I am really surprised at this behavior. In Virtualmin, I can see the password for any SSH user by clicking the "(Show..)" link next to the "Password ( ) Leave unchanged" option in a variety of locations. I have found that the passwords for all users including users with SSH access are stored in cleartext files in /etc/webmin/... This seems like an unnecessary risk! How can I prevent Virtualmin from storing passwords in this manner?
5
- Is this just not possible? I am shocked. – Josh Mar 19 '10 at 12:35
- Never underestimate the stupidity of programmers – The Unix Janitor Mar 20 '10 at 15:03
- This question appears to be off-topic because it is about [`working with a service provider's management interface, such as cPanel`](http://serverfault.com/help/on-topic). – HopelessN00b Jan 14 '15 at 01:36
1 Answer
4
The last release of Virtualmin (3.88.gpl) has the feature "Hashed password storage".
So it's now possible:

> Hashed password storage
>
> Storage of plaintext passwords for virtual servers and mailboxes can now be disabled on a per-template basis. Virtualmin will instead store only hashed passwords in multiple formats, which prevents passwords from being compromised if the system is hacked. This feature should ideally be enabled before any virtual servers have been created.

Dvir Berebi
- This is an option when you install/setup, but by enabling it you lose the ability to view the server's password. I like this as my passwords are randomly generated and not used anywhere else, therefore no loss if compromised. – Hayden Thring Jan 17 '13 at 10:39