Bug report: Backups SSH key displaying password

SYSTEM INFORMATION
OS type and version: Ubuntu 20.04
Webmin version: 1.981
Virtualmin version: 6.17

When saving a scheduled backup, the password seems stored as SSH Key, and backups fail.

Re-editing the scheduled backup, moving the password back to password field, re-saving, doesn’t help: When re-editing, the password shows again in the SSH key as cleartext.

Actually, that happens only after having clicked on the “Backup” button at the right of the list of scheduled backups to manually execute a scheduled backup.

@beat sorry you what ??? SSH key is random calculated hash…you won’t be even able to see password even with hobble telescope… are you okay?

Sorry for shortening. “SSH Key” is actually the file path field, exact field name is “Or SSH key file” under " Backup destinations" when “SSH Server” is selected, in the “Destination and format” accordion of an entry in “scheduled backups”.

That field “Or SSH key file” was initially empty, I was using SSH passwords.

After editing and saving the scheduled backup, then running it using the “Backup” action button as a single backup in background, going back to editing the “Scheduled backup”, the password that was under “Login with password” field was now visible in the “Or SSH key file” field, with the “Login with password” field empty.

And even after putting the password back to “Login with password” field and emptying “Or SSH key file” field, and saving, when editing again, the “Login with password” field was again empty and the “Or SSH key file” field contained again the password.

I now switched to SSH certificates, and left password field empty, and it works again, but no way to use SSH passwords anymore on those backups (not a big issue for me as certificates are better anyway, but wanted to report the bug to the Virtualmin team here).

hi @beat

well good rule is to disable pam auth and let use ssh keys as default auth - there is nothing like destination and format affecting by ssh keys - ssh key is acting like your user name and password - rest is how did you set up…

did you disabled pam auth? for programs or bash scripts it should be disabled - as ssh is automatic

  • do you know what you doing?

well congratulations - you now using automation and ssh keys - enjoy.

certs are safest way - if you need or want to use password you would have to do it manually as you will need to enter password each time you do backup or operations like file transfer which is encrypted - so if you did not realized yet how certs works - it would be pointless to explain = there is tons of docs on google. Have a fun to do research.

with ssh key you not need pass or username to be more secured then usa military - that is the point of ssh…

Thank you @unborn. Yes, I know exactly what I am doing, I have a background also in IT security and cryptography. I was using SSH passwords before (and restricted completely the SSH access to the backup server, which is behind 2 firewalls each with a different OS and code-base) because that was how Virtualmin settings for backups were until last 2 releases. Now, I also could also disable the password logins to the SSH backup server, yes, it’s more secure!

Here, I am reporting a bug of Virtualmin to the Virtualmin team in the new configuration UI that now allows to specify a path for the ssh key file and gets populated with the SSH password under the circumstances described above.

Thanks in advance for keeping this thread focussed on the UI bug described, that I summarize again for Virtualmin team:

Virtualmin is mixing up field contents of Password and SSH key file path in scheduled backups after performing a single “Backup now” action using the scheduled backup definition from a previous version of Virtualmin.