akschu
Frequent Visitor
Topic Author
Posts: 57
Joined: Thu Mar 15, 2012 2:09 am

Users default to no password, and no way to detect it!

Tue Dec 19, 2017 10:46 pm

RouterOS Devs:

The default user creation doesn't require a password, and defaults to blank, which means if someone simply does a:

/user add name=fred group=full

Then you can immediately login as fred with no password. This creates a significant security issue that isn't immediately obvious. Furthermore, there is no way to tell if a password is set without SSH'ing to the host to see if it lets you on. So auditing this is difficult to do.

I propose the following to fix this:

1. Make password a required attribute of the /user add command. Then if you forgot a password, it will prompt you, and then if you leave it blank, at least it kind of warned you.

or

2. Like above, but force the user to choose a password, so that you can't have blank passwords other than the default admin password before it's changed.

or

3. /user aaa set use-blank-passwords=no and if that's set, then just don't allow blank passwords in the web interface or ssh.

Thanks,
schu
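As an added example (not code from the thread, nor from MikroTik), a small Python audit that does the only check the first post says is possible: it parses `/user print detail` output, skips disabled accounts, and probes each remaining account for an empty password through a login callback you supply for the routers you administer (the demo uses a fake). The `/user print detail` format in the sample is constructed and may differ slightly between RouterOS versions.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of `/user print detail` output. RouterOS prints no
# password field, so whether a password is set cannot be read from it.
SAMPLE_USER_PRINT = """\
Flags: X - disabled
 0   name="admin" group=full address=0.0.0.0/0 last-logged-in=dec/19/2017 22:40:01
 1   name="fred" group=full address=0.0.0.0/0 last-logged-in=never
 2 X name="old" group=write address=0.0.0.0/0 last-logged-in=never
 3   name="monitor" group=read address=0.0.0.0/0 last-logged-in=never
"""

_ENTRY = re.compile(
    r'^\s*\d+\s+(?P<flags>[A-Z ]*?)\s*name="(?P<name>[^"]*)"\s+group=(?P<group>\S+)')


def parse_user_print(text: str) -> List[Dict[str, object]]:
    """Turn `/user print detail` output into a list of account records."""
    users = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            users.append({"name": m["name"], "group": m["group"],
                          "disabled": "X" in m["flags"]})
    return users


def audit_blank_passwords(users, try_login: Callable[[str, str], bool]) -> List[str]:
    """Return enabled accounts that authenticate with an empty password.

    try_login(username, password) must perform a real authentication attempt
    against a router you administer (for example via an SSH client library);
    it is injected so the audit logic can run offline against a fake.
    group=full accounts are listed first because they matter most."""
    hits = [u for u in users if not u["disabled"] and try_login(u["name"], "")]
    hits.sort(key=lambda u: (u["group"] != "full", u["name"]))
    return [u["name"] for u in hits]


if __name__ == "__main__":
    # Fake login for the demo: only "fred" was created without a password.
    fake_login = lambda user, pw: user == "fred" and pw == ""
    print(audit_blank_passwords(parse_user_print(SAMPLE_USER_PRINT), fake_login))
```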
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Users default to no password, and no way to detect it!

Tue Dec 19, 2017 11:02 pm

Who is that "someone"? Isn't it the administrator? What if he disables all interfaces? What if he sets a drop-all rule in the raw table? What if he shuts down the system?

Should the system be protected against the administrator?
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Users default to no password, and no way to detect it!

Fri Dec 22, 2017 3:07 pm

RouterOS cannot be completely foolproof.

Why is it a problem for the administrator to specify a password right away when creating a user?
/user add name=aa password=bb
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Users default to no password, and no way to detect it!

Tue Jan 02, 2018 8:19 pm

There is no problem in the current implementation, but it is also not possible to list all users with "full - admin" access and check if the password is set or not.
This causes problems in auditing land.
 
tqmark
just joined
Posts: 1
Joined: Fri Sep 02, 2016 7:46 pm

Re: Users default to no password, and no way to detect it!

Sun Jul 08, 2018 2:31 am

I agree with the feature request.

To address mrz's point: correct, RouterOS cannot be foolproof. However, MikroTik's current logic does not match what you find on a Linux host.

Linux host: I can create a user (without a password) and drop a .ssh/authorized_keys file into his account so he can log in. The user does not have a password, but can log in with an SSH key.

In MikroTik: I create a user (without a password), but his password defaults to "". The SSH daemon should not let the user log in with a "" password.
