Forum / Remote Desktop Manager - Feature Request

Password encryption feature request

I know I asked about this in the SDK forum in the past. I have thought about it some more since then, and I think I have the details fleshed out enough to make this a useful, secure feature that could be implemented.

Currently, passwords stored in the RDM database are encrypted with a key and algorithm that isn't published to end-users for security's sake. I would like to get RDM fully integrated into our other systems, and the write-only functionality just doesn't quite provide what I need since I can't verify that the password hasn't been changed.

What I would like to see in RDM is a new setting that would allow the administrator to choose how passwords are encrypted. Options that would be useful for this setting are below.

  • Default (This would be the default, and would use the key and algorithm currently in use today)
  • None (This would store the password as Base64-encoded plain text. This setting would include a warning about the insecurity of this option, or possibly just not be implemented.)
  • Custom (This setting would allow you to specify a pre-shared key along with an encryption algorithm to use in storing the passwords. The PSK would then be encrypted using your standard encryption key/algorithm for storage in the database. This setup would avoid plain-text passwords altogether, plus allow authorized users that have been provided the PSK to decrypt the password)

8 yrs ago

Hi,
I see your point; it's interesting. I already wanted to extend the encryption for the content, but I never thought of doing that for the password specifically.

Thank you

David Hervieux

8 yrs ago

David, are there any updates on if/when this feature will be implemented? This feature would help me out with my DR planning, as I would be able to keep a (readable) backup of the connections that could run on entirely separate systems, which would allow my users to continue supporting our customers, even if the SQL server was destroyed, albeit in a much more manual way.

8 yrs ago

Hi,
I know that you might not believe me, but it's on our short-term to-do list. We have many requests for that, and I know how to do it in a simple way.

David Hervieux

8 yrs ago

David,

I was poking around in the latest pre-release version that you had me install to troubleshoot a bug report, and saw that this feature is now present. It took a little work, but I got decryption working under PHP. There were a few compatibility issues between .NET's and PHP's implementations of 3DES around the key size, but nothing a little Google work couldn't fix.

It looks like this access should only be used as read-only, though. Am I correct on that?

8 yrs ago

Hi,
Yes, for security reasons it's read-only, but you can call RDM from the command line to change a password for a session.

David Hervieux

8 yrs ago

Okay. Unfortunately, I can't call RDM from the command line, since our portal machine runs Linux, so it'll just be read-only for me.

I am glad the feature is there, though, since I can now have a last-resort backup of the passwords.
edited by abwalters on 8/3/2011

8 yrs ago

Hey,

Is it possible for you to share the PHP code you use? Or at least the portions where you decrypt the password obtained from the DB? We could use that as well.

In our case, we plan to use RDM for administering customer systems. However, I myself prefer to use command line where possible, so I'd really like an easy way to access the passwords in Linux - so a PHP or Perl/Python script that would grab the XML from DB and then decrypt it would fit the bill just great.

Thanks.

7 yrs ago

@Zarhan,

I can share the code; I just had to clean it up to remove references to our passwords. See below for the reference code. Keep in mind that you can't change the password with this code. This code also does not decrypt the connections, if you have your data source set up to encrypt those. It'll only decrypt the password in the UnsafePassword field.

<?php

# Set $crypt to the encrypted password string (Base64, as stored in the UnsafePassword field).
# Set $key to the plaintext pre-shared key for decryption.

$key = mb_convert_encoding( $key, 'ASCII' );

$crypt = base64_decode( $crypt );
$md5key = md5( $key, true );                 # 16-byte binary MD5 hash of the key
# .NET treats a 16-byte 3DES key as K1,K2,K1; PHP expects all 24 bytes spelled out,
# so append the first 8 bytes of the hash to get the equivalent 24-byte key.
$ckey = $md5key . substr( $md5key, 0, 8 );
# 3DES in ECB mode has no IV. The original post used the mcrypt extension
# (MCRYPT_TRIPLEDES / MCRYPT_MODE_ECB), which was removed in PHP 7.2; 'des-ede3'
# is the equivalent OpenSSL cipher. OPENSSL_ZERO_PADDING disables padding removal,
# matching mcrypt's behaviour, so any padding bytes .NET added remain at the end of $output.
$output = openssl_decrypt( $crypt, 'des-ede3', $ckey, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING );
if ( $output === false ) {
    throw new RuntimeException( 'Decryption failed: ' . openssl_error_string() );
}
$output = mb_convert_encoding( $output, 'UTF-8' );

# $output is now the decrypted password.

?>

7 yrs ago
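The custom pre-shared-key option asked for in the first post and the PHP script above come down to the same operations: MD5 the PSK, widen the 16-byte digest to a 24-byte 3DES key (the .NET versus PHP key-size difference mentioned earlier), then run 3DES in ECB mode over the Base64-decoded value. What follows is an added example, not RDM's code and not abwalters' script. It is written in Go because its standard library includes 3DES and the result runs as a stand-alone tool on Linux. It assumes PKCS#7 padding (the .NET default; the PHP script leaves padding bytes in place) and adds an encrypt side so the round trip, and the "has the stored password changed?" check the first post asked for, can be exercised offline on constructed sample values. The function names, PSK and password below are this example's own.

```go
// Added example (not RDM's code, not the PHP script from this thread):
// a Go port of the same 3DES scheme with an encrypt side for testing.
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// ExpandKey derives the 24-byte 3DES key the way the PHP snippet does: the
// 16-byte MD5 of the PSK with its first 8 bytes appended (K1,K2,K1). .NET does
// this internally when handed a 16-byte key; PHP needs it spelled out.
func ExpandKey(psk string) []byte {
	sum := md5.Sum([]byte(psk))
	key := make([]byte, 0, 24)
	key = append(key, sum[:]...)
	key = append(key, sum[:8]...)
	return key
}

// pkcs7Pad pads to a multiple of blockSize (PKCS#7 is an assumption here).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding, rejecting malformed trailers.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptPassword produces a Base64 string of the form the PHP snippet
// consumes: 3DES-ECB under the expanded key, PKCS#7 padded.
func EncryptPassword(psk, password string) (string, error) {
	block, err := des.NewTripleDESCipher(ExpandKey(psk))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	src := pkcs7Pad([]byte(password), bs)
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += bs { // ECB: every block encrypted independently
		block.Encrypt(dst[i:i+bs], src[i:i+bs])
	}
	return base64.StdEncoding.EncodeToString(dst), nil
}

// DecryptPassword mirrors the PHP snippet and additionally removes padding.
func DecryptPassword(psk, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := des.NewTripleDESCipher(ExpandKey(psk))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	if len(ct)%bs != 0 {
		return "", errors.New("ciphertext is not block aligned")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		block.Decrypt(pt[i:i+bs], ct[i:i+bs])
	}
	pt, err = pkcs7Unpad(pt, bs)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// PasswordUnchanged answers the first post's question: does the stored value
// still decrypt to the password the integrating system expects? The compare
// is constant-time so the check itself leaks nothing about the expected value.
func PasswordUnchanged(psk, encoded, expected string) bool {
	got, err := DecryptPassword(psk, encoded)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
}

func main() {
	const psk, password = "example-psk", "P@ssw0rd!" // constructed sample values
	enc, _ := EncryptPassword(psk, password)
	fmt.Println("stored:", enc)
	fmt.Println("unchanged:", PasswordUnchanged(psk, enc, password))
	fmt.Println("wrong psk:", PasswordUnchanged("other", enc, password))
}
```

Because the mode is ECB with no IV, two sessions sharing the same password under the same PSK produce the same stored string; that is worth knowing when treating this field as a DR backup, since the stored values alone reveal which entries share credentials.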

Thanks a lot, really appreciate it.

7 yrs ago

I was on vacation so I haven't been able to continue this until now, but where exactly is the option to save the passwords to the UnsafePassword field with 3DES encryption? The Security Provider only gives you the options "none, default, basic, shared passphrase". Based on the first post, I was looking for a place to specify an encryption algorithm and key... where is it? I upgraded to the 6.9 beta but didn't find it there either.

Thanks!

7 yrs ago

Hi,
It's not in the Security Provider; it's in the database settings: File->Administration->Data Source Settings... It's a different field in the database, and it's empty if the option is not set.

David Hervieux

7 yrs ago

Found it. Thanks a lot!

7 yrs ago