

Hi,

I've been asked to change an existing server to use hashed passwords.

However, after I've switched server templates, and updated the admin password, which I understood would effect the change to hashed password storage, the password is still recoverable in the Virtualmin UI.

How can I make this change to an existing server?

I'm not sure if this is a bug or configuration issue, or if I'm changing this password in the wrong place (I've changed it under "edit virtual server").

Cheers,

PhilK

Status: Active

Comments

Howdy -- after changing the Server Templates to use hashed passwords, and then changing the Virtual Server owner's password -- when you go into Edit Virtual Server -> Configurable Settings, and click "Show Password", does it show the new password there, or is that the old one?

Hi Andreychek,

Thanks for the quick response!

I've just re-tested to be sure, and can confirm that I'm seeing the new password in the "show password" pop-up.

In case it helps, my process was:

  • Checked vserver password.
  • Cloned default settings template.
  • In the new template
    • Set "Store clear text passwords?" to "No, only store hashed passwords"
    • Noted that "Hashed password types to store" is set to "All types"
  • In the vserver under configurable settings,
    • selected new server configuration template
    • updated administration password
  • Checked vserver password, hoping not to be able to, but could.

Does that sound right?

Cheers,

PhilK

Unfortunately the template only affects the settings for new domains. To force use of a hashed password for an existing domain, you need to change it to something different temporarily, and then change it back again.

Hi Jamie,

That's actually what I did! :-)

In my reply to Andreychek (#2) I listed the steps I'd taken, but neglected to say that after I'd created the new template, updated the existing vserver to use it and then updated the vserver admin password, when I realised that it was still visible in plain text I changed it back to the original value. So, it has indeed been changed and then changed back.

As a sanity check, I've also created a new vserver with that hashed passwords template, and that behaves as expected.

I've a nasty feeling that I'm overlooking something simple here, but just can't figure out what. I'm pretty conservative about my Virtualmin setup, so I don't /think/ I'm likely to have done anything silly...

Cheers,

PhilK

Could the issue be that I'm changing the template on an existing server to one with hashed passwords, rather than changing the existing template for that server to use hashed passwords?

If the db passwords only diverge from the admin passwords at the point that the admin password is changed and becomes hashed, I guess I can safely change the existing plan to use hashed passwords?

Sorry, I just realized that changing the password doesn't actually fix this :-(

There is a feature in Virtualmin to allow switching to hashed passwords, but due to a bug it isn't available to the root user! However, there is a manual workaround:

  1. Find the domain's file under the /etc/webmin/virtual-server/domains directory. It will be the file in which the dom= line contains the domain name.
  2. Add the line hashpass=1 to the end of this file.
  3. Change the domain's password to something else, then change it back again.
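Steps 1 and 2 of the workaround above as a shell script. This is an added example, not part of the original thread and not Virtualmin's own code. The function names `find_domain_file` and `enable_hashpass` are hypothetical, and the script assumes the domain file holds one key=value pair per line with the domain on a line of the form dom=example.com.

```shell
#!/bin/sh
# Added example, not Virtualmin code. Function names are hypothetical.
# Assumption: the domain file holds one key=value per line, e.g. dom=example.com
DOMAINS_DIR="${DOMAINS_DIR:-/etc/webmin/virtual-server/domains}"

# Step 1: print the file whose dom= line names exactly this domain.
find_domain_file() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # -x -F: whole-line literal match, so example.com does not
        # also select the file for sub.example.com
        if grep -qxF "dom=$2" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Step 2: append hashpass=1 to that file. Safe to run twice.
enable_hashpass() {
    file=$(find_domain_file "$1" "$2") || {
        echo "no domain file with dom=$2 in $1" >&2
        return 1
    }
    if grep -qxF 'hashpass=1' "$file"; then
        return 0                      # already set, nothing to do
    fi
    if grep -q '^hashpass=' "$file"; then
        echo "$file already has a different hashpass= line; edit by hand" >&2
        return 2
    fi
    # Do not glue the new key onto an unterminated last line.
    if [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf 'hashpass=1\n' >> "$file"
}

# Usage: sh enable-hashpass.sh example.com   (as root on the Virtualmin host)
if [ "$#" -ge 1 ]; then
    enable_hashpass "$DOMAINS_DIR" "$1" && echo "hashpass=1 set for $1"
fi
```

Step 3 is still done in Virtualmin afterwards: change the domain's password to something else, then change it back, and confirm with "Show Password" that it is no longer recoverable.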