Feature request: store authentication verifier in hashed format #7937
Labels
Milestone
Comments
|
The setKey configuration seems to be used by the console https://dnsdist.org/guides/console.html, so you can do "dnsdist -c" and connect to the running process without having to provide the key on the command line. Storing in a hashed format would break this for local clients unless you provided an alternate configuration file. |
|
Yes, |
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
It is a common security best practice to store authentication/password verifiers on the server side in a hashed format to reduce the impact / increase the effort for attackers should they be able to gain access to the configuration data. This could happend via an unsecured backup file for example.
There are multiple places where plaintext password/key verifiers are stored:
https://dnsdist.org/reference/config.html#setKey
https://dnsdist.org/reference/config.html#webserver
and maybe other locations?
This issue is about supporting a strong hashformat to protect password verifier / to avoid storing plaintext passwords/keys in the server configuration where possible.
Default filesystem permissions of configuration files should not allow any access to "other".
The text was updated successfully, but these errors were encountered: