I can't see mail passwords in Edit User page after Virtualmin / Authentic Theme update

SYSTEM INFORMATION
OS type and version Ubuntu Linux 20.04.5
Virtualmin version 7.5

I can’t see mail passwords in Edit User page after Virtualmin / Authentic Theme update

You can’t see them, you can only reset to a new password.

I don’t know after which update but I could see it before the updates.

You could see user passwords?

I could see the mail passwords.

Passwords are visible to admin users if hashed passwords are not enabled. They obviously can’t be viewed if they’re hashed.

2 Likes

I didn’t touch anything. I think this option disappeared after the update.

That might be a bug. I’m not seeing it either, but I might have hashed passwords turned on everywhere. @Ilia has there been a change in viewing user passwords?

1 Like

I can see if hashed passwords are not enabled then user passwords can be seen:

@Cypher You can check if password hashing is enabled at System Settings ⇾ Server Templates: Edit Server Template page.

1 Like

I didn’t touch anything.

My setting is here.
How and where do I change the settings to see the passwords again?
Thanks.

@Ilia I found it. Hashed passwords are not enabled. But interestingly, I can see the user passwords in some domains, but not in others. Is this a bug? Thanks.

The Virtualmin domain config (id) file (can be found in Virtual Server Summary page) has an option hashpass. If you migrated this domain from a system where password hashing was disabled, or enabled the password hashing feature later, you may want to manually edit the domain config file and change hashpass=0 to hashpass=1, and only then change the password for the given virtual server on the Edit Virtual Server page, so that this particular domain does not store plain text passwords.

@Jamie, is this what we really want? If a user later decides to enable password hashing in templates, there is no simple way for a virtual server to pick this up, even on password change…

2 Likes
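An added example, not part of the thread or of Virtualmin's own code: a shell function that reports the per-domain hashpass setting described above for every domain config file in a directory, so domains still storing plain text passwords can be found. The directory is passed as an argument (its location is not given in the thread), the `dom` key name is an assumption, and the sample files and ids are constructed.

```shell
#!/bin/sh
# Report the hashpass state of every domain config file in DIR.
# Output per file: "<file name> <domain or ?> <hashed|plaintext|unset>"
audit_hashpass() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -F= -v id="$(basename "$f")" '
            { v = $2; gsub(/[ \t\r]+/, "", v) }   # tolerate stray whitespace or CR
            $1 == "hashpass" { hp = v }
            $1 == "dom"      { dom = v }          # assumed key holding the domain name
            END {
                state = (hp == "1") ? "hashed" : (hp == "0") ? "plaintext" : "unset"
                print id, (dom == "" ? "?" : dom), state
            }' "$f"
    done
}

# Constructed sample directory: three domain config files with made-up ids.
make_sample() {
    d=$(mktemp -d)
    printf 'dom=hashed.example\nhashpass=1\n' > "$d/1001"
    printf 'dom=plain.example\nhashpass=0\n'  > "$d/1002"
    printf 'dom=legacy.example\n'             > "$d/1003"   # no hashpass line at all
    echo "$d"
}

# Demo run against the constructed sample.
sample=$(make_sample)
audit_hashpass "$sample"
rm -rf "$sample"
```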

Correct, this setting persists for each domain after it is created - and there’s no way currently to change it.

1 Like

Wouldn’t this be a security risk having passwords in plain text?? I’ve always thought passwords were always hashed. For any issue with a customer not remembering their password, I’ve always reset it and never kept a copy of that password.

1 Like

It’s a tradeoff - storing them in plaintext is necessary if they need to be re-hashed in a different format, like for granting access to MySQL.

1 Like

It is a security risk if passwords are shared to other services/servers…only root has access to the passwords, and if someone has root, they own the server, regardless of passwords. (There are other security implications too, but that’s the big one. I use hashed passwords, but for non-technical users, it can be challenging.)

2 Likes

This can be easily solved. If the hashpass option for a domain and on a template differs (i.e. template has hashpass=1 and domain has hashpass=0), we can add a checkbox under the password field asking if the passwords should be hashed?

1 Like

I have taken a deeper look and solved this in this PR.

1 Like
