Plesk for Linux
Applicable to:
- Plesk for Linux
Question
When executing the utility plesk sbin mail_auth_view, its output shows email accounts with hashed passwords. Is it possible to decrypt these hashed passwords?
Answer
There is no way to decrypt the email address password in case it is hashed. As a workaround, reset the password of this email address.
Additional Information
A hashed password in the output of mail_auth_view may appear in the following cases:
- Domains have been migrated from a non-Plesk server.
- Plesk has been upgraded from Plesk 10 and older releases.
- An email address has been created/updated with the encrypted password type version (see the passwd_type option on this Plesk documentation page).
Comments
How can I make sure that the passwords are hashed (and cannot be decrypted)? I cannot see that this is the case for a Plesk Onyx 17.5 installation that was updated from Plesk 11.5 to 12 to 12.5 to 17.
@b_p Most probably Enhanced Security Mode is not enabled (https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/enhanced-security-mode.71227/). Such a feature is available starting from Plesk 12.0 and should be activated manually in case of an upgrade from previous versions.
Hi @Nikolay, I already enabled this feature when we were using Plesk 12.0 (we moved from there to 12.5 and Onyx 17.5).
However, mail_auth_view still provides the plain text passwords. Manually disabling the enhanced security mode (https://support.plesk.com/hc/en-us/articles/213932485-How-to-disable-Enhanced-Security-Mode-in-Plesk-11-as-this-mode-conflicts-with-custom-api-) and re-enabling it using the web interfaces does not change the situation.
@b_p
All mail passwords are hashed in Plesk database.
To verify it you can execute the following sql query:
mysql> select m.mail_name,a.password from mail m left join accounts a on m.account_id=a.id;
mail_auth_view shows passwords in plain text, however, it is an administrative tool which is available for root user only.
Hi Bato,
I know that the passwords are hashed in the database. However, you do not use one-way hashes but encrypt them symmetrically with a key so that the root user can decrypt them, e.g., by using mail_auth_view.
However, this is not state-of-the-art any more (see for example https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet and https://talk.plesk.com/threads/encrypt-email-passwords-even-for-root.343090/). In case the root account gets compromised, the attacker can access all passwords (that people incautiously might have used for other accounts as well). This is what has happened to many companies (including Yahoo etc.) in the past. A security-aware administrator would like to prevent this from happening.
Thus, it would be Plesk's task to implement this (ASAP and not based on your feature request system!) if this is not yet the case.
According to post #5 of thread https://talk.plesk.com/threads/force-password-encryption-for-mail-users.332212/ one-way hashes are used for some Plesk installations already. Is that true? If yes, how can I enable this manually?
Hello,
Almost all password types are already encrypted using one-way encryption (such as psa.clients, psa.smb users and so on).
However, the question is:
Which Plesk functions won't work if all passwords provided by a user become one-way hashed?
And a lot of functionality becomes unavailable in this case, for example:
Moreover, Plesk needs to store two-way encrypted passwords for external systems (e.g. database servers, including the mysql server with the `psa` database).
So, it is not possible to use one-way encryption everywhere. However, as you already said, only the root user has access to the private key. And we recommend you to secure root access to the server as much as possible. For example, forbid root to log in through ssh and use sudo instead, forbid authentication using a password, etc.
Well, at least for mail passwords this should be fixed because we have to assume that users use the same password for accounts and mail addresses (and since only here a direct link to an e-mail address is given...).
Can you elaborate on the digest-md5 issue for Linux servers?
@b_p
All authentication mechanisms based on a shared secret will not work in case of 1-way hashing, because the plain-text password must be known to generate the shared secret. Other methods to implement shared secret mechanisms are less secure.
That is why we are not using one-way hashing for mail.
If you want to read more regarding this point, you can see the following article on Wikipedia:
https://en.wikipedia.org/wiki/CRAM-MD5
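The incompatibility described in the comment above, as an added example that is not part of the article or Plesk's own code: the CRAM-MD5 response is an HMAC keyed with the plain-text password, so a server that stores only a one-way hash (PBKDF2 here) can still verify a PLAIN/LOGIN password but cannot check a CRAM-MD5 response. The credentials and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the article).
PASSWORD = "correct horse battery staple"


def cram_md5_response(password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server's
    challenge, keyed with the plain-text password, as lowercase hex."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_verify_with_plaintext(stored_pw: str, challenge: bytes, resp: str) -> bool:
    """Server that can recover the plain-text password (two-way encrypted
    storage, as Plesk does for mail): recompute the HMAC and compare."""
    return hmac.compare_digest(cram_md5_response(stored_pw, challenge), resp)


def one_way_hash(password: str, salt: bytes) -> bytes:
    """One-way password hash (PBKDF2-HMAC-SHA256, 100k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def plain_verify_with_hash(stored_hash: bytes, salt: bytes, password: str) -> bool:
    """PLAIN/LOGIN auth works fine against a one-way hash: hash and compare."""
    return hmac.compare_digest(one_way_hash(password, salt), stored_hash)


def cram_verify_with_hash(stored_hash: bytes, challenge: bytes, resp: str) -> bool:
    """Server holding only the one-way hash: the best it can do is key the
    HMAC with the hash, which never matches a client keyed with the real
    password. This is why CRAM-MD5 needs the plain-text secret."""
    return hmac.compare_digest(
        hmac.new(stored_hash, challenge, hashlib.md5).hexdigest(), resp
    )


def demo() -> dict:
    """Run one CRAM-MD5 exchange against both storage models."""
    challenge = b"<1896.697170952@postoffice.example.com>"  # constructed
    resp = cram_md5_response(PASSWORD, challenge)             # client answer
    salt = os.urandom(16)
    stored_hash = one_way_hash(PASSWORD, salt)
    return {
        "cram_with_plaintext": cram_verify_with_plaintext(PASSWORD, challenge, resp),
        "plain_with_hash": plain_verify_with_hash(stored_hash, salt, PASSWORD),
        "cram_with_hash": cram_verify_with_hash(stored_hash, challenge, resp),
    }
```

Running demo() returns True for the first two checks and False for the last, which is exactly the trade-off the comment describes.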