This repository has been archived by the owner on Mar 20, 2019. It is now read-only.

Database passwords exposed in web interface #7

Open
steamraven opened this issue Mar 4, 2014 · 2 comments

Comments

@steamraven

When displaying the database login credentials for the modules, the current password is retrieved and inserted into the page. Normal credential configuration should provide a way to SET the password but not retrieve it through the web interface.

Pages affected:
Yubiadmin -> General (/admin/general)
KSM -> Database (/ksm/database)
Validation -> database (/val/database)

In addition, the yubiauth password is stored in the database configuration string, which is visible on the database screen and in the configuration file under Advanced. The password should be broken out and protected.
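The two fixes asked for above, as an added example that is not yubiadmin's own code: a write-only password field (the page shows a mask and an empty input, and an empty submission keeps the stored value), and the password split out of the connection string before anything is rendered. It assumes a SQLAlchemy-style URL of the form scheme://user:password@host/dbname and a hypothetical form field named db_password; the sample URL is constructed.

```python
"""Write-only handling of a database password in an admin web form.

Added example, not code from the yubiadmin project. Assumes a
SQLAlchemy-style URL scheme://user:password@host/dbname (the real
config format may differ) and a hypothetical form field 'db_password'.
"""
from urllib.parse import quote, unquote, urlsplit, urlunsplit

UNCHANGED = ""      # an empty form field means "keep the current password"
MASK = "********"   # what the page shows instead of the stored secret

# Constructed sample, not a real deployment's connection string.
SAMPLE_URL = "postgresql://yubiauth:s3cr%40t@localhost:5432/yubiauth"


def _host_part(parts):
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    return host


def split_credentials(url):
    """Return (url_without_password, password) for scheme://user:pw@host/db.

    The password is percent-decoded. The returned URL keeps user@host so the
    rest of the connection string can still be shown and edited.
    """
    parts = urlsplit(url)
    password = unquote(parts.password) if parts.password is not None else None
    netloc = _host_part(parts)
    if parts.username is not None:
        netloc = parts.username + "@" + netloc
    stripped = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return stripped, password


def join_credentials(url_without_password, password):
    """Put a password back into the URL, percent-encoded.

    Any password already present in url_without_password is discarded, so a
    secret pasted into the URL field cannot sneak past the write-only field.
    """
    if password is None:
        return url_without_password
    parts = urlsplit(url_without_password)
    netloc = "%s:%s@%s" % (parts.username or "", quote(password, safe=""), _host_part(parts))
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def view_for_page(db_url):
    """Data handed to the template: the secret never leaves the server."""
    stripped, password = split_credentials(db_url)
    return {
        "db_url": stripped,
        "db_password_set": bool(password),
        "db_password_display": MASK if password else "",
    }


def apply_form(db_url, form):
    """Write-only update: an empty db_password field keeps the stored value.

    `form` is a dict of submitted fields (field names are an assumption).
    """
    stripped, current = split_credentials(db_url)
    new_url = form.get("db_url", stripped)
    submitted = form.get("db_password", UNCHANGED)
    password = current if submitted == UNCHANGED else submitted
    return join_credentials(new_url, password)


if __name__ == "__main__":
    print(view_for_page(SAMPLE_URL))
    print(apply_form(SAMPLE_URL, {"db_password": ""}))        # unchanged
    print(apply_form(SAMPLE_URL, {"db_password": "new:pw"}))  # rotated
```

The page only ever receives the output of view_for_page, so a screenshot, a browser cache or a shoulder-surfer sees the mask rather than the live credential, while the administrator can still rotate it by typing a new value.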

@dainnilsson
Member

This is somewhat by design as the external applications keep the passwords in the config files, and a feature of YubiAdmin is being able to edit these files. YubiAdmin is an admin interface only intended for use by an administrator as a replacement for editing the configuration files by hand (which would similarly expose the passwords on the screen).

I do agree that it would be an improvement if the passwords were hidden from view, but with the amount of effort required for this (changing the external applications for the pages you listed and some that you didn't list) I do not see it being warranted. I'll leave the issue open for future consideration.

@jas4711

jas4711 commented Mar 11, 2014

I'm not certain what kind of passwords these are, but another option is to not use cleartext passwords at all, but instead use PBKDF2'd password and store the resulting hash (in hex) in these configuration files instead.

However, this approach doesn't work for some kinds of passwords that need to be presented to other software, and probably these passwords are of this kind.

Maybe there are other options to handle database authentication? Passwords are in general a problem, so if it is possible to recommend something else instead, that may be better. Any publickey authentication possible?
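What the PBKDF2 suggestion above looks like for a password that the application verifies itself, as an added example that is not yubiadmin code: the config file holds only the iteration count, salt and derived key in hex, and a login attempt is checked by recomputing the derivation. The section and key names are assumptions, and, as the comment notes, this cannot be used for a credential that must be handed to a database server in the clear.

```python
"""Storing a PBKDF2 hash instead of a cleartext password in a config file.

Added example, not yubiadmin code. Works only for a password this software
verifies itself (e.g. an admin login), not for one passed to a database.
The [admin] section and password_hash key are hypothetical.
"""
import configparser
import hashlib
import hmac
import io
import os

ITERATIONS = 100_000                     # assumed work factor
SECTION, KEY = "admin", "password_hash"  # hypothetical config layout


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algo)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=len(dk_hex) // 2,
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def config_with_hash(password):
    """Write the hash, never the cleartext, into INI-style config text."""
    cfg = configparser.ConfigParser()
    cfg[SECTION] = {KEY: hash_password(password)}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def check_login(config_text, password):
    """Verify a submitted password against the hash read from the config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return verify_password(password, cfg[SECTION][KEY])


if __name__ == "__main__":
    text = config_with_hash("hunter2")   # constructed sample password
    print(text)
    print(check_login(text, "hunter2"), check_login(text, "wrong"))
```

An administrator viewing this file on the Advanced page sees only the hash, which is safe to display; rotating the password means writing a new hash line, and the old cleartext is never recoverable from the file.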
