bulletmark / dyndns

Small, simple, and generic dynamic DNS client

username and password appear in journals #3

Closed shelleycat485 closed 5 months ago

shelleycat485 commented 5 months ago

Rpi3b, bookworm. Client works fine. This is only minor, but the username and password are in plain text in the config file. They also appear in the journalctl files and the systemctl status dyndns output. Perhaps these could be blanked, or the default logging not show all of this. These can both be seen by user pi, who is allowed sudo so it is not a big deal. For noip.com these are the username/password of the account; you can have 2FA on top of that but it seems a weakness.

bulletmark commented 5 months ago

You have posted a rather sensationalist title here where you really mean the username and password of the dyndns service you are using specify it in the URL and that URL obviously must be quoted in the config file and is currently logged. Note in discussion #2 which you raised at the same time as this issue, you said the URL you have configured is http://rusername:password@dynupdate.no-ip.com/nic/update?hostname=milo2atthestables.ddns.net&myip='

Do you realize that since you are using http (not https) then your user + password is actually being pasted verbatim (with the URL) on the internet?! How securely it is stored on your own personal PC is thus almost a complete non-issue compared to that!

How well it is viewable in the config file is up to yourself so long as you set appropriate read permission on that file. Obviously root/sudo can view it but they can do anything on Linux systems.

I could suppress the logging of the URL in the journal but I just think it is too pedantic worrying about this. The logging is very handy when debugging setup of these services.

shelleycat485 commented 5 months ago

Hi, Didn't mean to be sensationalist, sorry it came across that way. Yes it's the username and password of the dynamic dns service. Thank you for spotting the https. I have not tried that yet, I only got it working last night. I looked at the code and will probably put a logging switch on the service, set to off for the url by default. FYI, I am exploring another effect. It seems to be polling every 10 minutes in my case. Not sure why, I see there is a no change test in the code. I will check that further. Again only seen last night over an hour or so. Best wishes RH

bulletmark commented 5 months ago

I edited your post above to remove all the junk left in it from your email.

You say "It seems to be polling every 10 minutes in my case". Please read the documentation where it very clearly states how this thing works and what the 10 mins is.

shelleycat485 commented 5 months ago

I've got a version now which masks the username:password of the dynamic dns service provider by default but selected with a command switch, so the log file entries are masked. I'll try to put in a pull request if you are happy to accept/review a contribution. If you don't want to bother, fine.

(The 10 minute repeated update issue was my configuration foul up, I'd said I was only just trying it. For NoIp.com, a good response can be nochg as well. No fault found.)

bulletmark commented 5 months ago

No, I very likely would not accept such a PR because IMHO it is a silly solution and compromises your own debugging. Normal users are not allowed to view the system journal, only "admin" users configured with journal view privilege. So you are worried those other admin users on your system viewing your dyndns user+pw? Then change your systemd service to a user service (and ensure you enable linger for your user). That is absolutely trivial to do and then only you and root can see those logs.

shelleycat485 commented 5 months ago

Ok

[edited to remove junk - bulletmark].
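
An added example, not code from the dyndns project or from the masked version mentioned in this thread: one way to mask the `user:password@` part of an update URL before it reaches the journal, together with a check for the plain-http case raised above. The function and class names, the logger name and the sample URL are all assumptions constructed for illustration.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# scheme://userinfo@ inside free text; userinfo ends at the last '@' before '/', '?', '#'.
USERINFO_RE = re.compile(r'(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)[^/?#\s]+@')

def redact_url(url: str) -> str:
    """Replace the user:password part of a URL with '***', keeping host and query."""
    parts = urlsplit(url)
    if '@' not in parts.netloc:
        return url
    hostport = parts.netloc.rpartition('@')[2]
    return urlunsplit(parts._replace(netloc='***@' + hostport))

def redact_text(text: str) -> str:
    """Mask userinfo in every URL found in a log line."""
    return USERINFO_RE.sub(r'\g<scheme>***@', text)

def credentials_sent_in_clear(url: str) -> bool:
    """True when a URL carries userinfo over plain http."""
    parts = urlsplit(url)
    return parts.scheme.lower() == 'http' and '@' in parts.netloc

class RedactUserinfo(logging.Filter):
    """Logging filter: format the record, then mask URL credentials in it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = None  # message is already formatted
        return True

if __name__ == '__main__':
    # Constructed sample URL, not a real account or host.
    url = 'http://user:s3cret@dynupdate.example.com/nic/update?hostname=host.example.net&myip='
    log = logging.getLogger('dyndns-example')
    handler = logging.StreamHandler()
    handler.addFilter(RedactUserinfo())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    if credentials_sent_in_clear(url):
        log.warning('credentials would cross the network unencrypted: %s', url)
    log.info('updating via %s', url)
```

Attaching the filter to the handler keeps the full URL available in memory for the request itself while only the emitted log line is masked.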