Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Security of the user/passwords stored on USB?

Featured Replies

Hi,

I am concerned about the security, since we cannot encrypt the usb how safe is the passwords we store for users we've created in the unraid gui?

 

I check

cat /boot/config/passwd and it seems to contain cleartext usernames which is fine i guess, but the passwords must be stored somewhere too, are these safe or can they be decrypted by a potential attacker that gains access to the usb drive?

Edited by je82

  • Author

I think what im asking here how safe are the passwords stored in smbpasswd file, can they be decrypted?

Quote

smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user

 

They passwords are just as secure as they would be on a traditional Unix/Linux system as they are only ever stored in encrypted form.   It is just that Unraid makes a copy of the passwd and smbpasswd files onto the flash drive so that it can be restored after a reboot.   If they can be decrypted there the same files could be decrypted on any system and this does not seem to be something that happens.

  • 1 month later...
On 2/14/2024 at 10:05 AM, itimpi said:

They passwords are just as secure as they would be on a traditional Unix/Linux system as they are only ever stored in encrypted form.   It is just that Unraid makes a copy of the passwd and smbpasswd files onto the flash drive so that it can be restored after a reboot.   If they can be decrypted there the same files could be decrypted on any system and this does not seem to be something that happens.

 

Consider this scenario:

- unraid has encrypted disks that require password at boot. I turn on Unraid, unlock the drives and leave the house to work/holidays.

- Array is started but unraid requires a password for web UI, console and shares, like any normal safe NAS

- a thief breaks in

 

He can't access the shares since they all require a password.

He can't access the console since the monitor asks for a password.

If he unplugs the USB with unraid running, resets the root password in the USB file and then puts the usb back in while unraid is still running:

will unraid check the user input password against the old password stored in memory or will it check it against the one in the USB file? Consider the thief doesn't reboot.

If it uses the password in memory we are safe, but if it uses the password in the USB then they can easily access the webUI and check all information even in encrypted disks since the array was running

 

Thanks

Edited by Mr.Will

25 minutes ago, Mr.Will said:

If he unplugs the USB with unraid running, resets the root password in the USB

Typically unraid will crash in short order if the USB is removed.

6 hours ago, Kilrah said:

Typically unraid will crash in short order if the USB is removed.

Ah, I didn't know that, but it's a good "feature". Do you know roughly how long it takes to crash?

 

And nevertheless do you know if the old password is always used (stored in memory) until you reboot with the USB's password changed?

Thanks!

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.