
Passwords are not PLAIN anymore in Plesk 11?

Discussion in 'Plesk 11.x for Linux' started by HoracioS, Jun 25, 2012.

  1. HoracioS

    HoracioS Regular Pleskian

    28
    90%
    Joined:
    Oct 30, 2009
    Messages:
    159
    Likes Received:
    5
    Location:
    Buenos Aires, Miami, Boston & Tel-Aviv
    Since the Plesk v11.09 MU#1 all the passwords are stored in $AES-128-CBC$ cypher format.

    Can I change or go back to PLAIN again?

    Thanks,
    Horacio
     
  2. paulieG

    paulieG Regular Pleskian

    25
     
    Joined:
    Mar 5, 2009
    Messages:
    164
    Likes Received:
    0
    Location:
    Lancaster
    Hi,

    No, I'm afraid not (according to the documentation). As far as I recall, the upgrade process won't auto-convert the passwords; you have to activate it. New installs, though, will always have encrypted passwords.

    Paul.
     
  3. abdi

    abdi Platinum Pleskian

    31
    18%
    Joined:
    May 14, 2006
    Messages:
    2,913
    Likes Received:
    60
    And it's a good thing that these passwords are now encrypted.
     
  4. HoracioS

    HoracioS Regular Pleskian

    I think it could be an option in the panel to be encrypted or not.
    Depending on your customer service, it would be a pain to permanently change your users' passwords, and you or your customers cannot use tools like PowerToys ...

    regards,
    Horacio
     
  5. abdi

    abdi Platinum Pleskian

    By default the passwords are not encrypted. You have to enter a security key and/or enable it in the security settings for the server-wide password encryption to take place.
     
  6. HoracioS

    HoracioS Regular Pleskian

    Yes, you are right!!!

    Home-->Tools & Settings-->Security Policy

    But take care about this....

    The enhanced security mode is turned on.

    This means the following:
    All sensitive data in Panel are reliably protected from unauthorized access.
    If you employ third-party software which uses the Panel remote API, note that it may be affected by the mode. Specifically, in the enhanced security mode, Panel prohibits obtaining sensitive data (such as user passwords) through the API.

    Note that the enhanced security mode cannot be turned off.
     
  7. HoracioS

    HoracioS Regular Pleskian

    In new installations, the enhanced security mode is turned on by default.

    Anybody know how to install a new server with this mode turned off? Not upgrading from 10.x please...

    Regards,
    Horacio
     
  8. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,572
    Likes Received:
    1,243
    Location:
    Novosibirsk, Russia
    Look at misc table secure_passwords param.
     
  9. HoracioS

    HoracioS Regular Pleskian

    Thank you, IgorG!!!
    This parameter in MySQL was the solution I needed!!!!

    Best regards,
    Horacio
     
  10. abdi

    abdi Platinum Pleskian

    Thanks for that information, Igor.
     
  11. Corné

    Corné New Pleskian

    11
     
    Joined:
    Apr 12, 2012
    Messages:
    19
    Likes Received:
    0
    upgrade

    So, if I do an upgrade from Plesk 10 to 11 the encryption is turned off by default?
     
  12. IgorG

    IgorG Forums Analyst Staff Member

    Yes, it is disabled in case of upgrade and enabled in case of fresh installation.
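
An added example, not part of the thread and not Plesk's own tooling: since the replies above say an upgraded server keeps the mode off until it is enabled, an audit of an exported password column shows which values are still stored in plain text. The `id<TAB>value` input layout, the function names, the sample rows and the crypt-style `hashed` class are assumptions made for illustration; only the `$AES-128-CBC$` prefix comes from the thread.

```shell
#!/bin/sh
# Classify stored password values by storage format.
# Input: tab-separated "id<TAB>value" lines on stdin (assumed export layout).
# Output: "id<TAB>class" per row; the password value itself is never printed.
classify_passwords() {
    awk -F '\t' '
        {
            id = $1; val = $2
            if (val == "")                              cls = "empty"
            else if (index(val, "$AES-128-CBC$") == 1)  cls = "encrypted"
            else if (val ~ /^\$[0-9a-z]+\$/)            cls = "hashed"   # crypt(3)-style, assumed
            else                                        cls = "plaintext"
            printf "%s\t%s\n", id, cls
        }'
}

# Print a count per class; return status 1 if any plaintext value remains.
audit_passwords() {
    classify_passwords | awk -F '\t' '
        { n[$2]++ }
        END {
            printf "encrypted=%d hashed=%d empty=%d plaintext=%d\n",
                   n["encrypted"], n["hashed"], n["empty"], n["plaintext"]
            exit (n["plaintext"] > 0)
        }'
}

# Constructed sample rows (not real data; payloads are placeholders).
sample_rows() {
    printf '1\t$AES-128-CBC$CONSTRUCTED-PLACEHOLDER-A\n'
    printf '2\thunter2\n'
    printf '3\t$1$abcdefgh$0123456789abcdefghijkl\n'
    printf '4\t\n'
    printf '5\t$AES-128-CBC$CONSTRUCTED-PLACEHOLDER-B\n'
}

# Stand-alone run on the constructed rows.
sample_rows | audit_passwords || echo "plaintext passwords remain"
```

The non-zero return status makes the check usable as a gate in a post-upgrade verification script.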
     
  13. LarsenD

    LarsenD Regular Pleskian

    22
    23%
    Joined:
    Apr 12, 2011
    Messages:
    131
    Likes Received:
    1
    And I can enable the encryption by activating the enhanced security mode? I'm still at Plesk 10 but want to know this for later.
     
  14. IgorG

    IgorG Forums Analyst Staff Member

    Yes, you can. Just go to Home>Tools & Settings>Security Policy
     
  15. COnradoC

    COnradoC New Pleskian

    12
    60%
    Joined:
    Jan 24, 2012
    Messages:
    4
    Likes Received:
    0
    If you use an external MySQL database you must also change the password for the admin account, because Plesk gets an Access Denied from MySQL. It seems that Plesk uses the encrypted password to connect to MySQL if enhanced security mode is turned on.

    You can do this by logging in to the external MySQL instance as root and changing the password for the admin account with
     
  16. Frater

    Frater Regular Pleskian

    18
     
    Joined:
    Oct 17, 2011
    Messages:
    173
    Likes Received:
    3
    I have written several scripts to get info like an FTP-password and parts don't work anymore.
    With what hash can I decrypt these passwords and what would be the best command in bash to do this?
     
  17. HoracioS

    HoracioS Regular Pleskian

    I wrote a little script for Plesk to write passwords in PLAIN text (disable Enhanced Security Mode in Security Policy section anytime). With Enhanced Security Mode disabled, you can still use PowerToys or other tools/scripts to read the passwords.

    Best regards,
    Horacio D. Stolovitzky

    #!/bin/bash
    # Toggle the secure_passwords parameter in psa.misc between 'true' and 'false'.

    MYSQL_BIN=$(which mysql)

    # Hand the Plesk admin database password to mysql through the environment,
    # so it does not appear in the process list as a -p argument.
    export MYSQL_PWD="$(cat /etc/psa/.psa.shadow)"

    # Read the current value directly (-N: no column header, -B: batch output)
    # instead of writing it to a predictable file in /tmp.
    VALOR_ACTUAL=$("$MYSQL_BIN" -uadmin -N -B -e "select val from psa.misc where param = 'secure_passwords';")

    # "The current value of the secure_passwords variable is: ..."
    echo "El valor de actual de la la variable secure_passwords es: $VALOR_ACTUAL ";
    # "Do you want to change it or leave it at this value? (S = yes / N = no)"
    echo "Desea Cambiarlo a o dejarlo en este valor ? ( S/N )"
    echo " "
    echo " "
    echo " "
    read SN

    if [ "$SN" = "S" ] || [ "$SN" = "s" ]; then
        if [ "$VALOR_ACTUAL" = "true" ]; then
            # "Updating the value to FALSE"
            echo "Actualizo el valor a FALSO !!!"
            "$MYSQL_BIN" -uadmin -e "update psa.misc SET val = 'false' where param = 'secure_passwords';"
        else
            # "Updating the value to TRUE"
            echo "Actualizo el Valor a VERDADERO !!!"
            "$MYSQL_BIN" -uadmin -e "update psa.misc SET val = 'true' where param = 'secure_passwords';"
        fi
    else
        # "You decided to leave the value at ..."
        echo "Usted decidio dejar el valor en $VALOR_ACTUAL"
    fi
     
  18. Frater

    Frater Regular Pleskian

    I will consider changing the security in Plesk, but I would rather decode the password in my scripts.
    Or is the hash with which it is encrypted not available to me?

    Is its hash unique to my server or is it a Plesk hash?

    Security through obscurity was and is a bad thing!
    Please be open about it....
     
  19. Frater

    Frater Regular Pleskian

    I think I'm close with this command:

    echo <encrypted password> | openssl enc -aes-128-cbc -a -d -salt -pass pass:`cat /etc/psa/private/secret_key`

    The problem is that it isn't able to use the content of /etc/psa/private/secret_key
    Maybe it needs this program?

    /usr/local/psa/admin/sbin/pkey2rsapkey

    Come on! Help me!
     
  20. Frater

    Frater Regular Pleskian

    Why is no-one responding to this thread?
     