
Passwords are not PLAIN anymore in Plesk 11?

With /usr/local/psa/admin/bin/mail_auth_view I can get all the e-mail passwords, but that still leaves me with the FTP / user and SQL-accounts....

BTW..... mail_auth_view also shows the aliases and that way implies one is able to log in with an alias account.
I tested this and that's not possible.
I therefore don't understand why it is giving these accounts.

I altered my script to handle it and am now only getting the real accounts.....

Code:
.
.
.
mysql -uadmin -p`cat /etc/psa/.psa.shadow ` psa -e 'select CONCAT(mail_name,"@",name) as email_address from mail left join domains on domains.id=mail.dom_id left join accounts on accounts.id=mail.account_id;' | grep "@${domein}" >${TMP2}
   /usr/local/psa/admin/bin/mail_auth_view | grep "@${domein}" |  awk -F\| '{print $2"\t\t"$4}' >${TMP3}

   while read maillogin ; do
     echo -e "\t`grep "${maillogin}" ${TMP3}`"
     /usr/local/psa/bin/mail --info  ${maillogin} | grep ^Alias | awk -F: '{print $2}' | egrep -o '[A-Za-z0-9-]+' | sed "s/.*/&@${domein}/g" >${TMP4}
     while read ALIAS ; do
       echo -e "\t\t\t\t\t\t(${ALIAS})"
     done<${TMP4}
   done<${TMP2}
.
.
.
 
I think I'm close with this command:

echo <encrypted password> | openssl enc -aes-128-cbc -a -d -salt -pass pass:`cat /etc/psa/private/secret_key`

The problem is that it isn't able to use the content of /etc/psa/private/secret_key
Maybe it needs this program?

/usr/local/psa/admin/sbin/pkey2rsapkey

Come on! help me!


I think you can make a domain backup and try to find secret_key in the backup XML file.
 
I would like to know as well. Security is a good thing, but there should be an option to retrieve the plain passwords. Anyone figured this one out yet?
 
What is your business case of this necessity?

A couple of examples:
- deploying an SMTP server (we need mail accounts)
- just in case one of our customers gives us a call and wants to know his FTP password
- our own customer panel where customers can log in to their Plesk environment automatically. This is only possible when using a login/pass combination.

But I've figured out that it can be decrypted using the secret.key psa provides, so problem is actually solved.
 
I'm trying to do something very similar to you. How did you decrypt the password using the secret.key file? I'm having a hard time understanding the openssl usage.

 

There is a possibility to decrypt the mail, FTP and database passwords, but not the Plesk panel login password because it's a SHA-256 one-way hash. So a question for Parallels is left: How can we automate the login from our website (customer environment) to the Plesk panel? Will this be possible in the (near) future??
 
The only thing I have interest in right now is the ability to decode the database password. Maybe not even decode the password, just to reuse it somehow.


Decrypt with Crypt::Rijndael, search the net for some examples of how to use it in e.g. a bash or Perl script
 
So I have this in a bash script, and it is telling me that the data was decrypted, but it is giving me something other than text. Any idea what I'm missing here?

dbpass='$AES-128-CBC$vx1X9Uho3Gc05oEfSOCx/w==$W2OtcPR28qdI0YaMYb27Ig=='
passstr=$(echo ${dbpass} | sed 's/\$AES-128-CBC\$//g')
decode=$(echo $passstr | base64 --decode --ignore-garbage --wrap=0 | mcrypt --bare --force --no-openpgp --algorithm rijndael-128 --keyfile /etc/psa/private/secret_key --decrypt)
echo $decode

Stdin was decrypted.
t+Ãz5èkÔ±ë
î*å


 
What is your business case of this necessity?

Come on Igor!
It is plain to see that this is "security through obscurity"
I have root access to this server and there's no need to hide these passwords for a root user.
If these passwords are encrypted using a private key owned by Parallels, well ok...

These passwords can be decrypted by the Plesk shell, please tell me the method to decrypt them.
Now I can only
A serious hacker with more knowledge of these things has no problem gaining access to these passwords if he also has access to the keys.
He, for sure, has no problems finding the key on a system for which he has root access.
I only want the convenience to get hold of FTP-passwords
 
 
I now have passwords encrypted and they look like: $1$n3rh______________
Now I'm wondering how it was encrypted in the psa database :)
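
The thread shows two different storage forms, the `$AES-128-CBC$...` value in the mcrypt attempt and the `$1$...` value in the last post. The following is an added example, not part of any post and not Plesk code, that tells them apart from the prefix and field sizes alone, which is enough to inventory which stored credentials are reversible. Reading the two base64 fields as IV and ciphertext is an assumption, the function names are hypothetical, and every sample except the one posted in the thread is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Plesk code): report how a stored credential is protected,
# using only its prefix and field sizes. Nothing is decrypted and no key is read.

# Decoded byte length of a base64 field, or -1 when the field is not valid base64.
b64_len() {
  if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then echo -1; return; fi
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

classify_stored_password() {
  local value=$1 rest f1 f2 n1 n2
  case $value in
    '$AES-128-CBC$'*)
      rest=${value#'$AES-128-CBC$'}
      f1=${rest%%'$'*}   # first base64 field (assumed to be the IV)
      f2=${rest#*'$'}    # second base64 field (assumed to be the ciphertext)
      # Exactly two '$'-separated fields are expected after the prefix.
      if [ "$f1" = "$rest" ] || [ "${f2#*'$'}" != "$f2" ]; then
        echo "malformed-aes"; return
      fi
      n1=$(b64_len "$f1"); n2=$(b64_len "$f2")
      # AES block size is 16 bytes: one block of IV, whole blocks of ciphertext.
      if [ "$n1" -eq 16 ] && [ "$n2" -gt 0 ] && [ $((n2 % 16)) -eq 0 ]; then
        echo "reversible aes-128-cbc iv=${n1}B ciphertext=${n2}B"
      else
        echo "malformed-aes"
      fi ;;
    '$1$'*) echo "one-way md5-crypt" ;;      # standard crypt(3) identifiers
    '$5$'*) echo "one-way sha256-crypt" ;;
    '$6$'*) echo "one-way sha512-crypt" ;;
    '')     echo "empty" ;;
    *)      echo "unknown-or-plaintext" ;;
  esac
}

# Samples: the first is the value posted in the thread; the rest are constructed.
for sample in \
  '$AES-128-CBC$vx1X9Uho3Gc05oEfSOCx/w==$W2OtcPR28qdI0YaMYb27Ig==' \
  '$1$constructed$0000000000000000000000' \
  '$AES-128-CBC$vx1X9Uho3Gc05oEfSOCx/w==' \
  'hunter2-constructed'; do
  printf '%-46s <- %.24s...\n' "$(classify_stored_password "$sample")" "$sample"
done
```

A `$1$` value is an MD5-crypt hash, so no key turns it back into the password; only the `$AES-128-CBC$` form is reversible, which makes the key file and any dump of the psa database equally sensitive.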
 