Passwords are not PLAIN anymore in Plesk 11?

[HoracioS]

Since the Plesk v11.09 MU#1 all the passwords are stored in $AES-128-CBC$ cypher format.

Can I change or back to PLAIN again?

Thanks,
Horacio

 

[paulieG]

Hi,

No I'm afraid not (according to the documentation). As far as I recall the upgrade process won't auto-convert the passwords, you have to activate it, new installs though will always have encrypted passwords.

Paul.

 

[abdi]

And its a good thing that these passwords are now encrypted.

 

[HoracioS]

I think it could be an option in the panel to be encrypted or not.
Depending on your customer service would be a pain to change permanently your users´s passwords and you or your customers cannot use tools like PowerToys ...

regards,
Horacio

 

[abdi]

By default the passwords are not encrypted. You have to enter a security key or and enable in security settings for the server wide password encryption to take place.

 

[HoracioS]

Yes, you are right!!!

Home-->Tools & Settings-->Security Policy

But take care about this....

The enhanced security mode is turned on.

This means the following:
All sensitive data in Panel are reliably protected from unauthorized access.
If you employ third-party software which uses the Panel remote API, note that it may be affected by the mode. Specifically, in the enhanced security mode, Panel prohibits obtaining sensitive data (such as user passwords) through the API.

Note that the enhanced security mode cannot be turned off.

 

[HoracioS]

In new installations, the enhanced security mode is turned on by default.

Anybody know how to install a new server with this mode turned off ? Not upgrading from 10.x please...

Regards,
Horacio

 

[IgorG]

Look at misc table secure_passwords param.

 

[HoracioS]

Thank you IgorG !!!
This parameter in MYSQL was the solution I needed!!!!

Best regards,
Horacio

 

[abdi]

Look at misc table secure_passwords param.

Thanx for that information Igor.

 

[Corné]

upgrade

So, if I do an upgrade from Plesk 10 to 11 the encryption is turned off by default?

 

[IgorG]

Yes, it is disabled in case of upgrade and enabled in case of fresh installation.

 

[LarsenD]

And I can enable the encryption by activating the enhanced security mode? I´m still at Plesk 10 but want to know this for later.

 

[IgorG]

And I can enable the encryption by activating the enhanced security mode? I´m still at Plesk 10 but want to know this for later.

Yes, you can. Just go to Home>Tools & Settings>Security Policy

 

[COnradoC]

if you use an external Mysql Database you must also change the Passord for the admin Account, because plesk gets an Access Denied from Mysql. It seems that Plesk use encrypted Password to connect to mysql if enhanced security mode is turned on.

you can do this by logging in to the external Mysql Insatance as root and change the Password for the admin Account with

update user set password=PASSWORD('YOU_UNENCRYTED_PASSWORD') where user='admin';

 

[Frater]

I have written several scripts to get info like an FTP-password and parts don't work anymore.
With what hash can I decrypt these passwords and what would be the best command in bash to do this?

 

[HoracioS]

I wrote a little script for Plesk to write passwords in PLAIN text (disable Enhanced Security Mode in Security Policy section anytime). With Enhanced Security Mode disabled, you can still use PowerToys or other tools/scripts to read the passwords.

Best regards,
Horacio D. Stolovitzky

#!/bin/bash

MYSQL_BIN=`which mysql`
WGET_BIN=`which wget`
CHMOD_BIN=`which chmod`
CHOWN_BIN=`which chown`
TOUCH_BIN=`which touch`

/bin/rm -f /tmp/sec_pass

$MYSQL_BIN -uadmin -p`cat /etc/psa/.psa.shadow` -e "select val into outfile '/tmp/sec_pass' FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' from psa.misc where param = 'secure_passwords';"

VALOR_ACTUAL=`cat /tmp/sec_pass`

echo "El valor de actual de la la variable secure_passwords es: $VALOR_ACTUAL ";
echo "Desea Cambiarlo a o dejarlo en este valor ? ( S/N )"
echo " "
echo " "
echo " "
read SN

if [ "$SN" == "S" ] || [ "$SN" == "s" ]; then
if [ "$VALOR_ACTUAL" == "true" ]; then
echo "Actualizo el valor a FALSO !!!"
$MYSQL_BIN -uadmin -p`cat /etc/psa/.psa.shadow` -e "update psa.misc SET val = 'false' where param = 'secure_passwords';"
else
echo "Actualizo el Valor a VERDADERO !!!"
$MYSQL_BIN -uadmin -p`cat /etc/psa/.psa.shadow` -e "update psa.misc SET val = 'true' where param = 'secure_passwords';"
fi
else
echo "Usted decidio dejar el valor en $VALOR_ACTUAL"
fi

 

[Frater]

I wrote a little script for Plesk to write passwords in PLAIN text (disable Enhanced Security Mode in Security Policy section anytime). With Enhanced Security Mode disabled, you can still use PowerToys or other tools/scripts to read the passwords.

I will consider to change the security in Plesk, but I would rather decode the password in my scripts.
Or is the hash with which it is encrypted not available to me?

Is its hash unique to my server or is it a Plesk hash?

Security through obscurity was and is a bad thing!
Please be open about it....

 

[Frater]

I think I'm close with this command:

echo <encrypted password> | openssl enc -aes-128-cbc -a -d -salt -pass pass:`cat /etc/psa/private/secret_key`

The problem is that it isn't able to use the content of /etc/psa/private/secret_key
Maybe it needs this program?

/usr/local/psa/admin/sbin/pkey2rsapkey

Come on! help me!

 

[Frater]

Why is no-one responding to this thread?