[Grok-dev] Setting the admin password
uli at gnufix.de
Fri Jan 9 08:18:25 EST 2009
There is still an open issue in the bugtracker concerning the encryption
and setting of admin passwords for grokprojects (see
The security problem here is that passwords are stored as plain text in
buildout.cfg/site.zcml. It would be a minor change to store the password
SHA1-encrypted. This would be step one.
But, as Martijn already stated, we might also need a solution then that
allows admins to set/change the password afterwards, maybe similar to
the Zope2 ``zpasswd`` utility, because the encryption works one-way only
and it needs (hopefully) brute force to recover the plain text password
from the encrypted form.
For now I think a separate command-line tool (possibly called ``zpasswd``
as well) would help, that could be used like so::

    MyGrokproject $ ./bin/zpasswd mgr
    Setting password for mgr
    Enter new password:
    Retype new password:
    Password set. Restart your instance to make it active.

This functionality might also be provided as an external recipe.
I would like to collect your ideas and suggestions in that matter, so,
what do you think?
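A sketch of the kind of ``zpasswd`` tool proposed in the message above, as an added example that is not part of the original post and not Grok's own code. It stores a salted SHA-1 hash in the LDAP ``{SSHA}`` layout rather than the bare SHA1 the message mentions. Assumptions: the ``password_manager`` attribute and a manager named "SSHA" are available in the instance, the ZCML sample is constructed, and the script arguments are hypothetical.

```python
import base64, getpass, hashlib, hmac, os, re, sys

def encode_ssha(password, salt=None):
    # {SSHA} layout: base64(SHA1(password + salt) + salt), random salt per password.
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(encoded, password):
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

def set_password(zcml, login, encoded):
    # Swap the password attributes on the <principal> whose login matches.
    hits = []
    def fix(match):
        tag = match.group(0)
        if not re.search(r'\slogin="%s"' % re.escape(login), tag):
            return tag
        hits.append(login)
        tag = re.sub(r'\s+password(_manager)?="[^"]*"', "", tag)
        # Assumption: the instance accepts a password manager named "SSHA".
        return '%s password_manager="SSHA" password="%s" />' % (
            tag[:-2].rstrip(), encoded)
    new = re.sub(r"<principal\b[^>]*?/>", fix, zcml, flags=re.S)
    if not hits:
        raise KeyError("no principal with login %r" % login)
    return new

# Constructed sample of a plain-text principal entry in site.zcml.
SAMPLE = """<configure xmlns="http://namespaces.zope.org/zope">
  <principal id="zope.manager" title="Manager"
             login="mgr" password_manager="Plain Text" password="secret" />
</configure>
"""

if __name__ == "__main__":
    login, path = sys.argv[1], sys.argv[2]  # e.g. mgr etc/site.zcml (hypothetical path)
    first = getpass.getpass("Enter new password: ")
    if first != getpass.getpass("Retype new password: "):
        sys.exit("Passwords do not match.")
    with open(path) as f:
        updated = set_password(f.read(), login, encode_ssha(first))
    with open(path, "w") as f:
        f.write(updated)
    print("Password set. Restart your instance to make it active.")
```

Because the salt is random, two runs with the same password produce different stored values, so identical passwords are not visible from the configuration file.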