Remove in the clear passwords

Issue #320 new
Paul Rinaldi created an issue

Monit and M/Monit both put a lot of faith in filesystem permissions to protect passwords. Three different passwords can be found in the clear:

  1. admin password for monit agent HTTP interface in monitrc file
  2. M/Monit password in monitrc file
  3. M/Monit stores monit agent passwords in the clear within the "host" table

I understand that these files should only be readable by the root user, but we still consider it a security violation to have any passwords in the clear, regardless of the file permissions.

Comments (3)

  1. Tildeslash repo owner

    We plan to add support for client SSL certificate-based authentication to M/Monit (monit supports it already, but it cannot be used with M/Monit).

  2. Neo Mofoka

    If I'm not mistaken, Monit already allows PAM and htpasswd file authentication which would not have the password in the clear according to the docs. Is this incorrect?

    I'm not sure about M/Monit though.

  3. Tildeslash repo owner

    @jeteon yes, PAM authentication is supported for the monit HTTP interface.

    However, as the monit CLI works as an HTTP client and connects to the monit daemon via the HTTP interface, it needs to read the credentials from the monit configuration file (it doesn't support an interactive dialog for credentials) so it can authenticate (that's why monit enforces strict permissions on the configuration file).

    If only PAM is left, the HTTP interface will work, M/Monit will be able to connect to Monit (although it will be necessary to set up the credentials on the M/Monit side manually), but the CLI won't work.

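An added example, not part of the issue thread and not Monit project code: a small audit that finds the first two cleartext locations listed in the issue (the `allow user:password` entry and the credentials embedded in the `set mmonit` URL) in a monitrc file and reports them without echoing the secret. It assumes Monit's documented `allow` and `set mmonit` syntax; the sample configuration, host names and credentials are constructed, and the 0700 ceiling in `mode_too_open` is this example's reading of the strict permissions mentioned in the last comment.

```python
import ipaddress
import re

# Constructed sample monitrc; hosts, users and passwords are made up.
SAMPLE = """\
set mmonit https://collector:s3cret@mmonit.example.org:8443/collector
set httpd port 2812
    allow localhost
    allow ::1
    allow 10.0.0.0/8
    allow @monit            # PAM group, no secret in this file
    allow md5 /etc/monit/htpasswd ops
    allow admin:"hunter2" read-only
"""

URL_CREDS = re.compile(r"^set\s+mmonit\s+\w+://([^:/@\s]+):[^@\s]+@", re.I)
ALLOW = re.compile(r"^allow\s+(\S+)", re.I)

def is_host(token):
    """True when an allow argument is an IP address or network, IPv6 included."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def audit_monitrc(text):
    """Return (line_no, kind, user) per cleartext credential; passwords are never echoed."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # naive comment strip (assumption)
        m = URL_CREDS.match(line)
        if m:
            findings.append((no, "mmonit-url", m.group(1)))
            continue
        m = ALLOW.match(line)
        if not m:
            continue
        arg = m.group(1)
        # Skip PAM groups, htpasswd paths, hosts/networks and bare keywords.
        if arg.startswith(("@", "/")) or is_host(arg) or ":" not in arg:
            continue
        findings.append((no, "httpd-allow", arg.split(":", 1)[0]))
    return findings

def mode_too_open(mode):
    """True when group or other has any access (anything beyond 0700)."""
    return bool(mode & 0o077)
```

To check a real file, pass its contents to `audit_monitrc` and `os.stat(path).st_mode` to `mode_too_open`.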