[Grok-dev] Setting the admin password

Uli Fouquet uli at gnufix.de
Fri Jan 9 08:18:25 EST 2009


Hi there,

there is still an open issue in the bugtracker concerning the encryption
and setting of admin passwords for grokprojects (see
https://bugs.launchpad.net/grok/+bug/160196).

The security problem here is that passwords are stored as plain text in
buildout.cfg/site.zcml. It would be a minor change to store the password
SHA1-encrypted. This would be step one.

But, as Martijn already stated, we might also need a solution then that
allows admins to set/change the password afterwards, maybe similar to
the Zope2 ``zpasswd`` utility, because the encryption works one-way only
and it needs (hopefully) brute force to recover the plain text password
from the encrypted form.

For now I think a separate commandline tool (possibly called ``zpasswd``
as well) would help, that could be used like so::

  MyGrokproject $ ./bin/zpasswd mgr
  Setting password for mgr
  Enter new password: 
  Retype new password:
  Password set. Restart your instance to make it active.

This functionality might also be provided as an external recipe.

I would like to collect your ideas and suggestions in that matter, so,
what do you think?

Best regards,

-- 
Uli
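As an added example (not code from the post or the Grok project), here is a minimal ``zpasswd``-style script in Python that implements the flow sketched above: prompt twice, hash the password, and write the hash into the ``<principal>`` element of ``site.zcml`` instead of the plain text. It assumes Zope's ``{SHA}`` prefix followed by the hex digest as the stored form, a ``password_manager="SHA1"`` attribute on the principal element, and ``parts/etc/site.zcml`` as the file path; the sample ZCML is constructed for the example.

```python
import getpass
import hashlib
import hmac
import re
import sys

# Constructed sample site.zcml with a plain-text password (the problem described).
SAMPLE_ZCML = '''<configure xmlns="http://namespaces.zope.org/zope">
  <principal id="zope.manager" title="Manager"
             login="mgr" password="plaintext-example" />
  <principal id="zope.other" title="Other" login="other" password="other-pw" />
</configure>
'''

def encode_sha1(password):
    """Unsalted SHA1 as proposed in the post, in the assumed '{SHA}<hexdigest>' form.
    A salted, slow hash would resist offline guessing far better; this mirrors the proposal."""
    return "{SHA}" + hashlib.sha1(password.encode("utf-8")).hexdigest()

def verify_password(encoded, password):
    """Constant-time comparison of a candidate password against the stored form."""
    return hmac.compare_digest(encoded, encode_sha1(password))

def update_zcml(text, login, encoded):
    """Replace the password attribute of the <principal> whose login matches."""
    hits = []
    def repl(match):
        elem = match.group(0)
        if re.search(r'\blogin="%s"' % re.escape(login), elem) is None:
            return elem  # a different principal: leave untouched
        elem, n = re.subn(r'\bpassword="[^"]*"', 'password="%s"' % encoded, elem, count=1)
        if n and 'password_manager=' not in elem:  # assumed attribute name
            elem = elem.replace('password=', 'password_manager="SHA1" password=', 1)
        hits.append(n)
        return elem
    new_text = re.sub(r'<principal\b[^>]*>', repl, text)
    if not hits or not hits[0]:
        raise ValueError("no <principal> with login %r and a password attribute" % login)
    return new_text

def main(argv, path="parts/etc/site.zcml"):  # path is an assumption
    if len(argv) != 2:
        print("usage: zpasswd <login>"); return 2
    login = argv[1]
    print("Setting password for %s" % login)
    first, second = getpass.getpass("Enter new password: "), getpass.getpass("Retype new password: ")
    if first != second:
        print("Passwords do not match."); return 1
    with open(path) as f:
        text = update_zcml(f.read(), login, encode_sha1(first))
    with open(path, "w") as f:
        f.write(text)
    print("Password set. Restart your instance to make it active.")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```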
