Problem with an RB user account

I’m trying to set up a login for my RB that could just view my firewall config, and not see sensitive info like passwords.

So, I made a new group, ticked only what I thought it needed, “read, winbox”, and created a user and added it to this group.

I log in with it, and sure enough the “Hide Passwords” is ticked, and I can’t untick it… but I then open one of my PPPoE Clients, and find I can copy and paste the ****** input into notepad to see the password!

This is on a 493AH RouterBoard with RouterOS 4.2

If a group’s security is set to allow read, then of course they can read passwords of PPPoE accounts. (All users, even admin, cannot read user passwords, of course.)
You cannot change the ‘show passwords’ tick box because that requires the user to have rights to change settings, which that security group does not have, being read only.

Therefore giving a user read access to your RB will allow them to see everything. That does not help you, but it is ‘normal’ and expected behaviour.

If you want to stop a user from seeing PPPoE or PPP client passwords, host that functionality elsewhere, e.g. in User Manager and/or use RADIUS.

nest, then what is the point of the “sensitive” option for a user group that enables the user to untick “Hide Passwords” without write access?

Most kit distinguishes between read access and read + password. Of course, usually you’re not able to read a password, only set a new one; copying an **** password field should not allow you to paste it into notepad, and you shouldn’t be able to copy a password at all, generally.

If you want to stop a user from seeing ppoe or ppp client passwords, host that functionality elsewhere, e.g in usermanager and/or use radius.

I’d class that as a GFi answer, “use something else instead”.

What “sensitive” option?

I’ve always considered the “Hide Password” option to hide it from people looking over my shoulder.

Sadly, that’s all it’s good for. I do think there should be an option in user groups that disables any viewing of any security-related details, perhaps encompassing all areas where there is sensitive data I don’t want a client to see, such as PPP/PPPoE passwords, wireless security encryption profiles, etc. Would be a good feature.

fewi, it doesn’t stop them looking at the keyboard to see what you type.

It seems to unhide or un-asterisk password fields, which granted I would have found useful at times in routers I’d not accessed for a while, but overall find the security of never being able to read a password field more valuable.

Under System, Users, Groups, for a group you can tick “sensitive”; this appears to allow you to untick the “Hide Passwords” box and see them.

However, this seems pretty pointless as the password field in PPPoE is still “enabled” and allows selection of the asterisk password, copy, and then paste into notepad to reveal it. I hate to insult the developers, but dare I say, it seems like a “bug”?
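As an added example (not from this thread or from MikroTik), here is the read-only group described above expressed on the RouterOS CLI instead of the Winbox dialog, so the policy set can be reviewed in one place. The group and user names are placeholders, and the policy names are assumed to match the checkboxes Winbox shows.

```routeros
# Added example, not from the thread. "view-only" and "viewer" are placeholders.
# Read-only group: may log in via Winbox and read config, but has no
# write/policy rights and is deliberately NOT given "sensitive", so
# "Hide Passwords" stays ticked (and greyed out) for its members.
/user group add name=view-only policy=read,winbox

# A user restricted to that group (replace the placeholder password).
/user add name=viewer group=view-only password=CHANGE_ME

# Verify the effective policy list: every policy not granted above
# (sensitive, write, policy, ftp, ssh, telnet, ...) should print with a
# leading "!" meaning it is denied for this group.
/user group print detail where name=view-only

# Caveat from this thread: before RouterOS 4.3 a member of such a group
# could still copy the masked PPPoE client password field in Winbox to
# the clipboard, so the group alone did not keep PPP/PPPoE secrets from
# read-only users on 4.2.
```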

Unfortunately I think it’s working as intended.

But file a bug report to support@mikrotik.com and change it into a feature enhancement request once it’s confirmed that it’s not a bug. And make a thread in the “RouterOS beta” forum asking for the implementation you’re looking for. It would be nice if administrative AAA were more flexible.

So that’s where it is, but only since v4? I never knew that was there! Would be nice if this was documented! http://wiki.mikrotik.com/wiki/Router_AAA#User_Groups has no mention of what this option does.

“Sensitive” will hide from the console the following:

Passwords
User Manager passwords
SNMP auth passwords
Wireless keys
Secrets
PIN codes

Probably something else; I will check and add to the Wiki.

Documentation updated with an up-to-date list of sensitive information:
http://wiki.mikrotik.com/wiki/Router_AAA#Properties

But… what about WinBox? =)

Normis

Removing the sensitive permission from a user doesn’t work in Winbox because you can copy and paste the ********* hidden text into notepad and see the password that was ‘under’ the *********** with the greatest of ease!!

Sorry MT guys. But this was just too easy to bypass. :laughing:

I agree the ‘Hide passwords’ option is greyed out and you can’t untick the option - but with the above ability to copy and paste, who needs to worry about that?

It’s fixed in v4.3 by the way :slight_smile:

Any chance of getting this backported into 3.x? We have no plans to migrate to v4 yet.

Yep, that’s looking better now. It’s still selectable/highlightable, and there’s still a right-click option with copy, but it no longer appears to update the clipboard, pasting simply pastes the previous content of the clipboard.

Thanks normis

Could you test with SIW Eureka? I don’t have the ability to install 4.3 at the moment.
(http://www.gtopala.com/siw-tools/eureka.html)
Would be very interested to know if it has really been hidden/masked from copy/paste.
Thanks.

Sure, I tried SIW – Eureka! and another password revealer, all you get is the window title, “Interface ”, no password revealed, it’s still *****.

Fantastic. That’s very good news. Thank you for testing it.

No probs, happy to help, just wish someone could help me.