  1. #1
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141

    Support asking for credentials?

    I recently contacted support. I got a fast response but they want me to create an admin user for them to log on with. I find this practice really strange, especially since Untangle has a setting for allowing secure access for support.

    Is this just a case that your internal tools haven't been updated and it's just easier for the support team to log on via admin credentials? For all I know it might have been a MITM phishing attack.

    Also if this is normal practice I think you should add some sort of encrypted means of sending these credentials. I might sound paranoid, but you never know.

    edit:
    Oh, I might add I contacted via e-mail and not phone, but perhaps most people contact via phone? But even then I don't feel comfortable. If a dishonest worker takes this knowledge home with him and decides to have fun. If it is just via your internal tools, at least it's logged and audited.
    Last edited by arndawg; 09-29-2010 at 08:41 AM.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514


    Yes this is normal.

    Support wants to use the GUI interface. The mechanism you're referring to is only a test console.

    And the delivery mechanism for that admin user doesn't need to be secure. Just delete the user when they are done.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,022


    What sky-knight said, secure access to the box is restricted inside Untangle. So when the front-line support need access they ask you to create a login for them so that they can see what your settings are.

    If this makes you uncomfortable, give them a call and they can set up a remote viewing session where you can type in the username and password.

    And yes, you're being paranoid
    m.
    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.
    It often helps troubleshooting if you have a good network map. Look here (http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html) if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141


    Quote Originally Posted by mrunkel View Post

    And yes, you're being paranoid

    It's probably just the meth.

    No worries, I've sent them the information. However, I still think this is not optimal practice. If Microsoft, Cisco or whoever did this there would be headlines no doubt.

  5. #5
    Untangle Ninja proactivens's Avatar
    Join Date
    Sep 2008
    Location
    Greensburg, Pa
    Posts
    2,362


    What are the alternatives? Build in a back door which could be a potential vulnerability in the future?
    www.nexgenappliances.com
    Toll Free: 866-794-8879
    UNTANGLE STAR PARTNER
    Follow us at spiceworks!

  6. #6
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186


    Quote Originally Posted by proactivens View Post
    What are the alternatives? Build in a back door which could be a potential vulnerability in the future?
    Like the Secure Access option that's already built in?
    Or do you mean, say, an admin account already created but inactive unless the option is selected?

  7. #7
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141


    Quote Originally Posted by proactivens View Post
    What are the alternatives? Build in a back door which could be a potential vulnerability in the future?
    Why so hostile? How about this: on Untangle servers support creates a session token. I paste that into a function in Untangle and connect to the servers, ready for remote control.
    Last edited by arndawg; 09-29-2010 at 10:22 AM.

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Quote Originally Posted by arndawg View Post
    Why so hostile? How about this: on your servers you create a session token. I paste that into a function in Untangle and connect to the servers, ready for remote control.
    There is a function in config->system->support that will allow us complete remote access to the server. Realize that most paying customers turn this on and leave it on.
    As such, we have many security precautions with who can access the support system and how. For the support guys trying to help you, this process requires escalation and takes more time. They probably just need access to the GUI anyway, so that's probably why they're asking for you to make them a login (so you can delete it when it pleases you).

    You are free to say no.

  9. #9
    Master Untangler
    Join Date
    Oct 2008
    Posts
    141


    "this process requires escalation and takes more time." Well, for me it sounds like it's a better solution to make it less of a hassle for the support guys getting access to this, rather than asking the customer for credentials. At least then their access is in a controlled manner.

    E.g. a MITM attack (for e-mail) and a dishonest worker being able to use it without your company properly logging it.

    Anyway, I've created a user for support and sent them the credentials. I made this thread mainly because this has never happened to me before when contacting support for other products, so I just wanted to make sure I wasn't doing something stupid. You are free not to give a shit about my suggestion, but now it's out there and I think it's a valid point.

  10. #10
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,372


    From my perspective it's a "combo".
    If you trust in the product, you must trust in their staff, like a bank, health care, or education institute.
    The world is divided into 10 kinds of people, who know binary and those not
