Emerging Member
Posts: 42
Registered: ‎05-02-2018
Kudos: 24
Solutions: 1

USG - config files carry passwords plain text ...

[ Edited ]

Hey,

 

I just realized that all passwords for the RADIUS server and users, as well as pre-shared keys for the L2TP VPN, are stored PLAIN TEXT in /config/config.boot. Is it still best practice to do so in 2018?

 

Cheers.

Established Member
Posts: 1,945
Registered: ‎01-30-2016
Kudos: 999
Solutions: 244

Re: USG - config files carry passwords plain text ...

uhh... just checked you're right!!!

Please give kudo's to the people who have helped you and mark your thread as solved when you receive a solution to your issue.
For a deeper understanding on how WiFi works.
Certified UEWA, ACSP, ACTC
Emerging Member
Posts: 42
Registered: ‎05-02-2018
Kudos: 24
Solutions: 1

Re: USG - config files carry passwords plain text ...

I perceive this to be a severe security issue and I opened a support ticket.

Regular Member
Posts: 717
Registered: ‎06-01-2016
Kudos: 104
Solutions: 24

Re: USG - config files carry passwords plain text ...

I think this is due to the fact that you can have different authentication methods; you can't hash a password and be able to authenticate with (say) both PAP and MS-CHAP. If you hash for one, and the authentication method changes, all new passwords are required.
Emerging Member
Posts: 42
Registered: ‎05-02-2018
Kudos: 24
Solutions: 1

Re: USG - config files carry passwords plain text ...

It's getting worse and worse, the more I look into it.

 

What happened since my first post?

 

First, let me state that support is in dialogue with me, since I opened my ticket. And I appreciate the fast response and their tracking a lot! Kudos!

 

However, whilst installing my first USG into my existing network I stumbled over some GUI limitations and went CLI. I do like the documentation, in particular about config.gateway.json. One thing that shocked me tonight, though, is that the USG shows plain-text passwords all around!

 

Just check it ... log in to your USG, type configure followed by mca-ctrl -t dump-cfg et voilà (or should I say "BANG") ... VPN shared secret, user passwords, RADIUS server passwords ALL plain text, although not everywhere in the system.

 

My simple assumption is ... there should be no plain-text password stored on any of my devices. This is in particular key for front-runner devices like router / firewalls. Am I paranoid? I am about to drop my USG back to my reseller. My device is up and running now and I'd love to keep it. But ...

 

Any thoughts on this? Am I paranoid? I am not a security expert, but I recall my bank saying "You should never ever note down your credit card PIN anywhere!".

 

Cheers

-----

USG8-60W, 2xUS24, AP-Pro, USG-Pro - Controller 5.8.21, FW USW/AP 3.9.37.9029, USG 4.4.22.5086057

Member
Posts: 233
Registered: ‎06-19-2015
Kudos: 42
Solutions: 6

Re: USG - config files carry passwords plain text ...

[ Edited ]

I think it is meant to output for diag in plain text. By that I mean "mca-ctrl -t dump-cfg" is meant to dump to plain text. Just like service password-encryption on Cisco devices. I think if you do a show run from the CLI it shows the passwords not in plain text?

Emerging Member
Posts: 42
Registered: ‎05-02-2018
Kudos: 24
Solutions: 1

Re: USG - config files carry passwords plain text ...

Well ... it does. My first finding was the file /config/config.boot. A simple cat /config/config.boot shows everything in plain text too.

Veteran Member
Posts: 5,127
Registered: ‎06-13-2015
Kudos: 1370
Solutions: 238

Re: USG - config files carry passwords plain text ...

To all: this isn't at all uncommon for application config files on Linux systems. It becomes all the more important to create strong passwords for accounts and to make sure file permissions are set as strictly as possible.

 

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
The thread on our UniFi Device Search tool can be found here, also check out our Captive Portal solutions for UniFi.
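An added example, not code from the thread or from Ubiquiti, that puts the two points above (clear-text secrets in /config/config.boot and strict file permissions) into a small audit script. The config below is constructed in Vyatta-style syntax; the key names and values are assumptions for illustration, not copied from a real USG.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Vyatta-style config.boot for
# secrets stored in the clear and check the file mode. The config below is
# constructed; key names follow Vyatta syntax but are not from a real USG.
SAMPLE_CFG="${TMPDIR:-/tmp}/sample-config.boot.$$"
cat > "$SAMPLE_CFG" <<'EOF'
vpn {
    l2tp {
        remote-access {
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ExampleSharedSecret123
                }
            }
        }
    }
}
system {
    login {
        user admin {
            authentication {
                encrypted-password $6$constructedsalt$constructedhash
                plaintext-password ""
            }
        }
    }
    radius-server 192.0.2.10 {
        secret ExampleRadiusSecret
    }
}
EOF
chmod 600 "$SAMPLE_CFG"

# Report each clear-text secret with its value redacted; skip hashed values
# ($6$...) and the empty plaintext-password placeholder.
list_plaintext_secrets() {
    awk '$1 ~ /^(pre-shared-secret|secret|password|plaintext-password)$/ {
        val = $2
        if (val == "" || val == "\"\"" || val ~ /^\$[0-9]\$/) next
        printf "%d: %s <redacted, %d chars>\n", NR, $1, length(val)
    }' "$1"
}
count_plaintext_secrets() { list_plaintext_secrets "$1" | wc -l | tr -d ' '; }

# Anything beyond owner read/write on a file holding secrets is too loose.
config_mode_is_strict() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}
list_plaintext_secrets "$SAMPLE_CFG"
```

Run against a real config.boot the script only names the keys and the length of each value, so its output can be pasted into a ticket without leaking the secrets themselves.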
Emerging Member
Posts: 42
Registered: ‎05-02-2018
Kudos: 24
Solutions: 1

Re: USG - config files carry passwords plain text ...

I haven't had any permission challenges ... normal login just works to show everything.

 

Maybe I should think about it differently? I can see this sensitive data only if I am logged in to my system, via SSH. But user/password are the same for ALL UniFi-controller-controlled devices, which, by definition, is not best practice either. That's why I was considering looking at options to change this as well.

 

I should be able to disallow ssh-login with user/password and only allow it with ssh-keys, shouldn't I? Wouldn't this protect the data to the best possible level?

 

Anyway, there are ways to avoid passwords being stored in plain text. It is not always easy, I know, but it seriously should be considered by Ubiquiti to change this as soon as possible. Just in case :)

Established Member
Posts: 1,721
Registered: ‎11-12-2015
Kudos: 472
Solutions: 49

Re: USG - config files carry passwords plain text ...

In general passwords shouldn't be stored in the clear *anywhere*. Nor should they be stored using reversible encryption.

 

Regular Member
Posts: 717
Registered: ‎06-01-2016
Kudos: 104
Solutions: 24

Re: USG - config files carry passwords plain text ...

SSH passwords are encrypted on EdgeMAX; I would be surprised if that is not the case on UniFi. L2TP as I understand it cannot be encrypted because of the different authentication protocols. If you want to improve the security, you need to go to an external RADIUS server.
Established Member
Posts: 1,480
Registered: ‎04-22-2016
Kudos: 338
Solutions: 119

Re: USG - config files carry passwords plain text ...

[ Edited ]

@youme3

 

Hi, I see your point, but if somebody can get access to your USG, you've got a bigger problem to solve.

Please reward people who have helped you with kudo's and mark your thread as solved when you receive a solution to your issue.
SuperUser
Posts: 14,705
Registered: ‎12-08-2008
Kudos: 11513
Solutions: 704
Contributions: 1

Re: USG - config files carry passwords plain text ...

This becomes a quasi-religious argument, akin to vi vs emacs. There are advantages to having passwords hashed, but that doesn't mean that with access to the hashes you can't use them to make hacking easier. Plain text has advantages during development and in some operations, but it's not a black and white "OMG it's evil and must be destroyed" kind of thing either. I would guess this is being looked at carefully, and it's in the pipeline to be done, but several posters have been 100% right too: if I can get access to your device to even look at those files, you're already sunk.

 

Security needs to be in layers with redundancy and fallbacks, and include physical security as well. Every case will be different, just like every installation is different. That said, more security is usually better than less, but it's also not always needed.

 

We have a lot of USG installations, including some really big ones, and we don't see this as an issue because we have other precautions we take to limit access. If lots of people can get root access to your device, you've already done things very very badly...

Jim

"How can anyone trust Scientists? If new evidence comes along, they change their minds!" Politician's joke (sort of...)
"Humans are allergic to change. They love to say, 'We've always done it this way.' I try to fight that." Admiral Grace Hopper, USN, Computer Scientist
"Sorry but I just don't have a fix for willful ignorance, unless you count time and Darwin...."
"Just because you can do something doesn't mean you should." My mantra in the Programming classes I used to teach once upon a time...
Emerging Member
Posts: 42
Registered: ‎05-02-2018
Kudos: 24
Solutions: 1

Re: USG - config files carry passwords plain text ...

I know, cempa, I know ... keep fingers crossed it never occurs :D
Emerging Member
Posts: 42
Registered: ‎05-02-2018
Kudos: 24
Solutions: 1

Re: USG - config files carry passwords plain text ...

[ Edited ]

Hey eejimm,

 

I get your point. For me, though, plain text passwords are evil. Maybe because I am not only triggered / socialized by my bank but also by my employer, who expects us to respect the corresponding compliance policies :D

 

I understand that there are additional options to mitigate risks. And I will have a look at how to harden my environment. Well ... talking about risks: I am a home user only. And while I cannot scale money, expertise, etc. like companies (should) do, I might not be of particular interest for threats anyway ... but who knows?

 

 Cheers

New Member
Posts: 1
Registered: ‎08-15-2016

Re: USG - config files carry passwords plain text ...

Scary. I found this today.

Established Member
Posts: 872
Registered: ‎10-13-2016
Kudos: 372
Solutions: 45

Re: USG - config files carry passwords plain text ...

If someone has access to your router at that level to view the config, you have more problems.

 

You can get plain text PSKs and stuff like that from a Cisco router's CLI too.

 

1 Controller VM / 130+ sites / 100+ routers / 250+ switches / 350+ aps
UniFi / EdgeMAX / AirMAX / AirFiber
Member
Posts: 167
Registered: ‎09-23-2016
Kudos: 67
Solutions: 2

Re: USG - config files carry passwords plain text ...

I like my passwords in clear text, as long as the password to access said information is strong enough. If someone is really motivated to get passwords they will find a way; it's just a matter of skill and time.

Emerging Member
Posts: 53
Registered: ‎11-22-2017
Kudos: 11

Re: USG - config files carry passwords plain text ...

Well, as a security professional this is concerning, but as previously mentioned, a separate VPN/RADIUS server would be required to fix this. This is not necessarily a UBNT issue, as it would be the case with most any networking vendor.

 

On that note, does anyone have a recommendation on an easy-to-set-up RADIUS box? OpenRADIUS is a pain in the a** but not sure if things have improved with it or not.
