The setKey configuration seems to be used by the console https://dnsdist.org/guides/console.html, so you can do "dnsdist -c" and connect to the running process without having to provide the key on the command line. Storing in a hashed format would break this for local clients unless you provided an alternate configuration file.
Description
It is a common security best practice to store authentication/password verifiers on the server side in a hashed format to reduce the impact / increase the effort for attackers should they be able to gain access to the configuration data. This could happen via an unsecured backup file for example.
There are multiple places where plaintext password/key verifiers are stored:
https://dnsdist.org/reference/config.html#setKey
https://dnsdist.org/reference/config.html#webserver
and maybe other locations?
This issue is about supporting a strong hash format to protect password verifiers / to avoid storing plaintext passwords/keys in the server configuration where possible.
Default filesystem permissions of configuration files should not allow any access to "other".
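
An added Python example (not part of the issue and not dnsdist code) of the two measures requested above: a salted scrypt verifier stored in place of a plaintext password, and a check that a configuration file grants nothing to "other". The verifier string layout, the scrypt parameters and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
import stat

# Assumed scrypt work factors for this illustration (not dnsdist settings).
N, R, P, DKLEN = 2**14, 8, 1, 32


def make_verifier(password: str, salt: bytes = b"") -> str:
    """Return a storable string "$scrypt$N$r$p$salt$hash" (constructed format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"$scrypt${N}${R}${P}${b64(salt)}${b64(dk)}"


def check_password(password: str, verifier: str) -> bool:
    """Recompute the hash with the stored parameters; compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, dk_b64 = verifier.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r),
                            p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        # Malformed or plaintext entries never authenticate.
        return False
    return hmac.compare_digest(dk, expected)


def other_has_access(path: str) -> bool:
    """True if the "other" class has any read/write/execute bit on the file."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)


if __name__ == "__main__":
    stored = make_verifier("example-password")  # constructed sample password
    print(stored)  # this line, not the password, is what the config would hold
    print(check_password("example-password", stored))
    print(other_has_access(__file__))
```

This only fits a secret the server merely verifies; a key that both sides must use directly, as the comment about setKey and the console describes, cannot be replaced by a hash.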