Default Blank Password for SSH Client


#1

According to the documentation there is a password of zoomus123 as the default password, but in production the default setting is applying a blank password “as the global setting”.

Regardless of the insecurities surrounding a documented password or blank, I feel it's best to have a password set globally as zoomus123.

Or if you want added security, you give each integrator utilizing and building applications on the SSH client a unique backdoor password to ask the SSH client to fetch a uniquely generated SSH password that each account gets. The end users will see in plain text when logged in what their global Zoom Room password is. An integrator gets a backdoor to see this password by passing their unique password to you to get this password.

This way bad actors can't just type blank or zoomus123 by default to control camera equipment by calling themselves and accepting the calls on both ends. It secures things up dramatically by adopting this approach of giving a small backdoor password to the good actors (the integrators). If the integrators don't choose to use this backdoor to get the account SSH password, then they merely instruct their customers to get their “global password” and configure it for their connection tools.


#2

Allowing a blank empty string is an issue. I entered a bug report into JIRA:

ZOOM-38278: ZAAPI: Disallow blank password

For the proposed change, the ZR-CSAPI will reject a blank password, even if that is what is set in the web portal.

Until then, I added a clarification to the overview guide:

https://zoom.github.io/zoom-rooms-csapi/index.html

It now says:

Currently, when you turn on the ZR-CSAPI functionality, the default password is blank (the empty string). Please immediately change the password to a non-empty string.

It is possible to use the location configuration feature on the Zoom Portal to place a number of Zoom Rooms in a Location, then change the settings for all Zoom Rooms in the same location at once. Online instructions for setting up locations are here: https://support.zoom.us/hc/en-us/articles/115000342983-Zoom-Rooms-Location-Hierarchy
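The rule proposed in the post above (the ZR-CSAPI refusing a blank password even when the portal stores one) is small enough to show as code. The block below is an added example written for this page, not Zoom's code and not part of the ZR-CSAPI: it checks a password against that rule plus the documented default from this thread, and audits a constructed list of room settings grouped by Location so an admin can see which location-level setting to change once. The `RoomSetting` shape and the 12-character minimum are assumptions for the example, not anything Zoom specifies.

```python
from collections import defaultdict
from dataclasses import dataclass

# Values taken from this thread: the documented default, and the fact that
# production ships a blank (empty-string) password as the global setting.
DOCUMENTED_DEFAULT = "zoomus123"
# Assumed local policy for the example; the thread states no minimum length.
MIN_LENGTH = 12


@dataclass(frozen=True)
class RoomSetting:
    """One Zoom Room's ZR-CSAPI setting as an admin might export it (hypothetical shape)."""
    name: str
    location: str
    csapi_password: str


def password_problems(password: str) -> list[str]:
    """Return the policy violations for a ZR-CSAPI password; [] means acceptable.

    The blank check comes first because that is the bug in the thread; a
    whitespace-only string is treated as blank too, since it would look blank
    to an operator reading it back from the portal.
    """
    if password.strip() == "":
        return ["blank"]
    problems = []
    if password == DOCUMENTED_DEFAULT:
        problems.append("documented default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    return problems


def validate_portal_setting(password: str) -> str:
    """Mimic the proposed ZR-CSAPI behaviour: reject a blank password, otherwise accept it."""
    if "blank" in password_problems(password):
        raise ValueError("ZR-CSAPI password must be a non-empty string")
    return password


def audit_rooms(rooms: list[RoomSetting]) -> dict[str, dict[str, list[str]]]:
    """Map Location -> {room name -> problems} for every room that fails the policy."""
    report: dict[str, dict[str, list[str]]] = defaultdict(dict)
    for room in rooms:
        problems = password_problems(room.csapi_password)
        if problems:
            report[room.location][room.name] = problems
    return dict(report)


# Constructed sample inventory for the example, not real Zoom data.
SAMPLE_ROOMS = [
    RoomSetting("HQ-Boardroom", "HQ", ""),             # production default: blank
    RoomSetting("HQ-Huddle-1", "HQ", "zoomus123"),     # documented default
    RoomSetting("HQ-Huddle-2", "HQ", "Xy7#v9Lq2!mR"),  # acceptable under the assumed policy
    RoomSetting("Branch-Main", "Branch", "   "),       # whitespace-only, treated as blank
]

if __name__ == "__main__":
    for location, rooms in audit_rooms(SAMPLE_ROOMS).items():
        print(f"Location {location}: {len(rooms)} room(s) need a new ZR-CSAPI password")
        for name, problems in rooms.items():
            print(f"  {name}: {', '.join(problems)}")
```

Grouping the report by Location matches the workflow later in this thread: one location-level change fixes every room listed under that location.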


#3

Cool Scott, thanks. So is it your understanding that the customer workflow should be to go to each room and assign a unique password on a per-room basis and then match up the password to the integrator's setup pages where you would enter a username/password for the SSH? Or is there a tested way to group all locations of rooms and set the password once? It seems kind of daunting on 500 rooms to set a password that many times from a web GUI, which was why I was wanting the default of zoomus123 to be propagated by default so that at least a default password is set and not open to all who haven't searched the internet for default passwords.


#4

Dave: Here’s the workflow we envision:

  • The customer IT admin puts all Zoom Rooms in a single Location, then sets the SSH password for that location, which sets the SSH password on all of those Zoom Rooms simultaneously, with just one click.

  • Then, the customer IT admin provides the SSH password to the integrator, so the integrator can use the SSH password to set up the controller gear.