Clear text password stored in Duplicati-server.sqlite

sylerner · June 15, 2018, 7:45pm

While browsing Duplicati-server.sqlite, I noticed that in the Option table there is a passphrase row with a clear text password.

I was lazy setting up my test environment for duplicati, so I used the same password for logging in to duplicati, for backup encryption and for sftp login. (A horrible way to do things - don’t do this at home )

As a result, I don’t know which password I’m seeing in clear text. Anyone care to enlighten me?

Thanks!

kenkendk · June 15, 2018, 8:23pm

You see the sftp login password. Duplicati needs to know the real password (to authenticate with the server) so we cannot store a hashed version. The login password is hashed and salted, thus not stored in clear (we only need to verify it on login).

We have discussed various encryption tricks, but it really boils down to having the decryption key present on the same system as the encrypted data, which adds very little actual security.

My plan is to integrate with the OS keychain, and let that guard the passphrases.

sylerner · June 15, 2018, 8:26pm

That ideally should be done sooner rather than later.

Due to default Linux file permissions, this password - which is a user’s login password on the target system - is by default open to the world for snooping.

JonMikelV · June 18, 2018, 5:15am

Is this something that could be added as a GitHub issue with a bounty added or is it complicated enough that it needs to be handled “in house”?

For reference, the only open issues mentioning “keychain” at the moment seem to be related to the GUI password.

sylerner · June 18, 2018, 5:58am

How does one go about posting an issue with a bounty?

kenkendk · June 18, 2018, 7:48am

I don’t see any problems with handling this with a PR. The issue discussing the keychain integration is this:

github.com/duplicati/duplicati

Fix not revealing stored passwords from the UI [$100]

opened 04:36PM - 17 Oct 16 UTC

kenkendk

security bounty

Before we can release the v. 2.0 beta we should fix the current insecure practic…e with storing passwords in "almost plain" and also prevent revealing the password from the UI. There are a number of issues relating to this, and I am closing the imported ones: - ~~#558 - A master password~~ - ~~#703 - Read-only access~~ - ~~#1010 - Hide auth password~~ - #1251 - A global password - ~~#1942 - Prevent exporting passphrase in JSON~~ - ~~#1807 - Login password protects configuration~~ A shallow protection would be to simply mask out any "password" marked options, and deliver them as a placeholder string (e.g. `********`). Another, more thorough approach, would be to use the system keychain to store the password options. Perhaps we need both, as we may lack access to a keychain on some system, and maybe also for users with `--portable-mode` enabled. When storing with the keychain, we need to mark the passwords in the database to know where they are stored in the keychain. If we store the passwords in the database, we should add some kind of encryption to the passphrases. <bountysource-plugin> --- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/38440904-fix-not-revealing-stored-passwords-from-the-ui?utm_campaign=plugin&utm_content=tracker%2F4870652&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F4870652&utm_medium=issues&utm_source=github). </bountysource-plugin>

After you create or locate an issue on Github, you can go here and register a bounty:
https://www.bountysource.com/teams/duplicati

Anyone can claim a bounty, simply send in a PR and once it is accepted, claim the prize on bountysource.

sylerner · June 19, 2018, 8:15pm

@kenkendk @JonMikelV

I commented on GitHub (Duplicati file permissions on Linux reveals sftp passwords to all · Issue #3278 · duplicati/duplicati · GitHub), but in case it’s not noticed:

Ideally this should be implemented on a universal keychain that is available for Linux (KDE and Gnome at a minimum), Mac and Windows.

If such doesn’t exist, how would you feel if (at least initially) use of a keychain was only implemented on Linux?

kenkendk · June 20, 2018, 8:26am

My thought was to use an OS-specific implementation. I don’t think it is possible to make a secure cross-os keychain, as it requires some kernel protection to get right.

We have OS-specific code for the snapshots and tray-icons already, so the keychain implementation would have multiple implementations to hook in to the keychain available on the system.

sylerner · June 22, 2018, 5:26pm

OK - I posted a $50 bounty to have all passwords on a KDE Linux system stored in a keyring (probably KDE Wallet, but not a requirement).

Hopefully someone will notice and give it a go.

Thanks!

JonMikelV · June 22, 2018, 5:34pm

Thanks for kicking that off!

I’ve updated the issue to include that it now has a bounty.

sylerner · June 22, 2018, 5:36pm

My comment (currently at the end) indicated that this was for moving all passwords to a keychain. Does the title need to be updated to indicate that too?

Thanks.

JonMikelV · June 22, 2018, 5:38pm

Since it’s @kenkendk’s issue I’ll let him decide how that should be (I don’t actually know much about the topic so wouldn’t want to “mis-speak” in the title).

drakar2007 · June 22, 2018, 6:57pm

In the mean time, wouldn’t at least doing fake encryption (i.e. duplicati-internal obfuscation) on the password be a better short-term solution than storing it in plaintext? This would at least guard it from accidental discovery etc, and would require specific and targeted knowledge to take advantage of.

saviodsouza · June 23, 2018, 9:25am

When I browse this file with sqlite browser it asks me for a password. Is there a default password

sylerner · June 26, 2018, 2:18am

Not on Linux. But I think I read - but I’m not sure - that there is a password on Windows.

JonMikelV · June 26, 2018, 4:19am

Yes, the Windows (only) database is RC4 “encrypted” but I’m not sure what the password is.

kenkendk · June 26, 2018, 6:44am

True. The RC4 scrambling feature is only available in the Windows version.

Yes, the default password is Duplicati_Key_42:

github.com

duplicati/duplicati/blob/master/Duplicati/Server/Program.cs#L517


      
              // Setup the log redirect

              Library.Logging.Log.StartScope(LogHandler, null);

          

              if (commandlineOptions.ContainsKey("log-file"))

              {

                  var loglevel = Library.Logging.LogMessageType.Error;

          

                  if (commandlineOptions.ContainsKey("log-level"))

                      Enum.TryParse(commandlineOptions["log-level"], true, out loglevel);

          

                  LogHandler.SetServerFile(commandlineOptions["log-file"], loglevel);

              }

          }

          

          private static int ShowHelp(bool writeConsole)

          {

              if (writeConsole)

              {

                  Console.WriteLine(Strings.Program.HelpDisplayDialog);

          

                  foreach (Library.Interface.ICommandLineArgument arg in SupportedCommands)

Yes, that was the idea with the RC4 encryption. It is not strong, and has a known password, but at least you cannot do string scanning on the harddisk to find the contents.

I am not aware of any plug-n-play solutions for Linux, so we would need to identify all the ways and places a password can be stored, and then handle each field with manual obfuscation/de-obfuscation.

Since the same work is required for the keychain integration, I think it would make sense to have a “fallback keychain”, that is an internal Duplicati keychain with a known password (similar to how the RC4 stuff works on Windows). We can implement this first, and then it should be easier to “plug-in” the real keychain implementations later.

John_Smith · January 22, 2019, 2:12am

So far this is the only drawback to Duplicati I’ve seen. To be fair I don’t know how other backup solutions deal with password storage. My workaround is to use the portable installation mode which moves the AppData folder inside the main program folder, then move that to a VeraCrypt volume. I use Smart Retention, a 3hr setting and an autorun.inf to run Duplicati when the volume opens. It should start missed backups as soon as it starts. Here’s a post with some links at SE: https://softwarerecs.stackexchange.com/a/55070/30586