I have noticed the auto population of the ssh account on multiple installs but never thought about the XML file. I’ll investigate tomorrow and report my findings.
Sent via C=64 Mobile

> On Mar 14, 2018, at 8:49 PM, Anthony Holloway <avholloway+cisco-v...@gmail.com> wrote:
>
> I'm working on something, and was wondering if you could check something for me, so I can better understand why and how often this is happening.
>
> So, I was looking at phone config file today, and I noticed the ccmadmin username and password was in the XML, and in plain text nonetheless.
>
> I found out that the browser, when told to remember your credentials, will treat the SSH username/password fields as login fields whenever you modify a phone, and you might be unknowingly saving your credentials for clear text view by unauthenticated users.
>
> Is anyone already aware of this?
>
> Could you run the following command on your clusters:
>
> run sql select name, sshuserid from device where sshuserid is not null and sshuserid <> ""
>
> Then in the output, if there are any hits, look at the config XML file for the phone and see if the passwords are there.
>
> E.g.,
>
> output might be:
>
> SEP6899CD84B710 aholloway
>
> So then you would navigate your browser to:
>
> http://<tftpserver>:6970/SEP6899CD84B710.cnf.xml
>
> You then might have to view the HTML source of the page, because the browser might mess up the output.
>
> You're then looking for the following two fields, your results will vary:
>
> <sshUserId>aholloway</sshUserId>
> <sshPassword>MyP@ssw0rd</sshPassword>
>
> Then, since we now know it's happening, get a list of how many different usernames you have with this command:
>
> run sql select distinct sshuserid from device where sshuserid is not null and sshuserid <> "" order by sshuserid
>
> This could also be happening with Energy Wise settings, albeit not on the same web pages.
>
> I'm curious about two things:
>
> 1) Is it even happening outside of my limited testing scenarios?
> 2) How many different usernames and passwords were there?
>
> If the answers are yes, and 1 or more, then this is an issue Cisco should address.
>
> The reason it's happening is because the way in which browsers identify login forms, is different from the way in which web developers understand it to work. Cisco uses the element attribute on these fields "autocomplete = false" and unfortunately, most browsers ignore that directive.
>
> I have noticed that this does not happen, if you have more than 1 saved password for the same site, rather it will only happen if you use the same login for the entire site. Our highest chance of seeing this happen is for operations teams where they log in with their own accounts, and do not use DRS or OS Admin.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
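
The check described in the quoted message, scripted for an administrator auditing their own cluster, as an added example that is not part of the original thread. It takes pasted `run sql` output, reads each phone's config XML, and reports whether `sshPassword` is populated without printing the password. The function names, the `<device>` root element and the header rows of the SQL output are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.request import urlopen

# Constructed sample config; only the two field names come from the message,
# the <device> root element is an assumption.
SAMPLE_CNF = b"""<device>
  <sshUserId>aholloway</sshUserId>
  <sshPassword>MyP@ssw0rd</sshPassword>
</device>"""

# Constructed 'run sql' output; the header and separator rows are assumed.
SAMPLE_SQL = """name            sshuserid
=============== =========
SEP6899CD84B710 aholloway
"""

def parse_sql_output(text):
    """Return (device, sshuserid) pairs, skipping header and separator rows."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] != "name" and not parts[0].startswith("="):
            pairs.append((parts[0], parts[1]))
    return pairs

def audit_config(device, xml_bytes):
    """Flag stored SSH credentials without ever echoing the password itself."""
    root = ET.fromstring(xml_bytes)
    user = (root.findtext(".//sshUserId") or "").strip()
    password = (root.findtext(".//sshPassword") or "").strip()
    return {"device": device, "ssh_user": user, "password_exposed": bool(password)}

def fetch_config(tftp_server, device, timeout=5):
    """Fetch http://<tftpserver>:6970/<device>.cnf.xml from your own cluster."""
    with urlopen(f"http://{tftp_server}:6970/{device}.cnf.xml", timeout=timeout) as resp:
        return resp.read()

def audit_cluster(sql_text, fetch):
    """Audit every device the SQL query returned; `fetch` maps device -> XML bytes."""
    return [audit_config(dev, fetch(dev)) for dev, _ in parse_sql_output(sql_text)]

if __name__ == "__main__":
    # Offline demo on the constructed samples; for a live run pass
    # lambda dev: fetch_config("<tftpserver>", dev) as `fetch`.
    for row in audit_cluster(SAMPLE_SQL, lambda dev: SAMPLE_CNF):
        print(row)
```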