Nextcloudpi nc configuration

kattivius · October 29, 2019, 12:41pm

Nextcloud version 16.0.5.1:
Operating system and version: nextcloudpi
Apache or nginx version (cant find out)
PHP version:PHP 7.2.24

The issue you are facing:

Is this the first time you’ve seen this error? : N

Steps to replicate it: nextcloutpi address on port:4443

nextcloutpi address on port:4443
click on nextcloud configuration gear icon
look at the results

when ooking at the nextcloud configuration screen, down at the info related to the email, the password is in clear text.
That email and password are exposed!
Is it a normal behave or some configuration issue?
In my opinion, the password should not be in clear text for a security reason.
What do I do wrong and how can I make sure that password is not visible to anyone that administer the nextcloudpi?
kind regards,
Kattivius

JimmyKater · October 29, 2019, 12:53pm

hey @kattivius

passwords are stored on your machine in clear text (config.php). so it’s gonna be presented to YOU on YOUR screen in cleartext as well.

and if you would mark the following: if you’re surfing to your ncp-webgui it will always ask you for a user and password. so you better make sure that it’s only you how’s knowing about this webui-user and it’s password. and if it’s only you then it wouldn’t matter that the pw is shown in clear text (you already know it yourself)

kattivius · October 30, 2019, 10:52am

Thanks for your answer @JummyKarter,

would this not be an issue in the event of an system hacking? (unauthorized access)

Of course not problem if I am accessing it.

More worried in the event of an unluckily unauthorized access.

PS

Please dont get me wrong. If this is how it is, I will live with it.

If there is a solution to secure that part as well, I would.

Kattivius

JimmyKater · October 30, 2019, 12:29pm

i was wondering about finding passwords in cleartext on my instance as well… but i never found anyone complaining about it.

maybe there’s no other way possible.

and

if a hacker has got him/herself into your system s/he can do whatever they want. they won’t need no passwords, then as they are inside your system, though.

kattivius · October 31, 2019, 12:58pm

Ok, Understood.

about this is perfectly true… with the exeption that they would also gain access to my external mail address (not hosted in nextcloud) since also that user name and password is exposed.

Maybe I have to research for a different and secure way to send emails to users without using my ‘personal’ mail account from a different ISP.

Thanks for all the responses JimmyKarter
Kattivius