SYSTEM INFORMATION | |
---|---|
OS type and version | Ubuntu Linux 20.04.5 |
Virtualmin version | 7.5 |
I can’t see mail passwords in Edit User page after Virtualmin / Authentic Theme update
You can’t see them, you can only reset to a new password.
I don’t know after which update but I could see it before the updates.
You could see user passwords?
I could see the mail passwords.
Passwords are visible to admin users if hashed passwords are not enabled. They obviously can’t be viewed if they’re hashed.
I didn’t touch anything. I think this option disappeared after the update.
That might be a bug. I’m not seeing it either, but I might have hashed passwords turned on everywhere. @Ilia has there been a change in viewing user passwords?
I can see if hashed passwords are not enabled then user passwords can be seen:
@Cypher You can check if passwords hashing is enabled at System Settings ⇾ Server Templates: Edit Server Template page.
I didn’t touch anything.
@Ilia I found it. Hashed passwords are not enabled. But interestingly, I can see the user passwords in some domains, but not in others. Is this a bug? Thanks.
Virtualmin domain config (id) file (can be found in Virtual Server Summary page) has an option `hashpass`. If you migrated this domain from a system where passwords hashing was disabled or enabled hashing password feature later, you may want to manually edit domain config file and change `hashpass=0` to `hashpass=1`, and only then change the password for the given virtual server on Edit Virtual Server page, for this particular domain not to store plain text passwords.
@Jamie, is this what we really want? If a user later decides to enable password hashing in templates, there is no simple way for a virtual server to pick this up, even on password change…
Correct, this setting persists for each domain after it is created - and there’s no way currently to change it.
Wouldn’t this be a security risk having passwords in plain text? I’ve always thought passwords were always hashed. Any issue with a customer not remembering their passwords I’ve always reset and never kept a copy of that password.
It’s a tradeoff - storing them in plaintext is necessary if they need to be re-hashed in a different format, like for granting access to MySQL.
It is a security risk if passwords are shared to other services/servers…only root has access to the passwords, and if someone has root, they own the server, regardless of passwords. (There are other security implications too, but that’s the big one. I use hashed passwords, but for non-technical users, it can be challenging.)
This can be easily solved. If the `hashpass` option for a domain and on a template differs (i.e. template has `hashpass=1` and domain has `hashpass=0`), we can add a checkbox under the password field asking if the passwords should be hashed?
I have taken a deeper look and solved this in this PR.
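An added example, not part of the original thread or of Virtualmin's code: a small audit that reads the per-domain `hashpass` option discussed above and lists domains that still keep plain-text passwords, flagging those that differ from the template setting. The `dom` and `pass` key names, the treatment of a missing `hashpass` as disabled, and the sample files are assumptions made for illustration.

```python
import os
import tempfile

def parse_domain_file(path):
    """Parse a key=value domain config file into a dict."""
    conf = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.rstrip("\r\n").partition("=")
            if sep and not key.startswith("#"):
                conf[key.strip()] = value
    return conf

def audit_domains(domains_dir, template_hashpass=True):
    """List domains not using hashed passwords; never returns a password."""
    findings = []
    for name in sorted(os.listdir(domains_dir)):
        path = os.path.join(domains_dir, name)
        if not os.path.isfile(path):
            continue
        conf = parse_domain_file(path)
        # Assumption: a missing hashpass key is treated like hashpass=0.
        hashed = conf.get("hashpass", "0") == "1"
        if hashed:
            continue
        findings.append({
            "id": name,
            "domain": conf.get("dom", "?"),              # assumed key name
            "plaintext_stored": bool(conf.get("pass")),  # assumed key name
            "differs_from_template": template_hashpass != hashed,
        })
    return findings

def build_sample_dir():
    """Create constructed sample domain files in a temp directory."""
    samples = {
        "1111": "dom=example.com\nhashpass=0\npass=constructed-secret\n",
        "2222": "dom=example.org\nhashpass=1\n",
        "3333": "dom=example.net\npass=\n",
    }
    root = tempfile.mkdtemp(prefix="vmin-domains-")
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    # On a real system, pass the directory that holds the domain (id) files.
    for finding in audit_domains(build_sample_dir()):
        print(finding)
```

Run it as root against a copy of the domain config directory; the report only says whether a password value is present, so the output can be shared without exposing credentials.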