What method is used to protect and encrypt passwords in Splunk? For example, the "Users" passwords (when Local type of accounts are used).
Is there a way for a root user of the Splunk server to reverse the passwords to plain text?
There is no way for the root user to reverse the passwords. However, someone with access to $SPLUNK_HOME/etc/passwd could edit the file with a text editor, removing users altogether. If all users are removed (usually by renaming the passwd file) then the default Splunk login becomes whatever was specified in user-seed.conf. This is usually user: admin and password: changeme.
I believe that the actual encryption is based on the Unix crypt(3) routine, which is a one-way hash function based upon a modified DES algorithm. But I could be wrong...
You can see the information on the algorithms used in etc/passwd in etc/system/README/authentication.conf.spec and etc/system/default/authentication.conf.
At the time of this answer (5.0.x), Splunk was using MD5 with a large number of rounds. Currently we are using SHA512.
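To see which scheme each local account's stored hash uses, the sketch below classifies every hash by its crypt(3)-style `$id$` prefix and flags anything that is not a recognised strong scheme. It is an added example, not code from the answers or from Splunk. It assumes that passwd entries are colon-separated and that the hash is stored in modular crypt format directly after the username; the sample lines are constructed.

```python
import re

# Modular crypt format identifiers (crypt(3) convention).
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
WEAK = {"MD5-crypt"}  # schemes flagged for a password reset

# $id$ followed by an optional rounds=N$ parameter.
MCF = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?")

def classify(hash_field):
    """Return (scheme, rounds); rounds is None when the hash does not state it."""
    m = MCF.match(hash_field)
    if not m:
        return ("unknown", None)
    scheme = SCHEMES.get(m.group("id"), "unknown")
    rounds = int(m.group("rounds")) if m.group("rounds") else None
    return (scheme, rounds)

def audit(passwd_text):
    """Map each username to (scheme, rounds, needs_review)."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # Assumption: the hash is the first field starting with '$' and the
        # username is the field immediately before it.
        for i, field in enumerate(fields):
            if i > 0 and field.startswith("$"):
                scheme, rounds = classify(field)
                review = scheme in WEAK or scheme == "unknown"
                report[fields[i - 1]] = (scheme, rounds, review)
                break
    return report

# Constructed sample; salts and digests are placeholders, not real hashes.
SAMPLE = """\
:admin:$6$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST::Administrator:admin
:legacy_user:$1$CONSTRSALT$CONSTRUCTEDDIGEST::Legacy:user
:svc_report:$6$rounds=20000$CONSTRSALT$CONSTRUCTEDDIGEST::Service:user
"""

if __name__ == "__main__":
    for user, (scheme, rounds, review) in audit(SAMPLE).items():
        print(f"{user:12} {scheme:14} rounds={rounds} review={review}")
```

Run it against a copy of the file rather than the live one, and treat the copy with the same care as the original, since it still contains the password hashes.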
Is Splunk still using the same encryption today or has it changed in Splunk 7.x?