Package: bacula-common
Version: 2.2.8-8
Severity: important

Hi,

the default config files for all bacula services contain passwords. These passwords are apparently generated at *build* time, so everybody installing a bacula on, say, lenny/i386 gets the same password for their directors, the same passwords for their file daemons, etc.

| #
| # List Directors who are permitted to contact this File daemon
| #
| Director {
|   Name = @[EMAIL PROTECTED]
|   Password = "/g2zh1831zpxxD6ZkdOz1kZ7zaGKRqpqli9WCPVDbH+X"
| }
|
| #
| # Restricted Director, used by tray-monitor to get the
| # status of the file daemon
| #
| Director {
|   Name = @[EMAIL PROTECTED]
|   Password = "6NyY2A22CnMkuujvuf42WhHSQvJ4CBMPtzGTuv1BnvPM"
|   Monitor = yes
| }

When I first set up my bacula infrastructure I really did not realize that I had to change these passwords, since they look random, and I had therefore assumed that they were generated on my system, for this setup. Only when I started adding another client of the same arch did I find how flawed this assumption was.

If you ship default passwords rather than generating them on the host, the least you could do is to make them "CHANGE-ME-xyz" or something that will make it obvious to the admin that they are not secure.

Sincerely,
weasel
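Added example, not part of the bug report above and not code from the Debian bacula packaging: a POSIX sh script that audits a bacula-fd.conf for the two build-time default passwords quoted in the report (plus any "CHANGE-ME" placeholder) and replaces each one with a password generated on the host, which is what a postinst doing it right would do. The Director names, the file name and the CHANGE-ME convention are assumptions for illustration; the two password strings are the ones quoted in the report.

```shell
#!/bin/sh
# Added example (not the bug reporter's or the bacula package's code).
# Audit a bacula-fd.conf for shared build-time default passwords and
# rotate them to per-host random values at install time.

# The two build-time defaults quoted in the bug report (bacula 2.2.8-8, lenny/i386).
KNOWN_DEFAULTS='/g2zh1831zpxxD6ZkdOz1kZ7zaGKRqpqli9WCPVDbH+X
6NyY2A22CnMkuujvuf42WhHSQvJ4CBMPtzGTuv1BnvPM'

# Constructed sample config: the two Director stanzas from the report, with
# hypothetical Director names standing in for the scrubbed ones.
SAMPLE_FD_CONF='#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = example-dir
  Password = "/g2zh1831zpxxD6ZkdOz1kZ7zaGKRqpqli9WCPVDbH+X"
}

#
# Restricted Director, used by tray-monitor to get the
# status of the file daemon
#
Director {
  Name = example-mon
  Password = "6NyY2A22CnMkuujvuf42WhHSQvJ4CBMPtzGTuv1BnvPM"
  Monitor = yes
}'

# gen_bacula_password: 33 random bytes from the host's /dev/urandom encoded as
# 44 base64 characters (no padding), the same shape as the shipped defaults.
gen_bacula_password() {
    head -c 33 /dev/urandom | base64 | tr -d '\n'
}

# is_default_line LINE: true if LINE is a Password directive carrying one of the
# known shipped defaults or a CHANGE-ME placeholder.
is_default_line() {
    case "$1" in
        *'Password = "CHANGE-ME'*) return 0 ;;
    esac
    for p in $KNOWN_DEFAULTS; do
        case "$1" in *"$p"*) return 0 ;; esac
    done
    return 1
}

# count_known_defaults FILE: how many Password directives in FILE still carry a
# shared default. Anything above 0 means this host is reachable with a password
# every other installer of the same package also has.
count_known_defaults() {
    n=0
    while IFS= read -r line; do
        if is_default_line "$line"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# rotate_passwords FILE: rewrite every defaulted Password directive with a freshly
# generated value (a different one per directive) and print how many were changed.
# Lines that are not defaulted passwords are copied through unchanged.
rotate_passwords() {
    file=$1
    tmp=$(mktemp)
    rotated=0
    while IFS= read -r line; do
        case "$line" in
            *'Password = "'*)
                if is_default_line "$line"; then
                    new=$(gen_bacula_password)
                    # base64 never contains '|', so it is a safe sed delimiter.
                    line=$(printf '%s' "$line" | sed "s|Password = \"[^\"]*\"|Password = \"$new\"|")
                    rotated=$((rotated + 1))
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$tmp"
    mv "$tmp" "$file"
    echo "$rotated"
}

# demo DIR: write the sample config to DIR/bacula-fd.conf, then print
# "<defaults before> <rotated> <defaults after>".
demo() {
    f="$1/bacula-fd.conf"
    printf '%s\n' "$SAMPLE_FD_CONF" > "$f"
    before=$(count_known_defaults "$f")
    rotated=$(rotate_passwords "$f")
    after=$(count_known_defaults "$f")
    echo "$before $rotated $after"
}

# Usage: BACULA_DEMO_DIR=$(mktemp -d) sh thisfile.sh   -> prints "2 2 0"
if [ -n "${BACULA_DEMO_DIR:-}" ]; then demo "$BACULA_DEMO_DIR"; fi
```

The audit step is the part worth keeping around after install: run count_known_defaults against every bacula-*.conf on a new host, and treat a non-zero result as a finding, since the same strings are present on every other machine built from the same binary package.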