Writing

Feed Software, technology, sysadmin war stories, and more.

Monday, October 24, 2011

Some passwords really are obvious

This is another tale from my days working tech support. One of the front-line techs sat behind me and off to the side. It was relatively quiet one night, so there were few calls going on. He had a caller on the line, and he was in a bit of trouble trying to help them out.

From what I could gather, this person's web site was down. Apparently this was one of our repeat offenders who would get behind on payments. We would restart the web server but anything else was out of the question. He was trying to bring it back up with the usual "service httpd restart" but was being confronted by a password question. It seemed the customer did not know what to put in.

I figured this was a worthy challenge and walked over to his desk. There, I was able to shoulder-surf the computer number off his monitor. Back at my desk, I pulled up the login details and jumped on. I got the same prompt from Apache. It was asking about the passphrase for a SSL key. It looked something like this:

Enter passphrase for www.doctorsomethingorother.tld:

I forget the exact domain name (and I wouldn't put it here anyway), but it did have "doctor" in it. It was part of the actual company name, for that matter. I figured, what the heck.

I typed "doctor". The site came up.

A quick message Jabbered over to my friend the front-line tech told him what was up and what to tell the customer. Somehow, he wound up sending the call over to me anyway, so I got to explain it directly. My half of the conversation sounded a little like this:

"Right, it was asking for a password."

"I guessed 'doctor' and it was right."

"Why don't we just remove this so your web server can just restart? If you don't need it, it will save you a lot of trouble in the future."

Our customer went for that last part about stripping the private key's passphrase and that was that. The weekly log rotation stopped killing her web site as a result.

I still don't know why our front-line tech didn't guess that one first.