documentation for use of hashed passwords
Everything but the actual coding to support them.
master
parent
774a5f86b2
commit
4152dca09e
|
@ -16,6 +16,7 @@ perl -MCPAN -e 'install Bundle::IkiWiki::Extras'
|
||||||
|
|
||||||
=head1 CONTENTS
|
=head1 CONTENTS
|
||||||
|
|
||||||
|
Authen::Passphrase
|
||||||
RPC::XML
|
RPC::XML
|
||||||
File::MimeInfo
|
File::MimeInfo
|
||||||
Locale::gettext
|
Locale::gettext
|
||||||
|
|
|
@ -1,3 +1,13 @@
|
||||||
|
ikiwiki (2.48) unstable; urgency=low
|
||||||
|
|
||||||
|
If you allowed password based logins to your wiki, those passwords were
|
||||||
|
stored in cleartext in the userdb. To guard against exposing users'
|
||||||
|
passwords, I recommend you install the Authen::Passphrase perl module, and
|
||||||
|
then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
|
||||||
|
existing cleartext passwords with strong (blowfish) hashes.
|
||||||
|
|
||||||
|
-- Joey Hess <joeyh@debian.org> Thu, 29 May 2008 14:39:34 -0400
|
||||||
|
|
||||||
ikiwiki (2.46) unstable; urgency=low
|
ikiwiki (2.46) unstable; urgency=low
|
||||||
|
|
||||||
There were some significant template changes in ikiwiki 2.42 (and 1.33.5).
|
There were some significant template changes in ikiwiki 2.42 (and 1.33.5).
|
||||||
|
|
|
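Review bot: The 2.48 NEWS entry says passwords "were stored in cleartext", but the changelog entry in this commit makes hashing conditional ("If Authen::Passphrase is installed"), so after an upgrade without the module they are still stored that way. Suggest stating directly that without Authen::Passphrase the userdb keeps cleartext passwords, and using the same algorithm name as the changelog (Eksblowfish rather than "blowfish").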
@ -6,6 +6,15 @@ ikiwiki (2.48) UNRELEASED; urgency=low
|
||||||
explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl
|
explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl
|
||||||
5.8 needs this to avoid crashing on malformed utf-8, despite its docs
|
5.8 needs this to avoid crashing on malformed utf-8, despite its docs
|
||||||
saying it is the default.
|
saying it is the default.
|
||||||
|
* passwordauth: If Authen::Passphrase is installed, use it to store
|
||||||
|
password hashes, crypted with Eksblowfish.
|
||||||
|
* Existing cleartext passwords in the userdb will be automatically hashed
|
||||||
|
(if Authen::Passphrase is installed) the next time a user logs in.
|
||||||
|
Or `ikiwiki-transition hashpassword /path/to/srcdir` can be used to force
|
||||||
|
a conversion.
|
||||||
|
* Passwords will no longer be mailed, but instead a password reset link
|
||||||
|
mailed.
|
||||||
|
* The password_cost config setting is provided as a "more security" knob.
|
||||||
|
|
||||||
-- Joey Hess <joeyh@debian.org> Wed, 28 May 2008 03:07:37 -0400
|
-- Joey Hess <joeyh@debian.org> Wed, 28 May 2008 03:07:37 -0400
|
||||||
|
|
||||||
|
|
|
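Review bot: The item "Passwords will no longer be mailed, but instead a password reset link mailed" does not say how long the link stays valid or whether it can be used more than once, and none of the documentation touched in this commit covers it either. A mailed reset link gives access to the account to whoever reads the mail, so the passwordauth page should describe its lifetime and reuse rules.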
@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki
|
||||||
Package: ikiwiki
|
Package: ikiwiki
|
||||||
Architecture: all
|
Architecture: all
|
||||||
Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl
|
Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl
|
||||||
Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl
|
Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl
|
||||||
Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl
|
Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl
|
||||||
Conflicts: ikiwiki-plugin-table
|
Conflicts: ikiwiki-plugin-table
|
||||||
Replaces: ikiwiki-plugin-table
|
Replaces: ikiwiki-plugin-table
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# NAME
|
# NAME
|
||||||
|
|
||||||
ikiwiki-transition - transition ikiwiki pages to new syntaxes
|
ikiwiki-transition - transition ikiwiki pages to new syntaxes, etc
|
||||||
|
|
||||||
# SYNOPSIS
|
# SYNOPSIS
|
||||||
|
|
||||||
|
@ -8,12 +8,15 @@ ikiwiki-transition type ...
|
||||||
|
|
||||||
# DESCRIPTION
|
# DESCRIPTION
|
||||||
|
|
||||||
`ikiwiki-transition` aids in converting ikiwiki pages when
|
`ikiwiki-transition` aids in converting wiki pages when
|
||||||
there's a major change in ikiwiki syntax.
|
there's a major change in ikiwiki syntax. It also handles other transitions
|
||||||
|
not involving wiki pages.
|
||||||
|
|
||||||
Currently only one such transition is handled, the `prefix_directives` mode
|
# prefix_directives
|
||||||
converts the specified ikiwiki page from the old preprocessor directive
|
|
||||||
syntax, requiring a space, to the new syntax, prefixed by '!'.
|
The `prefix_directives` mode converts the specified ikiwiki page from
|
||||||
|
the old preprocessor directive syntax, requiring a space, to the new
|
||||||
|
syntax, prefixed by '!'.
|
||||||
|
|
||||||
Preprocessor directives which already use the new syntax will remain
|
Preprocessor directives which already use the new syntax will remain
|
||||||
unchanged.
|
unchanged.
|
||||||
|
@ -22,14 +25,27 @@ Note that if the page contains wiki links with spaces, which some
|
||||||
older versions of ikiwiki accepted, the prefix_directives transition will
|
older versions of ikiwiki accepted, the prefix_directives transition will
|
||||||
treat these as preprocessor directives and convert them.
|
treat these as preprocessor directives and convert them.
|
||||||
|
|
||||||
One other transition is handled, the `indexdb` mode handles converting
|
# indexdb
|
||||||
a plain text `.ikiwiki/index` file to a binary `.ikiwiki/indexdb`. In this
|
|
||||||
mode, you should specify the srcdir of the wiki as the second parameter.
|
The `indexdb` mode handles converting a plain text `.ikiwiki/index` file to
|
||||||
You do not normally need to run `ikiwiki-transition indexdb`; ikiwiki will
|
a binary `.ikiwiki/indexdb`. In this mode, you should specify the srcdir of
|
||||||
automatically run it as necessary.
|
the wiki as the second parameter. You do not normally need to run
|
||||||
|
`ikiwiki-transition indexdb`; ikiwiki will automatically run it as
|
||||||
|
necessary.
|
||||||
|
|
||||||
|
# hashpassword
|
||||||
|
|
||||||
|
The `hashpassword` mode forces any plaintext passwords stored in the
|
||||||
|
`.ikiwiki/userdb` file to be replaced with password hashes. (The
|
||||||
|
Authen::Passphrase perl module is needed to do this.) In this mode, you
|
||||||
|
should specify the srcdir of the wiki as the second parameter.
|
||||||
|
|
||||||
|
If this is not done explicitly, a user's plaintext password will be
|
||||||
|
automatically converted to a hash when a user logs in for the first time
|
||||||
|
after upgrade to ikiwiki 2.48.
|
||||||
|
|
||||||
# AUTHOR
|
# AUTHOR
|
||||||
|
|
||||||
Josh Triplett <josh@freedesktop.org>
|
Josh Triplett <josh@freedesktop.org>, Joey Hess <joey@ikiwiki.info>
|
||||||
|
|
||||||
Warning: this page is automatically made into ikiwiki-transition's man page, edit with care
|
Warning: this page is automatically made into ikiwiki-transition's man page, edit with care
|
||||||
|
|
|
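Review bot: In the new hashpassword section, the fallback paragraph ("automatically converted to a hash when a user logs in for the first time after upgrade to ikiwiki 2.48") drops the condition the changelog gives, "(if Authen::Passphrase is installed)", and does not point out that accounts which never log in again keep their cleartext password. Suggest adding both, since the second is the main reason to run the mode explicitly. It would also help to say what the mode does when the module is missing.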
@ -123,6 +123,8 @@ use IkiWiki::Setup::Standard {
|
||||||
#usedirs => 0,
|
#usedirs => 0,
|
||||||
# Simple spam prevention: require an account-creation password.
|
# Simple spam prevention: require an account-creation password.
|
||||||
#account_creation_password => "example",
|
#account_creation_password => "example",
|
||||||
|
# Cost of generating a password using Authen::Passphrase::BlowfishCrypt
|
||||||
|
#password_cost => 8,
|
||||||
# Uncomment to force ikiwiki to run with a particular umask.
|
# Uncomment to force ikiwiki to run with a particular umask.
|
||||||
#umask => 022,
|
#umask => 022,
|
||||||
# Default settings for the recentchanges page.
|
# Default settings for the recentchanges page.
|
||||||
|
|
|
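Review bot: The comment above "#password_cost => 8," reads "Cost of generating a password", but the setting governs hashing a password, not generating one. Suggest "Cost of hashing a password using Authen::Passphrase::BlowfishCrypt" and noting, as the passwordauth page in this commit does, that each step doubles the time and the maximum is 31.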
@ -30,7 +30,7 @@ perl modules using this command:
|
||||||
|
|
||||||
yum install perl-Text-Markdown perl-Mail-Sendmail perl-HTML-Scrubber \
|
yum install perl-Text-Markdown perl-Mail-Sendmail perl-HTML-Scrubber \
|
||||||
perl-XML-Simple perl-TimeDate perl-HTML-Template perl-CGI-FormBuilder \
|
perl-XML-Simple perl-TimeDate perl-HTML-Template perl-CGI-FormBuilder \
|
||||||
perl-CGI-Session perl-File-MimeInfo perl-gettext
|
perl-CGI-Session perl-File-MimeInfo perl-gettext perl-Authen-Passphrase
|
||||||
|
|
||||||
## Installing by hand
|
## Installing by hand
|
||||||
|
|
||||||
|
|
|
@ -2,16 +2,32 @@
|
||||||
[[tag type/auth]]
|
[[tag type/auth]]
|
||||||
|
|
||||||
This plugin lets ikiwiki prompt for a user name and password when logging
|
This plugin lets ikiwiki prompt for a user name and password when logging
|
||||||
into the wiki. It also handles registering users, mailing passwords, and
|
into the wiki. It also handles registering users, resetting passwords, and
|
||||||
changing passwords in the prefs page.
|
changing passwords in the prefs page.
|
||||||
|
|
||||||
It is enabled by default, but can be turned off if you want to only use
|
It is enabled by default, but can be turned off if you want to only use
|
||||||
some other form of authentication, such as [[httpauth]] or [[openid]].
|
some other form of authentication, such as [[httpauth]] or [[openid]].
|
||||||
|
|
||||||
When the `account_creation_password` configuration option is enabled with
|
When the `account_creation_password` configuration option is enabled with
|
||||||
a pass-phrase, this plugin prompts for the password when creating an
|
a password, this plugin prompts for the password when creating an
|
||||||
account as a implistic anti-spam measure.
|
account as a simplistic anti-spam measure.
|
||||||
(Some wikis edited by a particular group use an account creation password
|
(Some wikis edited by a particular group use an account creation password
|
||||||
as an "ask an existing member to get an account" system.)
|
as an "ask an existing member to get an account" system.)
|
||||||
|
|
||||||
|
## password storage
|
||||||
|
|
||||||
|
Users' passwords are stored in the `.ikiwiki/userdb` file, which needs to
|
||||||
|
be kept safe to prevent exposure of passwords. If the
|
||||||
|
[[Authen::Passphrase]] perl module is installed, only hashes of the
|
||||||
|
passwords will be stored. This is strongly recommended.
|
||||||
|
|
||||||
|
The `password_cost` configuration option can be used to make the stored
|
||||||
|
password hashes be more difficult to brute force, at the expense of also
|
||||||
|
taking more time to check a password when a user logs into the wiki. The
|
||||||
|
default value is 8, max value is (currently) 31, and each step *doubles*
|
||||||
|
the time required.
|
||||||
|
|
||||||
|
So if you're worried about your password files leaking and being cracked,
|
||||||
|
you can increase the `password_cost` and make that harder. But a better
|
||||||
|
choice might be to not deal with user passwords at all, and instead use
|
||||||
|
[[openid]]!
|
||||||
|
|
|
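Review bot: The password_cost paragraph in the new "password storage" section does not say whether raising the value affects hashes already in the userdb or only passwords set afterwards. An admin who raises it out of concern about a leak needs to know which, so suggest one sentence on it. "needs to be kept safe" could also be made concrete by naming the file permissions expected on .ikiwiki/userdb.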
@ -105,7 +105,7 @@ your web server will not run it.
|
||||||
|
|
||||||
## suid wrappers
|
## suid wrappers
|
||||||
|
|
||||||
ikiwiki --wrapper is intended to generate a wrapper program that
|
`ikiwiki --wrapper` is intended to generate a wrapper program that
|
||||||
runs ikiwiki to update a given wiki. The wrapper can in turn be made suid,
|
runs ikiwiki to update a given wiki. The wrapper can in turn be made suid,
|
||||||
for example to be used in a [[post-commit]] hook by people who cannot write
|
for example to be used in a [[post-commit]] hook by people who cannot write
|
||||||
to the html pages, etc.
|
to the html pages, etc.
|
||||||
|
@ -118,9 +118,13 @@ been no problem yet.
|
||||||
## shell exploits
|
## shell exploits
|
||||||
|
|
||||||
ikiwiki does not expose untrusted data to the shell. In fact it doesn't use
|
ikiwiki does not expose untrusted data to the shell. In fact it doesn't use
|
||||||
system() at all, and the only use of backticks is on data supplied by the
|
`system(3)` at all, and the only use of backticks is on data supplied by the
|
||||||
wiki admin and untainted filenames. And it runs with taint checks on of
|
wiki admin and untainted filenames.
|
||||||
course..
|
|
||||||
|
Ikiwiki was developed and used for a long time with perl's taint checking
|
||||||
|
turned on as a second layer of defense against shell and other exploits. Due
|
||||||
|
to a strange [bug](http://bugs.debian.org/411786) in perl, taint checking
|
||||||
|
is currently disabled for production builds of ikiwiki.
|
||||||
|
|
||||||
## cgi data security
|
## cgi data security
|
||||||
|
|
||||||
|
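Review bot: The new paragraph says taint checking "is currently disabled for production builds" without naming the release where that started, so a reader cannot tell whether the version they run still has this second layer of defense. Suggest giving the version. Separately, "system(3)" points at the C library manual page, while the sentence is about what ikiwiki's perl code calls; the perl builtin is what is meant.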
@ -141,11 +145,11 @@ file not be world readable.
|
||||||
|
|
||||||
## cgi password security
|
## cgi password security
|
||||||
|
|
||||||
Login to the wiki involves sending a password in cleartext over the net.
|
Login to the wiki using [[plugins/passwordauth]] involves sending a password
|
||||||
Cracking the password only allows editing the wiki as that user though.
|
in cleartext over the net. Cracking the password only allows editing the wiki
|
||||||
If you care, you can use https, I suppose. If you do use https either for
|
as that user though. If you care, you can use https, I suppose. If you do use
|
||||||
all of the wiki, or just the cgi access, then consider using the sslcookie
|
https either for all of the wiki, or just the cgi access, then consider using
|
||||||
option.
|
the sslcookie option. Using [[plugins/openid]] is a potentially better option.
|
||||||
|
|
||||||
## XSS holes in CGI output
|
## XSS holes in CGI output
|
||||||
|
|
||||||
|
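Review bot: The rewritten paragraph still presents https as optional ("If you care, you can use https, I suppose") in a commit whose purpose is protecting passwords. It should state that hashing in the userdb does nothing for a password sent in cleartext over the net, and give the reason [[plugins/openid]] is "potentially better", as the new "Cleartext passwords" section does.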
@ -377,3 +381,19 @@ page to be modified by a logged-in user. ([[cve CVE-2008-0165]])
|
||||||
These holes were discovered on 10 April 2008 and fixed the same day with
|
These holes were discovered on 10 April 2008 and fixed the same day with
|
||||||
the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
|
the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
|
||||||
version 1.33.5. I recommend upgrading to one of these versions.
|
version 1.33.5. I recommend upgrading to one of these versions.
|
||||||
|
|
||||||
|
## Cleartext passwords
|
||||||
|
|
||||||
|
Until version 2.48, ikiwiki stored passwords in cleartext in the `userdb`.
|
||||||
|
That risks exposing all users' passwords if the file is somehow exposed. To
|
||||||
|
pre-emtively guard against that, current versions of ikiwiki store password
|
||||||
|
hashes (using Eksblowfish).
|
||||||
|
|
||||||
|
If you use the [[plugins/passwordauth]] plugin, I recommend upgrading to
|
||||||
|
ikiwiki 2.48, installing the [[Authen::Passphrase]] perl module, and running
|
||||||
|
`ikiwiki-transition hashpassword` to replace all existing cleartext passwords
|
||||||
|
with strong blowfish hashes.
|
||||||
|
|
||||||
|
You might also consider changing to [[plugins/openid]], which does not
|
||||||
|
require ikiwiki deal with passwords at all, and does not involve users sending
|
||||||
|
passwords in cleartext over the net to log in, either.
|
||||||
|
|
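Review bot: The recommendation in the new "Cleartext passwords" section gives the command as "ikiwiki-transition hashpassword" with no srcdir, while NEWS and the man page in this commit both require it ("ikiwiki-transition hashpassword /path/to/srcdir"); suggest using the full form here too. "pre-emtively" should be "pre-emptively", and "current versions of ikiwiki store password hashes" needs the same "if Authen::Passphrase is installed" qualifier the changelog uses.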