Don’t display private key on admin screen

When I want to save my backups to another server with SSH, I have to put my private key into a field on the WordPress admin. It is visible to any admin on the site. Please do not display the private key this way! Also, is the key apparently saved in clear text in the database? I hope not.


6 Comments

  1. udadmin

    Hi,

    Peter, if the key is not saved in the database, where will it be saved? From experience of this question, I’ve found that some users don’t understand how encryption works. They believe that credentials can be saved “encrypted” in the database. Well, they can… but then, of course, you need to save the decryption key somewhere. If you save that in the database, then the situation is exactly the same.

    Admins, of course, have full read access to the WordPress database. If you have untrusted admins, then they can do anything they like to your site, using various mechanisms (e.g. install a new malicious plugin that they or their agent created). The only real solution to the problem of “I have untrusted admins” is to get rid of them. However, for users who for any reason cannot, or will not, do that, we also provide a mechanism to lock access to UpdraftPlus settings: https://updraftplus.com/shop/lockadmin/

    David

  2. peter.mumford

    David, when I enter my password on the WordPress admin, after saving, I don’t see that password again, ever. I can’t see it in the database either, although I can see the password hash.

    As admin, I have control over other users’ accounts. I can see everything—except their password. I can reset their password, but I can’t see it in plain text. I think a PRIVATE SSH KEY should have at least the same security protection as a password.

    You probably trust your co-workers. But are you happy to share your private key with them? It seems fundamental to security that private keys, like passwords, should never be shared.

    • udadmin

      Hi Peter,

      WordPress can one-way hash login passwords because it can also one-way hash the password you type in on the login form, and compare the two hashes.

      But, one-way hashing a private key will not allow you to log in to the SSH server, because that’s not how RSA symmetric key cryptography works. (Hashing and encryption are two fundamentally different things). You need the pristine private key in order to answer the server’s challenges. A server won’t accept just a hash.

      David
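
The difference described in the reply above, as an added example (not part of the original comments and not UpdraftPlus or WordPress code): a typed password can be checked against a stored one-way hash, but a signature challenge can only be answered with the private key itself. It assumes PBKDF2 as a stand-in for WordPress's password hashing and toy textbook RSA over two constructed small primes as a stand-in for SSH key authentication; all function names are hypothetical.

```python
import hashlib, hmac, os, secrets

# --- Password login: the site stores only a salted one-way hash ---
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_login(typed: str, salt: bytes, stored: bytes) -> bool:
    # Re-hash what was typed and compare hashes; the plaintext is never stored.
    return hmac.compare_digest(hash_password(typed, salt), stored)

# --- Key login: toy textbook RSA (constructed parameters, no padding) ---
P, Q, E = 2**31 - 1, 2**61 - 1, 65537   # two Mersenne primes, far too small for real use
N = P * Q                                # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: the secret the client must hold

def digest_int(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N

def sign(challenge: bytes, exponent: int) -> int:
    return pow(digest_int(challenge), exponent, N)

def server_accepts(challenge: bytes, signature: int) -> bool:
    # The server knows only the public key (N, E) and checks the signature.
    return pow(signature, E, N) == digest_int(challenge)

def demo():
    salt = os.urandom(16)
    stored = hash_password("correct horse", salt)
    password_ok = check_login("correct horse", salt, stored)

    challenge = secrets.token_bytes(32)  # fresh random challenge per login
    with_key = server_accepts(challenge, sign(challenge, D))

    # If only a hash of the key had been stored, it is just an unrelated number:
    hashed_key = int.from_bytes(hashlib.sha256(str(D).encode()).digest(), "big")
    with_hash = server_accepts(challenge, sign(challenge, hashed_key))
    return password_ok, with_key, with_hash

if __name__ == "__main__":
    print(demo())
```
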
