je82 Posted February 14 (edited)

Hi, I am concerned about the security. Since we cannot encrypt the USB, how safe are the passwords we store for users we've created in the Unraid GUI? I checked cat /boot/config/passwd and it seems to contain cleartext usernames, which is fine I guess, but the passwords must be stored somewhere too. Are these safe, or can they be decrypted by a potential attacker that gains access to the USB drive?
je82 (Author) Posted February 14

I think what I'm asking here is how safe the passwords stored in the smbpasswd file are; can they be decrypted?
Squid Posted February 14

> smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user
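The field layout that quote describes, as an added example that is not part of any post in this thread: a Python audit of lines in Samba's smbpasswd text format (name, uid, LANMAN hash, NT hash, account flags, last-change time, per smbpasswd(5)). The sample entries and hash values are constructed, `parse_line` and `audit` are names chosen for this example, and it assumes the copy on the flash drive uses this standard layout.

```python
# Added example: audit Samba smbpasswd lines, name:uid:LM:NT:[flags]:LCT-<hex epoch>:
import re
from datetime import datetime, timezone

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
FLAG_NAMES = {"U": "user", "D": "disabled", "N": "no password",
              "X": "password never expires", "W": "workstation trust"}

# Constructed sample input; the hash values are made-up hex, not real hashes.
SAMPLE = """\
# comment lines are ignored
alice:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-65CC8D00:
bob:1001:00112233445566778899AABBCCDDEEFF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-5E0BE100:
guest:1002:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
"""

def parse_line(line):
    """Return a dict for one smbpasswd entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 6:
        raise ValueError("malformed smbpasswd line: too few fields")
    name, uid, lm, nt, flags, lct = fields[:6]
    changed = (datetime.fromtimestamp(int(lct[4:], 16), tz=timezone.utc)
               if lct.startswith("LCT-") else None)
    return {
        "name": name,
        "uid": int(uid),
        "lm_hash_set": bool(HEX32.match(lm)),  # legacy LANMAN hash stored
        "nt_hash_set": bool(HEX32.match(nt)),  # NT hash stored
        "flags": [FLAG_NAMES.get(c, c) for c in flags.strip("[]") if c != " "],
        "last_change": changed,
    }

def audit(text):
    """Yield (name, finding) pairs a defender would want to review."""
    for entry in filter(None, map(parse_line, text.splitlines())):
        if entry["lm_hash_set"]:
            yield entry["name"], "LANMAN hash stored"
        if "no password" in entry["flags"]:
            yield entry["name"], "no-password flag set"
        elif not entry["nt_hash_set"] and "disabled" not in entry["flags"]:
            yield entry["name"], "no usable NT hash"

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
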
itimpi Posted February 14

The passwords are just as secure as they would be on a traditional Unix/Linux system, as they are only ever stored in encrypted form. It is just that Unraid makes a copy of the passwd and smbpasswd files onto the flash drive so that it can be restored after a reboot. If they can be decrypted there, the same files could be decrypted on any system, and this does not seem to be something that happens.
Mr.Will Posted March 23 (edited)

On 2/14/2024 at 10:05 AM, itimpi said:
> The passwords are just as secure as they would be on a traditional Unix/Linux system, as they are only ever stored in encrypted form. It is just that Unraid makes a copy of the passwd and smbpasswd files onto the flash drive so that it can be restored after a reboot. If they can be decrypted there, the same files could be decrypted on any system, and this does not seem to be something that happens.

Consider this scenario:
- Unraid has encrypted disks that require a password at boot. I turn on Unraid, unlock the drives and leave the house for work/holidays.
- The array is started, but Unraid requires a password for the web UI, console and shares, like any normal safe NAS.
- A thief breaks in.

He can't access the shares since they all require a password. He can't access the console since the monitor asks for a password. If he unplugs the USB with Unraid running, resets the root password in the USB file and then puts the USB back in while Unraid is still running: will Unraid check the user input password against the old password stored in memory, or will it check it against the one in the USB file? Consider that the thief doesn't reboot. If it uses the password in memory we are safe, but if it uses the password in the USB then they can easily access the web UI and check all information, even on encrypted disks, since the array was running.

Thanks
Kilrah Posted March 23

25 minutes ago, Mr.Will said:
> If he unplugs the USB with Unraid running, resets the root password in the USB

Typically Unraid will crash in short order if the USB is removed.
Mr.Will Posted March 23

6 hours ago, Kilrah said:
> Typically Unraid will crash in short order if the USB is removed.

Ah, I didn't know that, but it's a good "feature". Do you know roughly how long it takes to crash? And nevertheless, do you know if the old password is always used (stored in memory) until you reboot with the USB's password changed? Thanks!