HowtoForge Forums > ISPConfig 2 > Feature Requests

#1
22nd February 2007, 09:19
vogelor (ISPConfig Developer, Wernau, Germany)
it would be nice to see the pwd of a user

I added a user and gave him a pwd. 5 days later he asked me if I could give him the pwd again - he lost it. But I can't, because I can't see the pwd inside ISPConfig. It would be nice to see it.
__________________
The new luxury is time, not money!

Company: http://www.muv.com, http://www.computerandservice.de
Private: http://www.vogelor.de
#2
22nd February 2007, 09:35
edge (Moderator, The Netherlands)

Why not create a new password for him?
__________________
Never execute code written on a Friday or a Monday.
#3
22nd February 2007, 09:42
Ben (Moderator)

I would create a new one, as edge said,
or note it in a file and encrypt that, e.g. with TrueCrypt.
#4
22nd February 2007, 09:44
martinfst (Senior Member, Hilversum, The Netherlands)

Security policies should enforce that no one can ever view a password. That's good. What may be a nice RFE is an automated password recovery feature, but that requires the user to also have a mail address, which is currently not required in ISPConfig.

Maybe that's another RFE: require a valid email address for every user. It's so simple with Gmail or Hotmail to have a free account...
#5
22nd February 2007, 09:48
vogelor (ISPConfig Developer, Wernau, Germany)

Quote:
Originally Posted by edge
Why not create a new password for him?
This is not a problem if there is only ONE user and only ONE place where the pwd is needed.
But think about this:
There are TWO users who use the SAME FTP account to upload files (we need this, because there is only ONE admin account with the right to upload files to the root). Or think about a ONE catchall email account that a company's server handles. If you now change the pwd, you have to change the server settings and tell all the persons that you changed the pwd.

Or think about 5 PCs connecting to the same IMAP account (for example the mail is service@muv.com and we have 5 people doing the service here). If I change the pwd, I have to change all the email clients (some are at the office, some are at home).

I think it is now clear why I CAN'T change the pwd ;-)
#6
22nd February 2007, 09:50
vogelor (ISPConfig Developer, Wernau, Germany)

Quote:
Originally Posted by Ben
I would create a new one, as edge said,
or note it to a file, and encrypt that, e.g. truecrypt
You can do this if YOU change the pwd, but what about changes made by your customer, or what if you FORGET to change the pwd in your file (we are all human ;-)
#7
22nd February 2007, 09:53
vogelor (ISPConfig Developer, Wernau, Germany)

Quote:
Originally Posted by martinfst
Security policies should enforce no one can ever view a password. That's good.
Isn't this only "pseudo security"?

If you can change the pwd, you can upload (or download) files to/from the server, read the mails, access the MySQL database and so on - so what is the "extra" security if you can't see the pwd but can change it?
#8
22nd February 2007, 10:14
martinfst (Senior Member, Hilversum, The Netherlands)

Quote:
Originally Posted by vogelor
There are TWO users who use the SAME FTP-Account to upload files
IMHO this is bad security practice. Every user should have his/her own uid/password. There is no justification to share passwords between users. If that's now enforced by technical limitations, we should work to fix the technical issues, not weaken security.

#9
22nd February 2007, 11:11
vogelor (ISPConfig Developer, Wernau, Germany)

Quote:
Originally Posted by martinfst
IMHO this is bad security practice. Every user should have his/her own uid/password. There is no justification to share passwords between users. If that's now enforced by technical limitations, we should work to fix the technical issues, not weakening security.
If you think about USERS, then you may be right. But if you "forget" the users and only think about the things you want to do, this is not a problem, I think.

For example, if you create a user ONLY to have an email account - what is the security problem? One user can read the email of the other, but this is what I want - I want 5 users to see the same email (like a call center - the person who "has time" reads the emails and reacts to them).

And what is the security risk if two users can upload/download files with the SAME user account? I don't see one.

On a "normal PC" you are right. Here at our office every user has his own account/pwd - sure. But on an internet server IMHO you don't need users - you need an FTP account, an email account and a database with a pwd, but WHY users? Schlund, 1und1, Strato - none of them have users.
#10
22nd February 2007, 11:16
till (Super Moderator, Lüneburg, Germany)

Quote:
what is the "extra" security if you can't see the pwd but change it?
In addition to martin's comment: many users use the same password for different things. That's why passwords should always be stored as hashes, so even the admin can't see or decrypt them.

Or think about what happens if your server gets hacked and the hacker gets all the clear-text passwords.

It's a big difference security-wise whether a password is stored as clear text or as a hash that cannot be decrypted!

(Remark: I know that it's possible to break simple passwords with dictionary attacks, or too-short passwords with brute force.)
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
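The point till makes above (a hash can be verified and replaced, but not read back, by the admin or by whoever steals the database) is easiest to see in code. The following is an added example written for this thread, not code from ISPConfig or from any poster; it uses Python's standard-library PBKDF2 with a per-user random salt, keeps the accounts in a constructed in-memory dictionary, and exposes the two things a control panel can offer (verify, reset) next to the one thing it cannot (recover). The iteration count and the sample usernames and passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# PBKDF2 iteration count for this example (assumed value, kept modest so the demo
# runs quickly; production deployments should use a higher, hardware-tuned count).
ITERATIONS = 200_000
SALT_LEN = 16

# Constructed in-memory account store: username -> (salt, derived key).
# Assumption: a real control panel would keep exactly these two fields in its DB.
AccountDB = Dict[str, Tuple[bytes, bytes]]


def derive_key(password: str, salt: bytes) -> bytes:
    """One-way derivation: the same password + salt always yields the same key,
    but the key cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(db: AccountDB, username: str, password: str) -> None:
    """Store only a fresh random salt and the derived key, never the password."""
    salt = os.urandom(SALT_LEN)
    db[username] = (salt, derive_key(password, salt))


def verify_password(db: AccountDB, username: str, password: str) -> bool:
    """Check a login attempt by re-deriving and comparing in constant time."""
    record = db.get(username)
    if record is None:
        # Unknown user: still do the work so timing does not reveal valid usernames.
        derive_key(password, b"\x00" * SALT_LEN)
        return False
    salt, stored_key = record
    return hmac.compare_digest(stored_key, derive_key(password, salt))


def recover_password(db: AccountDB, username: str) -> Optional[str]:
    """What the thread asks for. With hashed storage there is nothing to return:
    the admin (or an attacker holding a database dump) only sees salt + key."""
    return None


def reset_password(db: AccountDB, username: str, new_password: str) -> bool:
    """The supported remedy for a lost password: replace the record (new salt too)."""
    if username not in db:
        return False
    salt = os.urandom(SALT_LEN)
    db[username] = (salt, derive_key(new_password, salt))
    return True


def demo() -> dict:
    """Walk through the lost-password scenario; returns the observations as a dict."""
    db: AccountDB = {}
    create_account(db, "webuser", "correct horse battery staple")  # constructed sample
    result = {
        "login_ok": verify_password(db, "webuser", "correct horse battery staple"),
        "wrong_pw_rejected": not verify_password(db, "webuser", "Tr0ub4dor&3"),
        "unknown_user_rejected": not verify_password(db, "nobody", "anything"),
        "recoverable": recover_password(db, "webuser") is not None,
        # The stored key contains no fragment of the password bytes.
        "plaintext_in_store": b"correct horse" in db["webuser"][1],
    }
    # Two accounts with the same password get different salts, hence different keys,
    # so a leaked table does not even reveal which users share a password.
    create_account(db, "otheruser", "correct horse battery staple")
    result["same_pw_same_hash"] = db["webuser"][1] == db["otheruser"][1]
    # Reset flow: the old password stops working, the new one works.
    reset_password(db, "webuser", "new-Passw0rd")
    result["old_pw_after_reset"] = verify_password(db, "webuser", "correct horse battery staple")
    result["new_pw_after_reset"] = verify_password(db, "webuser", "new-Passw0rd")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the eight observations; the only operations available to the admin are `verify_password` and `reset_password`, which is why the shared-account cases in the thread (one FTP login for two people, one IMAP mailbox on five clients) end up needing a reset plus redistribution rather than a lookup.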