Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 24th April 2013, 07:29
pbrille pbrille is offline
Junior Member
 
Join Date: Sep 2009
Posts: 21
Thanks: 1
Thanked 0 Times in 0 Posts
Default cleartext db passwords -> hashed

Hi,

when I looked manually into my ispconfig database I spotted that there are quiet a lot DB users with cleartext passwords. I simply don't want this (of course).
table:
web_database_user

thx
Reply With Quote
Sponsored Links
  #2  
Old 24th April 2013, 12:36
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,804
Thanks: 840
Thanked 5,613 Times in 4,424 Posts
Default

This has been changed in current ispconfig versions. Create a new db user after you updated to a current versiona and you will see that.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 26th April 2013, 14:30
pbrille pbrille is offline
Junior Member
 
Join Date: Sep 2009
Posts: 21
Thanks: 1
Thanked 0 Times in 0 Posts
Default

till

I'm talking about existing users. They have cleartext passwords stored in the DB. That's unacceptable.
There are quite a lot users in there, so recreating the user is not an option.
Which hashing algorithm has been used? With or without salt? Which encoding? If you tell me I will write a script on my own.

Thank you
Reply With Quote
  #4  
Old 26th April 2013, 15:07
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,804
Thanks: 840
Thanked 5,613 Times in 4,424 Posts
Default

The passwords of mysql users are encrypted with the mysql password() command.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 26th April 2013, 15:15
Ben Ben is offline
Moderator
 
Join Date: Jul 2006
Posts: 1,029
Thanks: 7
Thanked 62 Times in 56 Posts
Default

Quote:
Originally Posted by till View Post
The passwords of mysql users are encrypted with the mysql password() command.
I can just confirm that for all my entries in that table.
Reply With Quote
  #6  
Old 26th April 2013, 15:32
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,804
Thanks: 840
Thanked 5,613 Times in 4,424 Posts
 
Default

The mysql passwords in older versions were stored in cleartext. This had been changed to hashed passwords since 3.0.4.x versions of ispconfig if I reember correctly. Some mysql user editing commands required a cleartext password, so we had to keep the password in clertext. In 3.0.4 we found a way to work around the mysql commands and were able to switch to encoded passwords for new and updated mysql users.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 26th April 2013 at 15:35.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
User Passwords PoleCat Feature Requests 7 17th May 2008 17:04
Record user passwords catdude Feature Requests 0 19th September 2007 16:51
Clear Passwords Agosto Feature Requests 6 22nd March 2007 01:36
Condition of MD5 passwords as of 2.2.2 Rustin Installation/Configuration 1 10th May 2006 20:28
Management -> Server Settings -> DNS -> Default MX doesn't work :-( ddelbia General 6 14th January 2006 15:26


All times are GMT +2. The time now is 00:53.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.