Security of the user/passwords stored on USB?


je82


Hi,

I am concerned about the security. Since we cannot encrypt the USB, how safe are the passwords we store for users we've created in the Unraid GUI?

I check cat /boot/config/passwd and it seems to contain cleartext usernames, which is fine I guess, but the passwords must be stored somewhere too. Are these safe, or can they be decrypted by a potential attacker that gains access to the USB drive?

Edited by je82

The passwords are just as secure as they would be on a traditional Unix/Linux system, as they are only ever stored in encrypted form. It is just that Unraid makes a copy of the passwd and smbpasswd files onto the flash drive so that it can be restored after a reboot. If they can be decrypted there, the same files could be decrypted on any system, and this does not seem to be something that happens.

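One way to see which scheme the stored password fields use, since the scheme determines how much work offline guessing takes for someone holding a copy of the files. This is an added example, not part of the original posts and not Unraid's own code; it assumes the copied files use standard crypt(3) prefixes and Samba's smbpasswd text layout, and the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example. All account lines below are constructed, not real hashes.

# Name the scheme of a passwd/shadow-style password field by its crypt(3) prefix.
classify_hash() {
  case "$1" in
    '')                      echo "empty" ;;        # no password set
    x)                       echo "in-shadow" ;;    # hash lives in a shadow file
    '!'*|'*'*)               echo "locked" ;;       # login disabled
    '$1$'*)                  echo "md5crypt" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
    '$5$'*)                  echo "sha256crypt" ;;
    '$6$'*)                  echo "sha512crypt" ;;
    '$y$'*)                  echo "yescrypt" ;;
    *)                       echo "unknown" ;;
  esac
}

# True when the argument is exactly 32 hex digits (the size of an NT hash).
is_hex32() {
  case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
  [ "${#1}" -eq 32 ]
}

# Read colon-separated account lines on stdin, print "user scheme" per line.
audit_accounts() {
  while IFS=: read -r user f2 f3 f4 rest; do
    case "$user" in ''|'#'*) continue ;; esac
    if is_hex32 "$f4"; then
      # smbpasswd layout: user:uid:LM hash:NT hash:[flags]:LCT-...
      echo "$user nt-hash-unsalted"
    else
      echo "$user $(classify_hash "$f2")"
    fi
  done
}

# Constructed sample: four shadow-style lines and one smbpasswd-style line.
sample_lines() {
  cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
olduser:$1$CONSTRUCTED$CONSTRUCTEDHASH:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[U          ]:LCT-00000000:
EOF
}

sample_lines | audit_accounts
```

To check real files, pipe them in on stdin, for example `audit_accounts < /boot/config/passwd`.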
  • 1 month later...
On 2/14/2024 at 10:05 AM, itimpi said:

The passwords are just as secure as they would be on a traditional Unix/Linux system, as they are only ever stored in encrypted form. It is just that Unraid makes a copy of the passwd and smbpasswd files onto the flash drive so that it can be restored after a reboot. If they can be decrypted there, the same files could be decrypted on any system, and this does not seem to be something that happens.

 

Consider this scenario:

- Unraid has encrypted disks that require a password at boot. I turn on Unraid, unlock the drives and leave the house for work/holidays.

- The array is started but Unraid requires a password for the web UI, console and shares, like any normal safe NAS.

- A thief breaks in.

He can't access the shares since they all require a password.

He can't access the console since the monitor asks for a password.

If he unplugs the USB with Unraid running, resets the root password in the USB file and then puts the USB back in while Unraid is still running:

Will Unraid check the user input password against the old password stored in memory, or will it check it against the one in the USB file? Consider that the thief doesn't reboot.

If it uses the password in memory we are safe, but if it uses the password in the USB then they can easily access the web UI and check all information, even on encrypted disks, since the array was running.

 

Thanks

Edited by Mr.Will
6 hours ago, Kilrah said:

Typically unraid will crash in short order if the USB is removed.

Ah, I didn't know that, but it's a good "feature". Do you know roughly how long it takes to crash?

 

And nevertheless, do you know if the old password is always used (stored in memory) until you reboot with the USB's password changed?

Thanks!
