Is it possible to decrypt hashed passwords in output of mail_auth_view utility?

Comments

  • b_p

    How can I make sure that the passwords are hashed (and cannot be decrypted)? I cannot see that this is the case for a Plesk Onyx 17.5 installation that was updated from Plesk 11.5 to 12 to 12.5 to 17.

  • Nikolay Zhmuk

    @b_p Most probably Enhanced Security Mode is not enabled ( https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/enhanced-security-mode.71227/ ). This feature is available starting from Plesk 12.0 and has to be activated manually in case of an upgrade from a previous version.

  • b_p (Edited)

    Hi @Nikolay, I already enabled this feature when we were using Plesk 12.0 (we moved from there to 12.5 and Onyx 17.5).

    However, mail_auth_view still provides the plain-text passwords. Manually disabling the Enhanced Security Mode (https://support.plesk.com/hc/en-us/articles/213932485-How-to-disable-Enhanced-Security-Mode-in-Plesk-11-as-this-mode-conflicts-with-custom-api-) and re-enabling it using the web interface does not change the situation.

  • Bato Tsydenov

    @b_p

    All mail passwords are hashed in Plesk database.
    To verify it you can execute the following sql query:

    mysql> select m.mail_name,a.password from mail m left join accounts a on m.account_id=a.id;

    mail_auth_view shows passwords in plain text; however, it is an administrative tool which is available to the root user only.

  • b_p

    Hi Bato,

    I know that the passwords are hashed in the database. However, you do not use one-way hashes but encrypt them symmetrically with a key so that the root user can decrypt them, e.g., by using mail_auth_view.

    However, this is not state-of-the-art any more (see for example https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet and https://talk.plesk.com/threads/encrypt-email-passwords-even-for-root.343090/). In case the root account gets compromised, the attacker can access all passwords (that people incautiously might have used for other accounts as well). This is what has happened to many companies (including Yahoo etc.) in the past. A security-aware administrator would like to prevent this from happening.
    Thus, it would be Plesk's task to implement this (ASAP and not based on your feature request system!) if this is not yet the case.

    According to post #5 of thread https://talk.plesk.com/threads/force-password-encryption-for-mail-users.332212/ one-way hashes are used for some Plesk installations already. Is that true? If yes, how can I enable this manually?

  • Konstantin Annikov

    Hello, 

    Almost all password types are already encrypted using one-way encryption (such as psa.clients, psa.smb users and so on). 

    However, the question is: 
    Which Plesk functions won't work if all passwords provided by a user become one-way hashed?

    And a lot of functionality becomes unavailable in this case, for example: 

    • phpMyAdmin/phpPgAdmin/MyLittleAdmin auto-login integration
    • digest-md5 authentication method for mail users on Linux
    • Ability to get git repository Webhook URL later after generating.
    • PostgreSQL
    • SmarterMail
    • etc. 

    Moreover, Plesk needs to store two-way encrypted passwords for external systems (e.g. database servers, including mysql server with `psa` database).

    So it is not possible to use one-way encryption everywhere. However, as you already said, only the root user has access to the private key. And we recommend securing root access to the server as much as possible. For example, forbid root login through SSH and use sudo instead, forbid password authentication, etc. 
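The hardening advice in the comment above (no root login over SSH, no password authentication) is easy to get wrong because sshd applies the first occurrence of a keyword and treats everything after a `Match` line as conditional. The following is an added example, not a Plesk tool or Plesk code: it parses sshd_config text with those two rules and reports the global settings that deviate from the recommendation. The two config samples are constructed; `PermitRootLogin` and `PasswordAuthentication` are real OpenSSH keywords, and the fallback values below are OpenSSH's documented defaults.

```python
"""Audit an sshd_config for the two settings recommended in the thread.

Added example, not Plesk tooling. Parsing rules mirror OpenSSH behaviour:
the first occurrence of a keyword wins, and the global section ends at the
first 'Match' line (later lines only apply inside that conditional block).
"""
import re

# OpenSSH defaults when the keyword is absent (PermitRootLogin defaults to
# prohibit-password since OpenSSH 7.0; PasswordAuthentication defaults to yes).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# What the comment above asks for: no root over SSH at all, keys only.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed sample: a typical install plus a well-meant but ineffective fix.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# Added later by an admin. Ignored: sshd keeps the first value it saw above.
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the settings placed once, at the top, before any Match.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""

_KEYVAL = re.compile(r"([A-Za-z]+)\s*[=\s]\s*(.+)")


def global_settings(text: str) -> dict:
    """Effective global keyword values, lowercased. First occurrence wins;
    parsing stops at the first Match block."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        found.setdefault(key, value)  # keep the first value, as sshd does
    return found


def audit(text: str) -> list:
    """Return (keyword, effective_value) pairs that violate REQUIRED."""
    settings = global_settings(text)
    findings = []
    for key, required in REQUIRED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != required:
            findings.append((key, effective))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

The weak sample is reported even though it contains `PermitRootLogin no`, because that line comes after an earlier `PermitRootLogin yes`; run `sshd -t` after editing and check the effective values with `sshd -T` rather than trusting a grep.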

  • b_p

    Well, at least for mail passwords this should be fixed because we have to assume that users use the same password for accounts and mail addresses (and since only here a direct link to an e-mail address is given...).

    Can you elaborate on the digest-md5 issue for Linux servers?

  • Konstantin Annikov

    @b_p

    All authentication mechanisms based on a shared secret will not work in the case of one-way hashing, because the plain-text password is needed to generate the shared secret. Other methods to implement shared-secret mechanisms are less secure. 

    That is why we are not using one-way hashing for mail.

    If you want to read more regarding this point, you can see the following article on Wikipedia: 

    https://en.wikipedia.org/wiki/CRAM-MD5
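The point made in the two comments above (b_p's request for one-way hashes, and Konstantin's answer that CRAM-MD5 needs the plain-text password) can be shown concretely. The following is an added example, not Plesk code: it models both storage types and both SASL mechanisms. `store_reversible` is a toy stand-in for Plesk's root-readable symmetric encryption (it is not Plesk's actual scheme and is not meant for real use); the scrypt-based one-way store is the kind of storage the OWASP cheat sheet recommends. The user name, password, key and challenge are constructed for the demo.

```python
"""Why CRAM-MD5 needs the server to know the plaintext, while PLAIN does not.

Added example, not Plesk code. The reversible store below is a toy cipher
standing in for 'root can decrypt it'; it is not Plesk's AES format.
"""
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demo.
USER = "alice@example.com"
PASSWORD = "correct horse battery staple"
# Stand-in for the key that, on a Plesk host, only root can read.
ROOT_ONLY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; illustration only, not for real use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_reversible(password: str, key: bytes = ROOT_ONLY_KEY) -> dict:
    """Reversible storage: anyone holding `key` (i.e. root) recovers the plaintext."""
    nonce = secrets.token_bytes(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    return {"type": "sym", "nonce": nonce, "ct": ct}


def recover_plaintext(record: dict, key: bytes = ROOT_ONLY_KEY) -> str:
    """What mail_auth_view effectively does: decrypt with the root-readable key."""
    ks = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


def store_one_way(password: str) -> dict:
    """Salted scrypt hash: the plaintext cannot be recovered, not even by root."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"type": "scrypt", "salt": salt, "hash": digest}


def verify_plain(record: dict, candidate: str) -> bool:
    """SASL PLAIN/LOGIN: the client sends the password itself (over TLS),
    so either storage type can check it."""
    if record["type"] == "scrypt":
        digest = hashlib.scrypt(candidate.encode(), salt=record["salt"],
                                n=2**14, r=8, p=1, dklen=32)
        return hmac.compare_digest(digest, record["hash"])
    return hmac.compare_digest(recover_plaintext(record).encode(), candidate.encode())


def make_challenge() -> bytes:
    """CRAM-MD5 server challenge (RFC 2195 uses a msg-id-like string)."""
    return b"<" + secrets.token_hex(8).encode() + b".1@mail.example.com>"


def client_cram_md5(user: str, password: str, challenge: bytes) -> str:
    """What the mail client sends back: 'user HEX(HMAC-MD5(password, challenge))'."""
    return user + " " + hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram_md5(record: dict, user: str, challenge: bytes, response: str) -> bool:
    """The server must recompute the same HMAC, which requires the plaintext
    (or password-equivalent HMAC state). A one-way hash cannot do that."""
    if record["type"] != "sym":
        raise NotImplementedError("CRAM-MD5 cannot be verified against a one-way hash")
    got_user, _, got_digest = response.partition(" ")
    expected = hmac.new(recover_plaintext(record).encode(), challenge, hashlib.md5).hexdigest()
    return got_user == user and hmac.compare_digest(expected, got_digest)


if __name__ == "__main__":
    sym, oneway = store_reversible(PASSWORD), store_one_way(PASSWORD)
    chal = make_challenge()
    resp = client_cram_md5(USER, PASSWORD, chal)
    print("PLAIN vs one-way hash:", verify_plain(oneway, PASSWORD))
    print("CRAM-MD5 vs reversible store:", verify_cram_md5(sym, USER, chal, resp))
    try:
        verify_cram_md5(oneway, USER, chal, resp)
    except NotImplementedError as e:
        print("CRAM-MD5 vs one-way hash:", e)
```

The "less secure" alternative Konstantin alludes to is to store the HMAC-MD5 inner and outer contexts instead of the password (Dovecot's CRAM-MD5 password scheme does this); that lets the server answer challenges without the plaintext, but the stored value is still password-equivalent for CRAM-MD5, so it gains nothing against a root compromise. The only way to get real one-way storage for mailboxes is to disable CRAM-MD5/DIGEST-MD5 and require PLAIN or LOGIN over TLS.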

