[Grok-dev] Setting the admin password
Uli Fouquet
uli at gnufix.de
Fri Jan 9 08:18:25 EST 2009
Hi there,
there is still an open issue in the bugtracker concerning the encryption
and setting of admin passwords for grokprojects (see
https://bugs.launchpad.net/grok/+bug/160196).
The security problem here is that passwords are stored as plain text in
buildout.cfg/site.zcml. It would be a minor change to store the password
SHA1-encrypted. This would be step one.
But, as Martijn already stated, we might also need a solution then that
allows admins to set/change the password afterwards, maybe similar to
the Zope2 ``zpasswd`` utility, because the encryption works one-way only
and it needs (hopefully) brute force to recover the plain text password
from the encrypted form.
For now I think a separate commandline tool (possibly called ``zpasswd``
as well) would help, which could be used like so::
MyGrokproject $ ./bin/zpasswd mgr
Setting password for mgr
Enter new password:
Retype new password:
Password set. Restart your instance to make it active.
This functionality might also be provided as an external recipe.
I would like to collect your ideas and suggestions in that matter, so,
what do you think?
Best regards,
--
Uli
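A minimal prototype of the ``zpasswd`` tool sketched in the post above, added here as an illustration; it is not code from the Grok project or from the post's author. It assumes the stored form is Zope's ``{SHA}`` marker followed by the base64 of the SHA1 digest (the post only says "SHA1-encrypted"), that the password lives in a ``password="..."`` attribute on a ``<principal>`` element in site.zcml, and that a principal is selected by its ``login`` attribute; the ``SAMPLE_SITE_ZCML`` text is constructed for the example. Prompts are read with ``getpass`` so the password never echoes, the retype must match, and verification re-hashes the candidate and compares it against the stored value, which is why the original can only be replaced, not recovered.

```python
import base64
import getpass
import hashlib
import hmac
import re
import sys

# Constructed stand-in for a grokproject site.zcml (not a real project file).
SAMPLE_SITE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope">
  <principal id="myproject.manager" title="Manager"
             login="mgr" password="secret" />
</configure>
"""


def encode_password(plain: str) -> str:
    """One-way form: "{SHA}" + base64(sha1(password)).

    The "{SHA}" prefix and base64 layout are an assumption; the post only
    proposes storing the password SHA1-hashed instead of in plain text.
    """
    digest = hashlib.sha1(plain.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(plain: str, stored: str) -> bool:
    """Verify a candidate by re-encoding it; the stored hash is never reversed.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(encode_password(plain), stored)


def read_new_password(ask=getpass.getpass) -> str:
    """Prompt twice without echo and refuse mismatched or empty input.

    `ask` is injectable so the flow can be driven without a terminal.
    """
    first = ask("Enter new password: ")
    second = ask("Retype new password: ")
    if first != second:
        raise ValueError("passwords do not match")
    if not first:
        raise ValueError("empty password refused")
    return first


PRINCIPAL_TAG = re.compile(r"<principal\b[^>]*>", re.DOTALL)
PASSWORD_ATTR = re.compile(r'password="[^"]*"')


def set_principal_password(zcml: str, login: str, stored: str) -> str:
    """Return the ZCML text with the password attribute of the principal
    whose login="..." matches replaced by `stored` (hashed form).

    Exactly one matching principal is required so a typo in the login
    cannot silently leave the plain text password in place.
    """
    hits = 0

    def rewrite(match: "re.Match[str]") -> str:
        nonlocal hits
        tag = match.group(0)
        if f'login="{login}"' not in tag:
            return tag
        if not PASSWORD_ATTR.search(tag):
            raise ValueError(f"principal {login!r} has no password attribute")
        hits += 1
        # Callable replacement: the stored value is inserted literally.
        return PASSWORD_ATTR.sub(lambda _m: f'password="{stored}"', tag, count=1)

    result = PRINCIPAL_TAG.sub(rewrite, zcml)
    if hits != 1:
        raise ValueError(f"expected one principal with login {login!r}, found {hits}")
    return result


def main(argv: list) -> int:
    """Usage: zpasswd LOGIN [SITE_ZCML]; without a path the sample text is used."""
    if len(argv) not in (2, 3):
        print("usage: zpasswd LOGIN [path/to/site.zcml]", file=sys.stderr)
        return 2
    login = argv[1]
    path = argv[2] if len(argv) == 3 else None
    print(f"Setting password for {login}")
    stored = encode_password(read_new_password())
    if path is None:
        print(set_principal_password(SAMPLE_SITE_ZCML, login, stored))
    else:
        with open(path, encoding="utf-8") as fh:
            updated = set_principal_password(fh.read(), login, stored)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    print("Password set. Restart your instance to make it active.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as ``python zpasswd.py mgr path/to/site.zcml`` to rewrite a file in place, or without the path to see the rewritten sample text. Note that an unsalted SHA1 of a short password is still cheap to brute force offline, which is the "hopefully" in the post; the one-way form only removes the plain text from buildout.cfg/site.zcml.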