[HamWAN PSDR] Oops!

Ryan Elliott Turner ryan.e.t at gmail.com
Fri Mar 14 17:15:27 PDT 2014


So, basically, some CLI commands used to take passwords as parameters. For
instance, "/tool fetch" and "/user add name=name password=pass". That's
generally a bad idea since other users can view the logs, and the password
would be in clear text.


On Fri, Mar 14, 2014 at 7:13 PM, Nigel Vander Houwen <nigel at k7nvh.com> wrote:

> I'm not sure what you're meaning there, but it's only impacting a
> situation where someone else has command line access to your modem. It's
> stored in the equivalent of .bash_history, and there was no way to clear
> it, so someone else could look and see. Now there is a way to clear it.
>
> Nigel
> K7NVH
>
> On Mar 14, 2014, at 5:12 PM, Dean Gibson AE7Q <hamwan at ae7q.net> wrote:
>
> > Oh, OK;  it's on the way out (radio to other machine), not the way in
> > (other machine to radio)?
> >
> > On 2014-03-14 17:09, Nigel Vander Houwen wrote:
> >> Older versions (5.x) of RouterOS had no way to clear the command line
> >> history, thus leaving your password in the logs for anyone with access to
> >> go and look at. 6.x has added a feature allowing you to clear the history,
> >> in theory resolving the issue.
> >>
> >> Nigel
> >> K7NVH
> >>
> >> On Mar 14, 2014, at 5:08 PM, Dean Gibson AE7Q <hamwan at ae7q.net> wrote:
> >>
> >>> The Wiki says, "NEVER type passwords using the command line interface
> >>> (SSH/Terminal/Telnet). There is a known security breach here."
> >>>
> >>> What is the issue?
> >>>
> >
> >
> > _______________________________________________
> > PSDR mailing list
> > PSDR at hamwan.org
> > http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org
>
>



-- 

Ryan Turner
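
The exposure discussed in this thread, as an added example that is not part of the original messages: a Python audit pass over saved command history that flags and redacts commands carrying a password on the command line. It assumes the history is available as plain text with one command per line; the sample lines are constructed, and every parameter name other than "password" is an assumption.

```python
import re

# Parameter names treated as secret-bearing. "password" comes from the
# thread's examples; the others are assumptions added for illustration.
SECRET_KEYS = ("password", "passphrase", "secret")

# key=value, where the value is a double-quoted string (backslash escapes
# allowed) or a run of non-space characters. Also matches keys such as
# "ftp-password" that merely end in one of the names above.
PARAM_RE = re.compile(
    r'(?<![\w-])(?P<key>[\w-]*(?:%s))=(?P<val>"(?:\\.|[^"\\])*"|\S+)'
    % "|".join(SECRET_KEYS),
    re.IGNORECASE,
)

def redact(line):
    """Return (line with secret values masked, list of matched key names)."""
    hits = []
    def _mask(m):
        hits.append(m.group("key").lower())
        return m.group("key") + "=<redacted>"
    return PARAM_RE.sub(_mask, line), hits

def scan(lines):
    """Return (line number, matched keys, redacted line) for each exposure."""
    findings = []
    for n, line in enumerate(lines, 1):
        clean, hits = redact(line.rstrip("\n"))
        if hits:
            findings.append((n, hits, clean))
    return findings

# Constructed sample history, modelled on the two commands named above.
SAMPLE_HISTORY = [
    '/user add name=name password=pass',
    '/tool fetch address=192.0.2.10 user=backup password="two words" src-path=cfg.rsc',
    '/ip address print',
    '/user set admin password=""',
]

if __name__ == "__main__":
    for n, keys, clean in scan(SAMPLE_HISTORY):
        print("line %d: %s exposed -> %s" % (n, ",".join(keys), clean))
```

Any password a scan like this finds should be treated as disclosed and changed, since clearing the history does not undo earlier reads of it.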