Active Directory admin password is stored in the config database
After joining an Active Directory (AD) domain, the admin password entered in the web GUI form is stored in the config database (/data/freenas-v1.db) in plaintext.
[root@zbox0] ~# /usr/local/bin/sqlite3 /data/freenas-v1.db
SQLite version 22.214.171.124 2011-06-28 17:39:05
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select ad_domainname, ad_adminpw from services_activedirectory;
domain.com|DOMAIN_ADMIN_PASSWORD
sqlite>
This could lead to a major security incident: An attacker successfully compromising the local root account of [[FreeNAS]] will also gain admin access to the AD, using the stored password.
Additionally, in deployments where AD is centrally and [[FreeNAS]] locally administered, it means that in order to enable AD authentication on [[FreeNAS]] the AD administrator will have to yield the AD admin password to all [[FreeNAS]] administrators. This would be simply unacceptable in most cases.
This problem can be fixed by serializing and storing the host credential files (secrets.tdb et al) in the database. This way the AD administrator password won't have to be stored.
Note: The serialization (base64 encoding) and storing of files in the database has already been implemented by ssh for making /etc/ssh/ssh_host_* files persistent. It can be found in /etc/rc.d/sshd.
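Added example (not from the ticket or the FreeNAS code base) of the serialize-and-restore approach proposed above, using Python's stdlib sqlite3 module in place of the rc.d shell script: the host credential files are base64-encoded into a table, then decoded back to disk at startup, so no admin password column is needed. The table name services_ad_credfiles and the file contents are constructed for illustration.

```python
import base64
import os
import sqlite3
import tempfile

# Constructed stand-ins for the Samba host credential files named in the
# report (secrets.tdb et al); on a real system these are binary TDB files.
SAMPLE_FILES = {
    "secrets.tdb": b"\x00TDB file\x00\x01\x02machine-account-blob",
    "winbindd_idmap.tdb": b"\x00TDB file\x00\x03\x04idmap-blob",
}

def serialize_dir(src_dir):
    """Base64-encode each credential file, as /etc/rc.d/sshd does for host keys."""
    out = {}
    for name in sorted(os.listdir(src_dir)):
        with open(os.path.join(src_dir, name), "rb") as f:
            out[name] = base64.b64encode(f.read()).decode("ascii")
    return out

def store(conn, entries):
    """Persist the encoded files in a hypothetical table (name is an assumption)."""
    conn.execute("CREATE TABLE IF NOT EXISTS services_ad_credfiles "
                 "(name TEXT PRIMARY KEY, b64 TEXT NOT NULL)")
    conn.executemany("INSERT OR REPLACE INTO services_ad_credfiles VALUES (?, ?)",
                     list(entries.items()))
    conn.commit()

def restore(conn, dst_dir):
    """At startup, decode every row back to disk with owner-only permissions."""
    names = []
    for name, b64 in conn.execute("SELECT name, b64 FROM services_ad_credfiles"):
        fd = os.open(os.path.join(dst_dir, name),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(base64.b64decode(b64))
        names.append(name)
    return sorted(names)

def round_trip(files=SAMPLE_FILES):
    """Write sample files, serialize into an in-memory DB, restore elsewhere, compare."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in files.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        conn = sqlite3.connect(":memory:")
        store(conn, serialize_dir(src))
        restored_names = restore(conn, dst)
        restored = {}
        for n in restored_names:
            with open(os.path.join(dst, n), "rb") as f:
                restored[n] = f.read()
        return restored == files
```

The stored rows still hold the machine account secret, so the database remains sensitive; the gain is that compromising it no longer yields the domain admin password.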
#6 Updated by Manolis - almost 8 years ago
Jordan Hubbard wrote:
Looks like we can't get this fix for 9.2.0 - it's a complex issue. We agree that it's a problem (security concern) but the fix is "hard".
Could you elaborate?
To my best knowledge all you have to do is serialize a bunch of .tdb files and restore them on startup. Wouldn't that be enough? Are there any hidden side-effects to this?
#8 Updated by Manolis - almost 8 years ago
"Tracker changed from Bug to Feature"
Is this some kind of joke? Like: "It's not a bug - it's a feature. It allows you to recover your AD password in case you ever lose the postit note you had written it on."
This makes FreeNAS a GAPING HOLE for the security of the network it is deployed on. It's the same as writing down the AD password in a plaintext file. Could you please take the issue more seriously? This bug is here for two years and the only action taken was to downplay it to a "Feature". Don't take any action if you don't feel like it, but don't downplay the issue and add a warning in the documentation to let the users know.
On the side of this, have a very merry Christmas!
#10 Updated by John Hixson over 7 years ago
- Status changed from Screened to Resolved
- Priority changed from Expected to Nice to have
The ability to join Active Directory without saving the Administrator password in the database now exists via 46ae467cbff9409f55dd4167b87a7808d196d9ef. Keep in mind that you can still use Administrator username/password if you choose. If not, you can use a kerberos keytab and a less privileged account for performing the LDAP queries that are necessary (but the password still remains in the database). I consider this acceptable and am marking this ticket as resolved.