[Bug 9885] New: Passwords generated by command line scripts are weak
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Bug ID: 9885 Summary: Passwords generated by command line scripts are weak Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Command-line Utilities Assignee: gmcharlt@gmail.com Reporter: peterAtKohaBugzilla@pck.co.nz The command line scripts koha-reset-passwd and koha-create in debian/scripts generate fairly weak passwords. Staff passwords are generated as an eight-character "readable" pwgen password, as is the mysql password. The Zebra password is generated as a 12 character readable password. The eight character passwords are fairly vulnerable - see the discussion at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=276976 or the somewhat more dry discussion at http://ix.cs.uoregon.edu/~butler/pubs/password.pdf Do these passwords really need to be THAT friendly? I would suggest: - changing the zebra password and mysql passwords to 16 character "secure" passwords, ie generated with pwgen -s 16 1 - changing the patron password to a 12 character not-secure password. I'm happy to write the patch for these two files if there is consensus that it should be actioned. I have checked gitk and while I read the current debian koha-common version of the scripts (package 3.11-1~git+20130321124944.90dfa923), this does not appear to have changed in the master version. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Peter Kelly <peterAtKohaBugzilla@pck.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |peterAtKohaBugzilla@pck.co. | |nz -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de, | |robin@catalyst.net.nz -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 --- Comment #1 from Robin Sheat <robin@catalyst.net.nz> --- Yes to all of these. The zebra password is never used by a person, although it is not required to be too secure, there's also no reason not to. The mysql password is used by the admin to create the staff users (assuming a default SQL file is not provided), but in those cases it's probably looked up every time anyway. The default staff user password would be good as a 12-char non-secure, although it probably gets changed anyway. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Magnus Enger <magnus@enger.priv.no> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |magnus@enger.priv.no --- Comment #2 from Magnus Enger <magnus@enger.priv.no> --- I agree that the MySQL should be more secure. I *always* copy and paste it anyway, so the length does not really matter. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Peter Kelly <peterAtKohaBugzilla@pck.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Assignee|gmcharlt@gmail.com |peterAtKohaBugzilla@pck.co. | |nz --- Comment #3 from Peter Kelly <peterAtKohaBugzilla@pck.co.nz> --- Created attachment 16591 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=16591&action=edit Patch to address issues as proposed -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Peter Kelly <peterAtKohaBugzilla@pck.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Trivial patch Change sponsored?|--- |Sponsored -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 --- Comment #4 from Robin Sheat <robin@catalyst.net.nz> --- Just a note that as Peter works at Catalyst, I can't sign off on this. However it's a very simple patch that could be passed easily. It also affects only the packages, so while I'd like a signoff (for completeness) I'd let it past QA. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Magnus Enger <magnus@enger.priv.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |normal --- Comment #5 from Magnus Enger <magnus@enger.priv.no> --- I'd call weak passwords a bug... (Which means the patch will be eligible for inclusion in 3.12 :-). -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Magnus Enger <magnus@enger.priv.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Magnus Enger <magnus@enger.priv.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #16591|0 |1 is obsolete| | --- Comment #6 from Magnus Enger <magnus@enger.priv.no> --- Created attachment 16604 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=16604&action=edit Bug 9885 [SIGNED-OFF] Passwords generated by command line scripts are weak This changes the scripts so that: - in koha-create, the zebra password and mysql passwords are set to 16 character "secure" passwords, ie generated with pwgen -s 16 1 - the patron password is set to a 12 character "memorable" password. Signed-off-by: Magnus Enger <magnus@enger.priv.no> Looks good. I did not actually build, install and test new packages, but i did test pwgen with the new arguments and the changes make sense. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #16604|0 |1 is obsolete| | --- Comment #7 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 17069 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17069&action=edit Bug 9885 Passwords generated by command line scripts are weak This changes the scripts so that: - in koha-create, the zebra password and mysql passwords are set to 16 character "secure" passwords, ie generated with pwgen -s 16 1 - the patron password is set to a 12 character "memorable" password. Signed-off-by: Magnus Enger <magnus@enger.priv.no> Looks good. I did not actually build, install and test new packages, but i did test pwgen with the new arguments and the changes make sense. Signed-off-by: Robin Sheat <robin@catalyst.net.nz> QA signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #8 from Robin Sheat <robin@catalyst.net.nz> --- Did a build and koha-create and noted that the new passwords are indeed better. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #9 from Jared Camins-Esakov <jcamins@cpbibliography.com> --- This patch has been pushed to master. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |Pushed to Stable CC| |chris@bigballofwax.co.nz --- Comment #10 from Chris Cormack <chris@bigballofwax.co.nz> --- Pushed to 3.8.x and 3.10.x will be in 3.8.12 and 3.10.5 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9885 Magnus Enger <magnus@enger.priv.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Stable |RESOLVED Resolution|--- |FIXED --- Comment #11 from Magnus Enger <magnus@enger.priv.no> --- Works nicely on official squeeze-dev packages. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org