https://live.paloaltonetworks.com/t5/general-topics/yml-file-pa-device-password-in-clear-text/m-p/73656#M99533 <P>Hi Bertrand,</P> <P>the password can't be hashed because the authentication to PAN-OS API&nbsp;requires a plain text password (over an encrypted channel). An improvement could be encrypting passwords with a configurable secret key, but if you have the rights to access the VM and read the config files it wouldn't add a lot in terms of&nbsp;security.</P> <P>&nbsp;</P> <P>Best thing is creating a PAN-OS account with limited rights dedicated to the minemeld.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>luigi</P> Fri, 26 Feb 2016 11:25:13 GMT lmori 2016-02-26T11:25:13Z https://live.paloaltonetworks.com/t5/general-topics/yml-file-pa-device-password-in-clear-text/m-p/73655#M99532 <P>Hi Luigi,</P> <P>&nbsp;</P> <P>.yml file for DagPush node in&nbsp;/opt/minemeld/local/config shows password of the device in clear text. It should be at least hashed.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>Bertrand</P> Fri, 26 Feb 2016 11:18:06 GMT https://live.paloaltonetworks.com/t5/general-topics/yml-file-pa-device-password-in-clear-text/m-p/73655#M99532 Retired Member 2016-02-26T11:18:06Z https://live.paloaltonetworks.com/t5/general-topics/yml-file-pa-device-password-in-clear-text/m-p/73656#M99533 <P>Hi Bertrand,</P> <P>the password can't be hashed because the authentication to PAN-OS API&nbsp;requires a plain text password (over an encrypted channel). An improvement could be encrypting passwords with a configurable secret key, but if you have the rights to access the VM and read the config files it wouldn't add a lot in terms of&nbsp;security.</P> <P>&nbsp;</P> <P>Best thing is creating a PAN-OS account with limited rights dedicated to the minemeld.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>luigi</P> Fri, 26 Feb 2016 11:25:13 GMT https://live.paloaltonetworks.com/t5/general-topics/yml-file-pa-device-password-in-clear-text/m-p/73656#M99533 lmori 2016-02-26T11:25:13Z