(Security) How to change default passwords #333

Open
amavarick opened this Issue Oct 15, 2017 · 8 comments

amavarick commented Oct 15, 2017

Looking through the docs, I don't see clear guidance on altering default passwords. If you have anything else to add, please feel free. I plan to include icecast and ldap as I look into them and maybe others as I find them. I will update this first post with changes so this should be consolidated regardless of future post comments till this can be vetted and added to the docs. Ideal would be a hardening script where these can be updated by command option to something unique.

[Icecast Admin] Needs Work - Solution Provided
Default is admin:hackme. It's very important to change, as someone can kill your source, move your listeners, update your metadata and list your clients. Appears to be through the web gui BUT when changed doesn't appear to apply on backend as default admin:hackme works regardless of what is defined in web gui. To alter your admin username and/or password:
Edit the following file:
/etc/icecast2/icecast.xml
Replace the admin and hackme field below with your own username and password.

    <authentication>
        ...
        <!-- Admin logs in with the username given below -->
        <admin-user>admin</admin-user>
        <admin-password>hackme</admin-password>
        ...
    </authentication>

Restart your icecast2 service
service icecast2 restart
Note: There may be a bug with the GUI as it does not show the new username and password that you set up in the icecast.xml file, but this should otherwise work.

[Icecast Mount Password] Needs Work
Default is hackme. I know this would be the password that liquidsoap passes to icecast to be able to play for the primary mount, but I don't know if this is only on localhost or available on the public IP. Help appreciated to complete this one.

Edit the following file:
/etc/icecast2/icecast.xml
Replace the hackme field below with your own password.

<icecast>
    ...
    <authentication>
        <source-password>hackme</source-password>
        ...
    </authentication>
    ...
</icecast>

Note: There may be a bug with the GUI as it does not show the updated mountpoint password that you set up in the icecast.xml file. Liquidsoap would also have to be updated to be able to mount the stream.

[LDAP] Needs Work
Default is hackme. Haven't researched if the interface for this is public facing or just localhost.
FreeIPA/LDAP integration doesn't work out of the box as it needs manual configuration specific to your IPA domain. As such it's deactivated per default and won't do anything.

All in all it is a rather enterprisey feature. It has docs that detail the setup. I'm assuming those might need more thorough testing since they are mostly grabbed from my production environment.

[LibreTime] Completed
The default account/password is admin admin. Use this to login to the website for the first time. yourlibretimeserverfqdn/login Once logged on, select the "admin" link at the upper right, change the passwords and then select save.

[postgresql] Completed
sudo -u postgres psql -d postgres -tAc "ALTER USER airtime WITH ENCRYPTED PASSWORD 'newpassword';"
Then update the following files with the new password:
database section:
/etc/airtime/airtime.conf
database driver section:
/usr/share/airtime/php/airtime_mvc/build/build.properties
dsn section:
/usr/share/airtime/php/airtime_mvc/build/runtime-conf.xml

[rabbitmq] Completed
sudo rabbitmqctl change_password airtime newpassword
Then update the following file with the new password:
/etc/airtime/airtime.conf
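The Icecast steps in the post above, as an added example that is not part of the original post or of LibreTime's code: it audits an icecast.xml for password elements still set to `hackme` and gives each its own random value. The function names and the sample XML are constructed for illustration, and the check is generalized to any element whose tag ends in `password`, which also covers per-mount passwords.

```python
import secrets
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "hackme"  # Icecast default named in the post above

# Constructed sample built from the snippets in the post; not a real server's config.
SAMPLE_ICECAST_XML = """<icecast>
    <authentication>
        <source-password>hackme</source-password>
        <!-- Admin logs in with the username given below -->
        <admin-user>admin</admin-user>
        <admin-password>hackme</admin-password>
    </authentication>
</icecast>"""

def _parse(xml_text):
    # insert_comments=True (Python 3.8+) keeps the file's comments on rewrite.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)

def _default_password_elements(root):
    # Comment nodes have a non-string tag, so filter on str first.
    return [el for el in root.iter()
            if isinstance(el.tag, str) and el.tag.endswith("password")
            and (el.text or "").strip() == DEFAULT_PASSWORD]

def find_default_passwords(xml_text):
    """Audit: tags of every *password element still set to the default."""
    return [el.tag for el in _default_password_elements(_parse(xml_text))]

def rotate_default_passwords(xml_text, nbytes=24):
    """Return (new_xml_text, [(tag, new_password), ...]) with defaults replaced."""
    root = _parse(xml_text)
    changed = []
    for el in _default_password_elements(root):
        # token_urlsafe uses a URL-safe alphabet, so no XML escaping is needed.
        el.text = secrets.token_urlsafe(nbytes)
        changed.append((el.tag, el.text))
    return ET.tostring(root, encoding="unicode"), changed

if __name__ == "__main__":
    print("defaults found:", find_default_passwords(SAMPLE_ICECAST_XML))
    hardened, changed = rotate_default_passwords(SAMPLE_ICECAST_XML)
    print("rotated:", [tag for tag, _ in changed])
    print("defaults left:", find_default_passwords(hardened))
```

After writing the result back to /etc/icecast2/icecast.xml, restart icecast2 and give the new source password to Liquidsoap, as the post notes.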

Robbt commented Oct 15, 2017

Nice work. I had created an issue #86 around the idea of modifying the icecast password during the installer but based upon recent bug reports it appears there are issues even with saving modifications to the other passwords.

If my memory serves me correctly, the way you change the password for icecast is simply through modifying /etc/icecast2/icecast.xml

Now this won't change the default passwords saved in LibreTime and will instead require custom connections. (I think) I also think the Custom Streaming Preferences modification will update Liquidsoap.

Feel free to validate this.

@hairmare hairmare added the setup label Oct 15, 2017

hairmare commented Oct 15, 2017

Thanks for this awesome list! We should make sure all of these points make it into the docs (which are built from the docs/ subdir).

[Icecast]

Changing the settings under "Settings" > "Streams" actually works. The icecast docs have some info and there are examples for everything most people need in the /etc/icecast2/icecast.xml file. The config file docs from icecast are helpful as well.

On a simple LibreTime only deploy you can usually get away with the following changes:

<icecast>
    ...
    <authentication>
        <source-password>hackme</source-password>
        ...
        <admin-password>hackme</admin-password>
    </authentication>
    ...
</icecast>

You can also add the source passwords on a per-stream basis if you use the icecast server for other purposes as well.

[LDAP] Needs Work

FreeIPA/LDAP integration doesn't work out of the box as it needs manual configuration specific to your IPA domain. As such it's deactivated per default and won't do anything.

All in all it is a rather enterprisey feature. It has docs that detail the setup. I'm assuming those might need more thorough testing since they are mostly grabbed from my production environment.

amavarick commented Oct 20, 2017

[icecast]
I tried to alter the icecast passwords in GUI and the fields are all greyed out. I tried various options of switching to disabled, enabled, custom and default and still couldn't alter the field? I'm running on Debian 9 if that matters.

I updated
/etc/icecast2/icecast.xml
With the new admin username and password and then restarted liquidsoap2 service and the password change worked when logging into the icecast admin page. I went back into the GUI after closing out of it and logging back on and the changes to the icecast.xml do not reflect in the GUI.

Summary: The GUI is greyed out, not allowing changes to the icecast username or password, and the GUI does not update when the username or password is updated manually through /etc/icecast2/icecast.xml

[Screenshot: optionsgreyedout]

Robbt commented Oct 21, 2017

You need to choose Custom/3rd Party Streaming to change the settings.

amavarick commented Oct 21, 2017

Robbt, sorry thought I mentioned in previous post that I tried those... seeing is believing though... greyed out options.
[Screenshots: optionsgreyedout1, optionsgreyedout2]

Robbt commented Oct 21, 2017

Hmm, I remember having this same issue and posting a bug about it but then I tried it again and I couldn't replicate it. Are you running from the GitHub master? I'll see if I can get it working or duplicate this. I thought we fixed this with bug #84 but evidently it is still happening.

Robbt commented Oct 23, 2017

This is the issue I opened regarding not being able to edit the settings while default is selected, #236, but I am able to edit the functions. Perhaps there is a jQuery issue. Have you tried saving the form with custom / 3rd party selected? It might be that it doesn't recognize the change until after the form has been saved and then reloaded with the custom value being selected. If this ends up working or not, let me know and/or feel free to add a response onto #236 and we can track fixing it from there.

amavarick commented Oct 25, 2017

Robbt, I have tried numerous times to duplicate the issue and have not been able to on a fresh Debian install. I'm going to go back through my hardening steps and test to see if they cause issues with modifying gui stream options. I've scripted/documented every command so I know my steps are repeatable. Just have to go back through them to see at what point this breaks if it does now.

@Robbt Robbt added this to the 3.0.0 milestone Jan 18, 2019
