Remove in the clear passwords
Issue #320
new
Monit and M/Monit both put a lot of faith in filesystem permissions to protect passwords. Three different passwords can be found in the clear:
- admin password for monit agent HTTP interface in monitrc file
- M/Monit password in monitrc file
- M/Monit stores monit agent passwords in the clear within the "host" table
I understand that these files should only be able to be read by root user, but we still consider it a security violation to have any passwords in the clear, regardless of the file permissions.
Comments (3)
-
repo owner
-
If I'm not mistaken, Monit already allows PAM and htpasswd file authentication which would not have the password in the clear according to the docs. Is this incorrect?
I'm not sure about M/Monit though.
-
repo owner
@jeteon yes, PAM authentication is supported for the monit HTTP interface.
However, as the monit CLI works as HTTP client and connects to monit daemon via the HTTP interface, it needs to read the credentials from monit configuration file (it doesn't support interactive dialog for credentials), so it can authenticate (that's why monit enforces strict permissions on the configuration file).
If only PAM is left, the HTTP interface will work, M/Monit will be able to connect to Monit (although it will be necessary to setup the credentials on M/Monit side manually), but the CLI won't work.
- Log in to comment
We plan to add support for client SSL certificates based authentication to M/Monit (monit supports it already, but it cannot be used with M/Monit).