OpenVAS Change Request #31: OpenVAS-Server: Remove support for plaintext password storage
To ensure OpenVAS user passwords are not accidentally disclosed.
New OpenVAS users are currently created by the server administrator using the openvas-adduser script shipped with openvas-server. The user password is currently stored as two 128-bit checksums produced by the MD5 message digest algorithm (for details see openvas-adduser.in), so that even if a malicious individual obtains the file containing the stored passwords, deriving the password needed to access the OpenVAS server from that file is not trivial.
openvas-adduser first tries to use the "openssl md5" command to produce MD5 checksums. If this fails, it tries the "md5sum" command. If neither command is available in the current PATH or in the additional directories searched by openvas-adduser, the script nevertheless continues to run and, if password authentication is chosen, stores the user password in plaintext without informing the server administrator that it has done so.
The openvas-server process (openvasd) currently supports this authentication mechanism as a last resort in case the file containing the hashed password cannot be opened.
The behaviour described above was inherited from Nessus. This issue only manifests itself if neither "openssl" nor "md5sum" is available during user creation. Since the "openssl" executable is necessary during server certificate creation (which usually happens before user creation) and the "md5sum" executable is an integral part of most (if not all) modern distributions, plaintext password storage is unlikely under most circumstances. It can still occur, for example when user creation happens in a chrooted environment where neither openssl nor md5sum is made available to the script.
Nevertheless, plaintext password storage is usually not considered appropriate, especially for security applications. The lack of user feedback when no MD5 implementation is available is also unfortunate, since the server administrator will most likely assume that the password is stored in hashed rather than plaintext form.
This change request proposes removing the plaintext password storage mechanism as described under "Design and Implementation" by first removing the capability from openvas-adduser and then phasing out the support in openvas-server.
Once the plaintext password storage capability has been removed from openvas-adduser, it will no longer be possible to create users with password authentication if no MD5 algorithm is available. The script will fail if this is attempted.
In order to stay compatible with installations where a plaintext password storage may have occurred, openvas-server will (for a time) continue to support this authentication mechanism, but will complain (loudly) whenever it encounters a plaintext password file.
After a certain time, support for plaintext password storage will be removed from openvas-server. A script will be made available to convert existing users to hashed password storage.
Design and Implementation
openvas-adduser.in: (Line 103) The behaviour for cases where no MD5 algorithm can be found will be changed so that openvas-adduser exits under these circumstances. (Line 305) The command for writing plaintext password files will be removed.
openvasd/users.c (check_user): As a first step, openvasd will write a log message whenever it encounters a plaintext password file. Ultimately, openvasd will refuse logins by users without either a certificate or a password stored in a secure fashion.
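The following is an added example, not code from openvas-adduser.in or openvasd, showing the fail-closed behaviour this change request asks for on both sides: a digest-tool lookup that tries "openssl md5" and then "md5sum" and refuses to continue when neither is found (instead of silently writing the plaintext password), and a password check that rejects any stored credential which is not a hashed record (the end state described for check_user). The record layout used here, "<md5(password+seed)> <seed>" with both fields as hex MD5 digests, and the list of extra search directories are assumptions modelled on the description above; the real OpenVAS file layout and search list are not reproduced.

```shell
#!/bin/sh
# Added example (not openvas-adduser.in / openvasd code). Record layout and the
# extra search directories below are assumptions, see the lead-in text.

# Directories searched besides $PATH (constructed list; the real script's
# search list may differ).
MD5_EXTRA_DIRS="/usr/local/bin /usr/local/ssl/bin /usr/sbin /sbin"

# find_md5_tool: set MD5_CMD (openssl|md5sum) and MD5_BIN (its path).
# Returns 1 and leaves both empty when neither tool can be found.
find_md5_tool() {
    MD5_CMD=""; MD5_BIN=""
    for tool in openssl md5sum; do
        bin=$(command -v "$tool" 2>/dev/null || true)
        if [ -z "$bin" ]; then
            for dir in $MD5_EXTRA_DIRS; do
                [ -x "$dir/$tool" ] && { bin="$dir/$tool"; break; }
            done
        fi
        if [ -n "$bin" ]; then
            MD5_CMD=$tool; MD5_BIN=$bin
            return 0
        fi
    done
    return 1
}

# md5_hex: hex MD5 of stdin. "openssl md5" prints "(stdin)= <hex>" (older
# versions print the bare digest), so take the last field; md5sum prints
# "<hex>  -", so take the first.
md5_hex() {
    case "$MD5_CMD" in
        openssl) "$MD5_BIN" md5 | awk '{print $NF}' ;;
        md5sum)  "$MD5_BIN" | awk '{print $1}' ;;
        *) echo "md5_hex: no MD5 tool selected" >&2; return 1 ;;
    esac
}

# make_password_record PASSWORD [SEED]: print "<hash> <seed>". The old script
# silently wrote PASSWORD itself when no digest tool existed; this version
# fails with status 2 instead. SEED is optional so callers (and tests) can
# make the record reproducible; by default it is the digest of 16 random bytes.
make_password_record() {
    password=$1
    if ! find_md5_tool; then
        echo "error: neither openssl nor md5sum found; refusing to store the password in plaintext" >&2
        return 2
    fi
    if [ -n "$2" ]; then
        seed=$2
    else
        seed=$(head -c 16 /dev/urandom | md5_hex)
    fi
    hash=$(printf '%s%s' "$password" "$seed" | md5_hex)
    printf '%s %s\n' "$hash" "$seed"
}

# check_password PASSWORD RECORD: 0 if PASSWORD matches RECORD, 1 if it does
# not, 3 if RECORD is not a hash record at all (e.g. a plaintext password),
# i.e. the login is refused rather than compared against plaintext.
check_password() {
    password=$1; record=$2
    if ! printf '%s\n' "$record" | grep -Eq '^[0-9a-f]{32} [0-9a-f]{32}$'; then
        echo "error: stored credential is not a hashed record; refusing login" >&2
        return 3
    fi
    stored_hash=${record%% *}; seed=${record##* }
    find_md5_tool || return 3
    actual=$(printf '%s%s' "$password" "$seed" | md5_hex)
    [ "$actual" = "$stored_hash" ]
}
```

To reproduce the chroot scenario from the text, run make_password_record with PATH and MD5_EXTRA_DIRS pointing at empty directories: it exits with status 2 and an error on stderr rather than emitting the password. Note that the salted MD5 scheme only matches what the page describes; the point of the example is the fail-closed control flow, not the strength of the digest.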
- 2009-06-30 Michael Wiegand <firstname.lastname@example.org>:
- 2010-01-06 Felix Wolfsteller <email@example.com>:
Updated status as done.
- 2009-05-11 Michael Wiegand <firstname.lastname@example.org>:
- 2009-05-04 Michael Wiegand <email@example.com>:
Updated status with voting results.
- 2009-04-29 Michael Wiegand <firstname.lastname@example.org>: