Bug 994751
Field | Value | Field | Value
---|---|---|---
Summary: | Beaker account passwords are stored as unsalted hashes | |
Product: | [Retired] Beaker | Reporter: | Dan Callaghan <dcallagh>
Component: | scheduler | Assignee: | Dan Callaghan <dcallagh>
Status: | CLOSED CURRENTRELEASE | QA Contact: | tools-bugs <tools-bugs>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 0.13 | CC: | aigao, asaha, dcallagh, jingwang, llim, psklenar, qwan, rmancy
Target Milestone: | 0.16 | Keywords: | FutureFeature
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Enhancement
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-03-17 03:01:27 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Dan Callaghan
2013-08-08 00:15:33 UTC
I realised we can tackle this for new installations without solving the password migration problem by offering a config option that enables a fallback option that checks for an unsalted hash. So new installations would get salted hashes by default, while existing installations could enable the option to check for unsalted hash entries in the DB.

(In reply to Nick Coghlan from comment #2)

Better yet, passlib makes it easy to support the old hashes but automatically upgrade them to new ones after a user successfully authenticates. So for existing installations, no unsalted hashes should ever be left hanging around unless the user never logs in. If a site admin is concerned about that, they can easily find old passwords using a database query and NULL them out to disable the account or reset the password.

On Gerrit: http://gerrit.beaker-project.org/2562

Beaker 0.16.0 has been released.

I guess this is a related issue: https://bugzilla.redhat.com/show_bug.cgi?id=1078790

Yes, there was an issue during the upgrade where the web service was inadvertently made available before the database update was complete and a couple of accounts attempted to log in and corrupted their password data. The affected accounts have had their passwords reset.
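The migration strategy discussed in the comments above (a config option that allows legacy unsalted hashes to be checked, transparent re-hashing with a salt on the first successful login, and a query that finds accounts still on the old format so an admin can NULL them out) is shown below as an added example. It is not Beaker's code and not the Gerrit change linked above; it uses only the Python standard library in place of passlib. The legacy format is assumed to be a bare unsalted SHA-256 hex digest (a constructed stand-in, since the bug does not say which algorithm Beaker used), the new format is PBKDF2-HMAC-SHA256 with a random per-user salt, and `allow_legacy` plays the role of the fallback config option.

```python
"""Salted password storage with on-login upgrade of legacy unsalted hashes.

Added example, not Beaker's code. Legacy entries are assumed to be unsalted
SHA-256 hex digests (constructed stand-in). New entries are serialised as
    pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """Constructed legacy scheme: unsalted SHA-256, hex encoded (the weak format)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """New scheme: PBKDF2-HMAC-SHA256 with a fresh random salt per hash."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(digest)}"


def is_legacy(stored: str) -> bool:
    """64 lowercase hex chars is the shape of an unsalted SHA-256 entry."""
    return len(stored) == 64 and all(c in "0123456789abcdef" for c in stored)


def verify_and_update(stored: str, password: str,
                      allow_legacy: bool) -> Tuple[bool, Optional[str]]:
    """Check `password` against `stored`.

    Returns (ok, replacement). `replacement` is a new salted hash that the
    caller must write back when a legacy entry matched; otherwise None.
    A legacy entry is only consulted when the fallback option is enabled.
    """
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
        return hmac.compare_digest(actual, expected), None
    if is_legacy(stored) and allow_legacy:
        ok = hmac.compare_digest(legacy_hash(password), stored)
        return ok, (hash_password(password) if ok else None)
    return False, None


class UserStore:
    """Toy in-memory account table: username -> stored hash (None = login disabled)."""

    def __init__(self, rows: Dict[str, Optional[str]], allow_legacy: bool) -> None:
        self.rows = dict(rows)
        self.allow_legacy = allow_legacy  # the "check unsalted hashes" config option

    def login(self, user: str, password: str) -> bool:
        stored = self.rows.get(user)
        if stored is None:
            return False
        ok, replacement = verify_and_update(stored, password, self.allow_legacy)
        if ok and replacement is not None:
            self.rows[user] = replacement  # upgrade happens only after a successful login
        return ok

    def has_legacy_hash(self, user: str) -> bool:
        stored = self.rows.get(user)
        return stored is not None and is_legacy(stored)

    def legacy_accounts(self) -> List[str]:
        """The 'find old passwords with a database query' step from the comments."""
        return sorted(u for u, h in self.rows.items() if h is not None and is_legacy(h))

    def disable_legacy_accounts(self) -> int:
        """NULL out remaining legacy entries so those accounts cannot log in."""
        names = self.legacy_accounts()
        for u in names:
            self.rows[u] = None
        return len(names)


if __name__ == "__main__":
    # Constructed data: an existing installation with one pre-upgrade account.
    store = UserStore({"alice": legacy_hash("correct horse")}, allow_legacy=True)
    print("before login, legacy:", store.legacy_accounts())
    print("login ok:", store.login("alice", "correct horse"))
    print("after login, legacy:", store.legacy_accounts())
```

A failed login never triggers the rewrite, so an attacker guessing at a legacy account cannot cause any state change; and with `allow_legacy=False` (the default a fresh installation would ship with) a legacy entry is simply rejected, which is the behaviour that bit the accounts in the linked bug when the service came up before the schema update had finished.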