[ZBXNEXT-2461] Password and passphrase should not be shown in frontend input boxes Created: 2013 Mar 19  Updated: 2021 May 21  Resolved: 2021 May 21

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: API (A), Frontend (F)
Affects Version/s: 2.4.0
Fix Version/s: None

Type: Change Request
Priority: Trivial
Reporter: Kodai Terashima
Assignee: Unassigned
Resolution: Fixed
Votes: 25
Labels: security, unsquashable
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File CProxyPatch.txt
Issue Links:
Causes
Duplicate
Sub-task
depends on ZBX-15093 PSK Key should not be available to ba... Closed

 Description   

type=text is used for the following input boxes on the frontend, but these hold security-related information. type=password is better for them.

  • password in ssh & telnet item
  • passphrase in ssh item
  • passphrase in SNMPv3 item


 Comments   
Comment by richlv [ 2013 Mar 19 ]

This has been discussed before. The problem is that we are not entering the password once for authentication; it is entered as part of the configuration. Thus we would still want to review it later.

There could be an option to "show/hide password" next to such fields (how about the community string in SNMP v1 & 2c?), but that's more like feature development.

zalex_ua: I agree with Rich.
Also remember about user macros, which are often used to store credentials. I have no idea how it could be nicely designed to store passwords.

Comment by Marc [ 2013 Mar 19 ]

This idea sounds reasonable to me.

Hiding such fields (incl. snmp community strings) with the option to show them would improve security a little bit without having to make disruptive changes.
However, in the long term I think all sensitive data should be moved into a secure container, as mentioned in ZBXNEXT-1660.

Comment by Oleksii Zagorskyi [ 2013 Jun 18 ]

ZBX-6721 is related.
Not sure how far we will go.

Comment by richlv [ 2015 Sep 15 ]

ZBXNEXT-2957 asks to hide [some] macros/variables that way

Comment by sbindley [ 2018 Apr 04 ]

This seems to still be the case (Text box) in 3.4.7, why can't this be changed? I modified configuration.item.edit.php to use CPassBox vs. CTextBox and didn't see any problems creating the item. The password column in items is still clear text but at least the database is restricted more so than when you have multiple Zabbix Admins.

Comment by sbindley [ 2018 Oct 12 ]

Any reason this can't be fixed? Every time I upgrade I have to go edit all the files with a password field.

(new CTextBox('password'
to
(new CPassBox('password'

please?

Comment by Erhan ERTUL [ 2018 Oct 13 ]

I am an enterprise monitoring engineer and I shouldn't know all the passwords I need in the environment. I need to make the responsible team enter the needed pw once, then I should use it whenever I need without seeing the password (for example, choose the pw from a safe in the SNMPv3 item). And also maybe a CyberArk integration is needed ahead! The world is going through self-changing passwords. Also, I use version 4.0 now and passwords are still shown everywhere.

Comment by Nick Miethe [ 2018 Nov 19 ]

CProxyPatch.txt

Including a patch of the API code to hide PSK information from non Super Admins in get requests.
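A sketch of the kind of server-side filtering such a patch would do, added here as an illustration; it is neither Zabbix's code nor the attached CProxyPatch.txt. The field names tls_psk_identity/tls_psk and the Super Admin user-type value 3 are assumptions in this example.

```php
<?php
// Added illustration (not Zabbix code, not the attached patch): strip PSK
// secrets from API get() results unless the caller is a Super Admin.
// Assumed: the PSK is stored as tls_psk_identity / tls_psk on proxies and
// hosts, and the Super Admin user type is 3. Both are assumptions here.
const EXAMPLE_USER_TYPE_SUPER_ADMIN = 3;
const EXAMPLE_SECRET_FIELDS = ['tls_psk_identity', 'tls_psk'];

/**
 * Remove secret fields from every row of a get() result unless the
 * requesting user is a Super Admin. This runs after the rows are selected,
 * so it applies no matter which columns the client asked for via 'output'
 * ('extend' included); all other columns are returned unchanged.
 */
function hidePskFromResult(array $rows, int $userType): array
{
    if ($userType === EXAMPLE_USER_TYPE_SUPER_ADMIN) {
        return $rows;
    }
    foreach ($rows as &$row) {
        foreach (EXAMPLE_SECRET_FIELDS as $field) {
            unset($row[$field]);
        }
    }
    unset($row); // break the reference left by foreach
    return $rows;
}

// Constructed sample result, shaped like a proxy.get row with output=extend.
$sample = [
    [
        'proxyid'          => '10001',
        'host'             => 'proxy-a',
        'tls_psk_identity' => 'PSK-identity-example',
        'tls_psk'          => '<constructed secret value>',
    ],
];

print_r(hidePskFromResult($sample, 1)); // Zabbix User: PSK columns removed
print_r(hidePskFromResult($sample, 3)); // Super Admin: rows unchanged
```

Masking the output alone is not sufficient if the same columns remain usable in filter or search parameters; the API should ignore them there as well.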

Comment by Andrey Denisov [ 2019 May 12 ]

DB monitors are also affected by this "feature".

We can't fully use DB monitor items without hiding passwords in web.

Just hiding password fields in the web UI will help a lot: when you are unsure about the password you can retype it and that's all, BUT no user can see the password by just clicking a DB monitor item.


Comment by Smirnov Dmitriy [ 2019 Jul 09 ]

I would like to support this CR. When multiple teams use Zabbix for monitoring collective infrastructure, open passwords cause concern.

Comment by Alexei Vladishev [ 2021 May 21 ]

It has already been fixed in 5.2 by masking user macros and the ability to keep them in an external Vault.
