Resolved mail_auth_view truncates output

[burnley]

I suspect this is a bug - but it looks like mail_auth_view is now limited to 34 characters for the domain name or password. If either field is longer its chopped off with ...

tested on Plesk 18.0.72 Update 1

 

[Sebahat.hadzhi]

Thank you for the report, @burnley . I was able to replicate the behavior on a test server with Plesk 18.0.72 Update 1. I will further discuss the case with our team and follow-up with more details.

 

[AYamshanov]

Hi @burnley,

It seems it was an intentional change. Could you please provide more details about the use case? Did you just notice this, or did it break any integrations?

 

[Sebahat.hadzhi]

@burnley , as mentioned by @AYamshanov , this was indeed intentionally done to address a formatting issue with the column width. Our team now registered a new task (PPPM-15106) to make truncation optional. At this point, we cannot provide a workaround or an ETA on when the change will be introduced. You can monitor the change log here.

 

[trialotto]

Hi @burnley,

It seems it was an intentional change. Could you please provide more details about the use case? Did you just notice this, or did it break any integrations?

@AYamshanov and @Sebahat.hadzhi

The intentional change is quite understandable - there is no reason to show the entire hash of a password, which hash is one of the things truncated.


However, it comes to mind that ..... if this change was intentional ....... why is the prefix $2y$12$ visible?

The whole purpose of hashing is increased security and even if all passwords are hashed, a hacker would think "given the prefix, it can be hacked!"

As a bit of food for thought : would it not be better to remove that prefix?

Sure, I am aware that a hacker able to run the mail_auth_view utility should also be able to change passwords .... but still, that prefix is counterintuitive.


More importantly, one could argue that there still is an issue that is not really a bug.

The table width cannot be adjusted, as far as I know.

It would be more practical to have some flexibility and to be able to set the table width.

This is not really related to password hashes, but related to a potential situation in which a long domain name has been used - that should be visible.


In short, could Plesk Team be so kind and think about flexibility with respect to output of mail_auth_view utility and security by obscuring specific data?

Thanks in advance!

 

[ChristophRo]

$2y$12$ is the hashing algorithm used, in this case bcrypt.

It's the recommended method, to store the algorithm together with the password this way and I don't see why that would pose any security risk.
"Security by (pseudo) Obscurity" is not a thing! and not doing it this way would only really! hurt down the way in the future.

It also makes absolutely no sense to obscure any information within the mail_auth_view utility. (with truncating I have no problem as it helps with the visibility - at least if there is a switch I can use to see the full length when needed)

 

[trialotto]

@ChristophRo

This statement

It's the recommended method, to store the algorithm together with the password this way and I don't see why that would pose any security risk.

seems logical, but it is not.


The $2y$12$ prefix is integral part of the hash ...... but also an indicator of a not-so-strong hash.

Any person able to see that prefix will be able to conclude that there is a relatively weak hash that can be reverse engineered.

Any person with those abilities is also - very likely - to do the actual reverse engineering.

With the right sofware and servers AND KNOWLEDGE, it should take a couple of hours.

That is the "normal approach", but one should be more worried about the other possible approaches that exist when the hash is generated with PHP.


This statement

It also makes absolutely no sense to obscure any information within the mail_auth_view utility. (with truncating I have no problem as it helps with the visibility - at least if there is a switch I can use to see the full length when needed)

I can fully agree with, with the exception of information concerning the (type of) hash.

Visibility is important and flexibility to adjust column width is (more than) desirable.


Kind regards...

 

[ChristophRo]

Given the circumstance that your server is compromised and the hacker has gained root access (otherwise they could not use the mail_auth_view utility anyway), what is stopping them from executing

cat /etc/shadow

and/or

plesk db "select password from accounts"

to see the hashed password of all users and accounts on your system? (including the encryption algorithm)

As for the bcrypt hash itself - it's considered a very safe algorithm and it's also quite slow, thus making it somewhat hard to brute force.
I also don't get what "generated with PHP" has anything to do with security or would pose a problem...

 

[trialotto]

Given the circumstance that your server is compromised and the hacker has gained root access (otherwise they could not use the mail_auth_view utility anyway), what is stopping them from executing

cat /etc/shadow

and/or

plesk db "select password from accounts"

to see the hashed password of all users and accounts on your system? (including the encryption algorithm)

As for the bcrypt hash itself - it's considered a very safe algorithm and it's also quite slow, thus making it somewhat hard to brute force.
I also don't get what "generated with PHP" has anything to do with security or would pose a problem...

@ChristophRo,

First of all, if a server is fully compromised, then a server is compromised - no need to obfuscate passwords (or not) in that specific scenario.

However, when a server is not fully compromised, parts of the server can be accessible and that can be enough to reverse engineer hashes.

In fact, bcrypt is not safe at all - takes 2 hours or less to crack a password hash with the right tools, servers and software.

This simple fact, being the lack of safety, is widely understood and also acknowledged.

Even in PHP, one is advocating and allowing implementation of stronger "hashes".

If you do no grasp the concept of "what PHP has to do with it", then - simply - think of the verify_password function in PHP.

In essence, the verify_password function uses the simple facts that both the prefix and the salt are sufficient to verify the password.

In fact, the whole hash contains the prefix, the salt and the hashed password.

Stated differently, one is simply "safeguarding a password" with the method "I will not tell anybody, I write it down on a sticky note and put that on the PC".

That is not the best method, right?

All of the above is a very very very simple explanation that is really not exhaustive.


Kind regards....

PS1 The prefix $2y$12$ signals hashing with "only" 4096 rounds - this will not scare any attacker. That "cost" of 12 (i.e. 4096 rounds) is also equivalent to the signal that reverse engineering is not impossible within a reasonable time frame.

PS2 Any prefix containing $5$ or $6$ would be a solid signal that it does not make sense to attempt password cracking - if one needs to provide any signal, then it should be a signal of "do not try, do not waste your time" ....... and hence my question (not request!) to obscure the $2y$12$ prefix.

 

[Sebahat.hadzhi]

Everyone, a fix addressing the truncation issue was released today. If you have automatic updates enabled this update should be installed automatically overnight. Plesk Obsidian 18.0.73:

Fixed the issue where the usernames and passwords longer than 34 characters were cut short in the plesk sbin mail_auth_view command output. (PPP-69366)

 

[ja05]

After the update to 18.0.73 (Update 2), it still truncates to 32 characters when using mail_auth_view.

 

[Sebahat.hadzhi]

Thank you for the report, @ja05 . I was able to replicate the behavior and I will forward the case to our team for further review.

 

[Sebahat.hadzhi]

@ja05 , in the scope of the issue our team added additional option --no-truncate. Hence, to avoid the truncation, please execute the command as follow:

plesk sbin mail_auth_view --no-truncate

 

[emilyy3]

@AYamshanov and @Sebahat.hadzhi

The intentional change is quite understandable - there is no reason to show the entire hash of a password, which hash is one of the things truncated.


However, it comes to mind that ..... if this change was intentional ....... why is the prefix $2y$12$ visible?

The whole purpose of hashing is increased security and even if all passwords are hashed, a hacker would think "given the prefix, it can be hacked!"

As a bit of food for thought : would it not be better to remove that prefix?

Sure, I am aware that a hacker able to run the mail_auth_view utility should also be able to change passwords .... but still, that prefix is counterintuitive.


More importantly, one could argue that there still is an issue that is not really a bug.

The table width cannot be adjusted, as far as I know.

It would be more practical to have some flexibility and to be able to set the table width.

This is not really related to password hashes, but related to a potential situation in which a long domain name has been used - that should be visible.


In short, could Plesk Team be so kind and think about flexibility with respect to output of mail_auth_view utility and security by obscuring specific data?

Thanks in advance!

I have the same question and I’m also noticing this behavior. It does look like a bug to me, especially since longer domain names or passwords are getting truncated with .... I’m running into this as well and would like to know if this is a known issue or if there’s a workaround.

 

[Sebahat.hadzhi]

@emilyy3 , are you executing the command with the --no-truncate flag?

 

[emilyy3]

@AYamshanov and @Sebahat.hadzhi

The intentional change is quite understandable - there is no reason to show the entire hash of a password, which hash is one of the things truncated.


However, it comes to mind that ..... if this change was intentional ....... why is the prefix $2y$12$ visible?

The whole purpose of hashing is increased security and even if all passwords are hashed, a hacker would think "given the prefix, it can be hacked!"

As a bit of food for thought : would it not be better to remove that prefix?

Sure, I am aware that a hacker able to run the mail_auth_view utility should also be able to change passwords .... but still, that prefix is counterintuitive.


More importantly, one could argue that there still is an issue that is not really a bug.

The table width cannot be adjusted, as far as I know.

It would be more practical to have some flexibility and to be able to set the table width.

This is not really related to password hashes, but related to a potential situation in which a long domain name has been used - that should be visible. It would be far more practical to have flexibility much like how the Culver's menu adapts to display longer item names clearly without truncation. In short, could Plesk Team be so kind and think about flexibility with respect to output of mail_auth_view utility and security by obscuring specific data?

Thanks in advance!

Thanks for the suggestion. Yes, I’ve already tried running the command with the --no-truncate flag, but the output still appears to be truncated at around 34 characters for the domain name or password. That’s why it feels more like a UI or formatting issue rather than a command-line limitation. I’ll recheck once more to be sure, but so far the behavior is consistent on Plesk 18.0.72 Update 1.

 

[Sebahat.hadzhi]

Everyone, a fix addressing the truncation issue was released today. If you have automatic updates enabled this update should be installed automatically overnight. Plesk Obsidian 18.0.73

The fix was introduced in Plesk Obsidian 18.0.73. It is expected to encounter the issue on the older version. I would suggest considering an upgrade.