Package: bacula-common
Version: 2.2.8-8
Severity: important

Hi,

the default config files for all bacula services contain passwords.
These passwords are apparently generated at *build* time, so everybody
installing a bacula on say lenny/i386 gets the same password for their
directors, the same passwords for their file daemons etc.

| #
| # List Directors who are permitted to contact this File daemon
| #
| Director {
|   Name = @[EMAIL PROTECTED]
|   Password = "/g2zh1831zpxxD6ZkdOz1kZ7zaGKRqpqli9WCPVDbH+X"
| }
| 
| #
| # Restricted Director, used by tray-monitor to get the
| #   status of the file daemon
| #
| Director {
|   Name = @[EMAIL PROTECTED]
|   Password = "6NyY2A22CnMkuujvuf42WhHSQvJ4CBMPtzGTuv1BnvPM"
|   Monitor = yes
| }

When I first set up my bacula infrastructure I really did not realize
that I had to change these passwords since they look random, and I had
therefore assumed that they were generated on my system, for this setup.

Only when I started adding another client of the same arch did I find
how flawed this assumption was.

If you ship default passwords rather than generating them on the host
the least you could do is to make them "CHANGE-ME-xyz" or something that
will make it obvious to the admin that they are not secure.

Sincerely,
weasel
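Added example, not from the report or from the bacula package: a small Python check that flags the two build-time defaults quoted above and rewrites every `Password` directive with a per-host random value of the same shape. The `KNOWN_DEFAULTS` set and `SAMPLE_FD_CONF` are constructed from the report's quoted configuration; the resource names in the sample are placeholders.

```python
import base64
import re
import secrets

# Constructed from the report: the two passwords shipped in the default bacula-fd.conf.
KNOWN_DEFAULTS = {
    "/g2zh1831zpxxD6ZkdOz1kZ7zaGKRqpqli9WCPVDbH+X",
    "6NyY2A22CnMkuujvuf42WhHSQvJ4CBMPtzGTuv1BnvPM",
}

# Matches a Bacula 'Password = "..."' directive; group 2 is the value.
PASSWORD_RE = re.compile(r'^(\s*Password\s*=\s*")([^"]*)(")', re.MULTILINE | re.IGNORECASE)


def new_password() -> str:
    """33 random bytes from the OS CSPRNG, base64-encoded (44 chars, like the shipped ones)."""
    return base64.b64encode(secrets.token_bytes(33)).decode("ascii")


def find_default_passwords(conf_text):
    """Return every Password value in conf_text that is a known shipped default."""
    return [m.group(2) for m in PASSWORD_RE.finditer(conf_text) if m.group(2) in KNOWN_DEFAULTS]


def regenerate_passwords(conf_text):
    """Replace each Password value with a fresh random one.

    Returns (new_text, mapping) where mapping is old -> new, so the admin can
    update the matching Client resource in bacula-dir.conf to the same value.
    """
    mapping = {}

    def repl(m):
        old = m.group(2)
        mapping.setdefault(old, new_password())  # same old value -> same new value
        return m.group(1) + mapping[old] + m.group(3)

    return PASSWORD_RE.sub(repl, conf_text), mapping


# Constructed sample bacula-fd.conf fragment; resource names are placeholders.
SAMPLE_FD_CONF = """\
Director {
  Name = example-dir
  Password = "/g2zh1831zpxxD6ZkdOz1kZ7zaGKRqpqli9WCPVDbH+X"
}
Director {
  Name = example-mon
  Password = "6NyY2A22CnMkuujvuf42WhHSQvJ4CBMPtzGTuv1BnvPM"
  Monitor = yes
}
"""
```

The old-to-new map matters because a file daemon password must also appear in the director's matching Client resource; rewriting only one side leaves the daemons unable to authenticate to each other.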


