Passwords are not PLAIN anymore in Plesk 11?

Discussion in 'Plesk 11.x for Linux' started by HoracioS, Jun 25, 2012.

  1. Frater

    Frater Regular Pleskian

    0
     
    Messages:
    173
    Likes Received:
    3
    Trophy Points:
    0
    With /usr/local/psa/admin/bin/mail_auth_view I can get all the e-mail passwords, but that still leaves me with the FTP / user and SQL-accounts....

    BTW..... mail_auth_view also shows the aliases and implies that way one is able to login with an alias-account.
    I tested this and that's not possible.
    I therefore don't understand why it is giving these accounts.

    I altered my script to handle it and am now only getting the real accounts.....

    Code:
       
    .
    .
    .
    mysql -uadmin -p`cat /etc/psa/.psa.shadow ` psa -e 'select CONCAT(mail_name,"@",name) as email_address from mail left join domains on domains.id=mail.dom_id left join accounts on accounts.id=mail.account_id;' | grep "@${domein}" >${TMP2}
       /usr/local/psa/admin/bin/mail_auth_view | grep "@${domein}" |  awk -F\| '{print $2"\t\t"$4}' >${TMP3}
    
       while read maillogin ; do
         echo -e "\t`grep "${maillogin}" ${TMP3}`"
         /usr/local/psa/bin/mail --info  ${maillogin} | grep ^Alias | awk -F: '{print $2}' | egrep -o '[A-Za-z0-9-]+' | sed "s/.*/&@${domein}/g" >${TMP4}
         while read ALIAS ; do
           echo -e "\t\t\t\t\t\t(${ALIAS})"
         done<${TMP4}
       done<${TMP2}
    .
    .
    .
    
     
  2. OlgerdasB

    OlgerdasB New Pleskian

    6
    70%
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    67

    I think you can make domain backup and in backup XML file try to find secret_key.
     
  3. gijsbert

    gijsbert Basic Pleskian

    14
    85%
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    197
    I would like to know as well. Security is a good thing, but there should be an option to retrieve the plain passwords. Anyone figured this one out yet?
     
  4. IgorG

    IgorG Forums Analyst Plesk Team

    37
     
    Messages:
    22,378
    Likes Received:
    625
    Trophy Points:
    882
    Location:
    Novosibirsk, Russia
    What is your business case of this necessity?
     
  5. gijsbert

    gijsbert Basic Pleskian

    14
    85%
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    197
    A couple of examples:
    - deploying a smtp-server (we need mailaccounts)
    - just in case one of our customers give us a call and wants to know his ftp-password
    - our own customer panel where customers can login to their plesk environment automatically. this is only possible when using a login/pass combination.

    But I've figured out that it can be decrypted using the secret.key psa provides, so problem is actually solved.
     
  6. TaylorS81

    TaylorS81 New Pleskian

    0
     
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    0
    I'm trying to do something very similar to you. How did you decrypt the password using the secret.key file? I'm having a hard time understanding the openssl usage.

     
  7. gijsbert

    gijsbert Basic Pleskian

    14
    85%
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    197
    There is a possibility to decrypt the mail, ftp and database passwords, but not the plesk panel login password because it's a SHA-256 one way hash. So a question for parallels left: How can we automate the login from our website (customer environment) to the plesk panel? Will this be possible in the (near) future??
     
  8. TaylorS81

    TaylorS81 New Pleskian

    0
     
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    0
    The only thing I have interest in right now is the ability to decode the database password. Maybe not even decode the password, just to reuse it somehow.

     
  9. gijsbert

    gijsbert Basic Pleskian

    14
    85%
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    197
    Decrypt with Crypt::Rijndael, search the net for some examples how to use it in i.e. a bash or perl script
     
  10. TaylorS81

    TaylorS81 New Pleskian

    0
     
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    0
    So I have this in a bash script, and it is telling me that the data was decrypted, but it is giving me something other than text. Any idea what I'm missing here?

    dbpass='$AES-128-CBC$vx1X9Uho3Gc05oEfSOCx/w==$W2OtcPR28qdI0YaMYb27Ig=='
    passstr=$(echo ${dbpass} | sed 's/\$AES-128-CBC\$//g')
    decode=$(echo $passstr | base64 --decode --ignore-garbage --wrap=0 | mcrypt --bare --force --no-openpgp --algorithm rijndael-128 --keyfile /etc/psa/private/secret_key --decrypt)
    echo $decode

    Stdin was decrypted.
    t+Ãz5èkÔ±ë
    î*å


     
  11. Frater

    Frater Regular Pleskian

    0
     
    Messages:
    173
    Likes Received:
    3
    Trophy Points:
    0
    Come on Igor!
    It is plain to see that this is "security through obscurity"
    I have root access to this server and there's no need to hide these passwords for a root user.
    If these passwords are encrypted using a private key owned by Parallels, well ok...

    These passwords can be decrypted by the Plesk shell, please tell me the method to decrypt them.
    Now I can only
    A serious hacker with more knowledge of these things has no problem gaining access to these passwords if it also has access to the keys.
    He, for sure, has no problems finding the key on a system for which he has root access.
    I only want the convenience to get hold of FTP-passwords
     
  12. Frater

    Frater Regular Pleskian

    0
     
    Messages:
    173
    Likes Received:
    3
    Trophy Points:
    0
    Come on Igor!
    It is plain to see that this is "security through obscurity"
    I have root access to this server and there's no need to hide these passwords for a root user.
    If these passwords are encrypted using a private key owned by Parallels, well ok...

    These passwords can be decrypted by the Plesk shell, please tell me the method to decrypt them.

    A serious hacker with more knowledge of these things has no problem gaining access to these passwords if it also has access to the keys.
    He, for sure, has no problems finding the key on a system for which he has root access.
    I only want the convenience to get hold of FTP-passwords
     
  13. Frater

    Frater Regular Pleskian

    0
     
    Messages:
    173
    Likes Received:
    3
    Trophy Points:
    0
    Could you please be clear about it?
    A little example please...
     
  14. lvalics

    lvalics Silver Pleskian Plesk Guru

    29
    90%
    Messages:
    955
    Likes Received:
    26
    Trophy Points:
    597
    Location:
    Romania
    I have now passwords crypted and looks like: $1$n3rh______________
    Now I wondering how it was encrypted in psa database :)
     

Share This Page

Loading...