documentation for use of hashed passwords

Everything but the actual coding to support them.
master
Joey Hess 2008-05-29 15:17:19 -04:00
parent 774a5f86b2
commit 4152dca09e
9 changed files with 101 additions and 27 deletions


@ -16,6 +16,7 @@ perl -MCPAN -e 'install Bundle::IkiWiki::Extras'
=head1 CONTENTS =head1 CONTENTS
Authen::Passphrase
RPC::XML RPC::XML
File::MimeInfo File::MimeInfo
Locale::gettext Locale::gettext

12
debian/NEWS vendored

@ -1,3 +1,13 @@
ikiwiki (2.48) unstable; urgency=low
If you allowed password based logins to your wiki, those passwords were
stored in cleartext in the userdb. To guard against exposing users'
passwords, I recommend you install the Authen::Passphrase perl module, and
then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
existing cleartext passwords with strong (blowfish) hashes.
-- Joey Hess <joeyh@debian.org> Thu, 29 May 2008 14:39:34 -0400
ikiwiki (2.46) unstable; urgency=low ikiwiki (2.46) unstable; urgency=low
There were some significant template changes in ikiwiki 2.42 (and 1.33.5). There were some significant template changes in ikiwiki 2.42 (and 1.33.5).
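Review bot: the new 2.48 entry tells admins to run `ikiwiki-transition hashpassword /path/to/srcdir`, but the commit message says this change is "Everything but the actual coding to support them", so the mode has to land before 2.48 is released or this entry points users at a command that does not exist yet. The entry also calls the result "strong (blowfish) hashes" while debian/changelog in the same change says "crypted with Eksblowfish"; use one name throughout, and Eksblowfish is the more precise one.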
@ -89,7 +99,7 @@ ikiwiki (2.14) unstable; urgency=low
This version of ikiwiki is more picky about symlinks in the path leading This version of ikiwiki is more picky about symlinks in the path leading
to the srcdir, and will refuse to use a srcdir specified by such a path. to the srcdir, and will refuse to use a srcdir specified by such a path.
This was necessary to avoid some potential exploits, but could potentially This was necessary to avoid some potential exploits, but could potentially
break (semi-)working wikis. If your wiki has a srcdir path containing a break (semi-)working wikis. If your wiki has a srcdir path containing a
symlink, you should change it to use a path that does not. symlink, you should change it to use a path that does not.

9
debian/changelog vendored

@ -6,6 +6,15 @@ ikiwiki (2.48) UNRELEASED; urgency=low
explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl
5.8 needs this to avoid crashing on malformed utf-8, despite its docs 5.8 needs this to avoid crashing on malformed utf-8, despite its docs
saying it is the default. saying it is the default.
* passwordauth: If Authen::Passphrase is installed, use it to store
password hashes, crypted with Eksblowfish.
* Existing cleartext passwords in the userdb will be automatically hashed
(if Authen::Passphrase is installed) the next time a user logs in.
Or `ikiwiki-transition hashpassword /path/to/srcdir` can be used to force
a conversion.
* Passwords will no longer be mailed, but instead a password reset link
mailed.
* The password_cost config setting is provided as a "more security" knob.
-- Joey Hess <joeyh@debian.org> Wed, 28 May 2008 03:07:37 -0400 -- Joey Hess <joeyh@debian.org> Wed, 28 May 2008 03:07:37 -0400
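Review bot: the entry "Passwords will no longer be mailed, but instead a password reset link mailed" introduces a reset link without saying how long it stays valid or whether it can be used more than once, and none of the documentation touched by this change covers that either. Suggest a sentence on the link's lifetime in the passwordauth page, and "a password reset link is mailed" for the grammar.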

2
debian/control vendored

@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki
Package: ikiwiki Package: ikiwiki
Architecture: all Architecture: all
Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl
Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl
Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl
Conflicts: ikiwiki-plugin-table Conflicts: ikiwiki-plugin-table
Replaces: ikiwiki-plugin-table Replaces: ikiwiki-plugin-table
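Review bot: `libauthen-passphrase-perl` is added to Recommends only, and the changelog in this same change says hashing happens "If Authen::Passphrase is installed", so a system installed without recommended packages keeps storing cleartext passwords and nothing tells the admin. Consider moving the package to Depends, or documenting that passwordauth should warn when the module is missing.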


@ -1,6 +1,6 @@
# NAME # NAME
ikiwiki-transition - transition ikiwiki pages to new syntaxes ikiwiki-transition - transition ikiwiki pages to new syntaxes, etc
# SYNOPSIS # SYNOPSIS
@ -8,12 +8,15 @@ ikiwiki-transition type ...
# DESCRIPTION # DESCRIPTION
`ikiwiki-transition` aids in converting ikiwiki pages when `ikiwiki-transition` aids in converting wiki pages when
there's a major change in ikiwiki syntax. there's a major change in ikiwiki syntax. It also handles other transitions
not involving wiki pages.
Currently only one such transition is handled, the `prefix_directives` mode # prefix_directives
converts the specified ikiwiki page from the old preprocessor directive
syntax, requiring a space, to the new syntax, prefixed by '!'. The `prefix_directives` mode converts the specified ikiwiki page from
the old preprocessor directive syntax, requiring a space, to the new
syntax, prefixed by '!'.
Preprocessor directives which already use the new syntax will remain Preprocessor directives which already use the new syntax will remain
unchanged. unchanged.
@ -22,14 +25,27 @@ Note that if the page contains wiki links with spaces, which some
older versions of ikiwiki accepted, the prefix_directives transition will older versions of ikiwiki accepted, the prefix_directives transition will
treat these as preprocessor directives and convert them. treat these as preprocessor directives and convert them.
One other transition is handled, the `indexdb` mode handles converting # indexdb
a plain text `.ikiwiki/index` file to a binary `.ikiwiki/indexdb`. In this
mode, you should specify the srcdir of the wiki as the second parameter. The `indexdb` mode handles converting a plain text `.ikiwiki/index` file to
You do not normally need to run `ikiwiki-transition indexdb`; ikiwiki will a binary `.ikiwiki/indexdb`. In this mode, you should specify the srcdir of
automatically run it as necessary. the wiki as the second parameter. You do not normally need to run
`ikiwiki-transition indexdb`; ikiwiki will automatically run it as
necessary.
# hashpassword
The `hashpassword` mode forces any plaintext passwords stored in the
`.ikiwiki/userdb` file to be replaced with password hashes. (The
Authen::Passphrase perl module is needed to do this.) In this mode, you
should specify the srcdir of the wiki as the second parameter.
If this is not done explicitly, a user's plaintext password will be
automatically converted to a hash when a user logs in for the first time
after upgrade to ikiwiki 2.48.
# AUTHOR # AUTHOR
Josh Triplett <josh@freedesktop.org> Josh Triplett <josh@freedesktop.org>, Joey Hess <joey@ikiwiki.info>
Warning: this page is automatically made into ikiwiki-transition's man page, edit with care Warning: this page is automatically made into ikiwiki-transition's man page, edit with care
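Review bot: in the new `# hashpassword` section, the closing paragraph says a plaintext password is converted "when a user logs in for the first time after upgrade" but drops the Authen::Passphrase condition that the changelog attaches to that automatic conversion, and it does not mention that an account which never logs in again keeps its cleartext password in `.ikiwiki/userdb`. Suggest stating both, recommending the explicit run for that reason, and saying what the mode does when the module is not installed.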


@ -123,6 +123,8 @@ use IkiWiki::Setup::Standard {
#usedirs => 0, #usedirs => 0,
# Simple spam prevention: require an account-creation password. # Simple spam prevention: require an account-creation password.
#account_creation_password => "example", #account_creation_password => "example",
# Cost of generating a password using Authen::Passphrase::BlowfishCrypt
#password_cost => 8,
# Uncomment to force ikiwiki to run with a particular umask. # Uncomment to force ikiwiki to run with a particular umask.
#umask => 022, #umask => 022,
# Default settings for the recentchanges page. # Default settings for the recentchanges page.
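Review bot: the added comment "Cost of generating a password using Authen::Passphrase::BlowfishCrypt" reads as if a password is being generated, when the setting controls the cost of hashing one. Suggest rewording to say it is the hashing cost and repeating the facts from the passwordauth page (default 8, maximum 31, each step doubles the time) so the setup file is usable without the wiki docs.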


@ -30,7 +30,7 @@ perl modules using this command:
yum install perl-Text-Markdown perl-Mail-Sendmail perl-HTML-Scrubber \ yum install perl-Text-Markdown perl-Mail-Sendmail perl-HTML-Scrubber \
perl-XML-Simple perl-TimeDate perl-HTML-Template perl-CGI-FormBuilder \ perl-XML-Simple perl-TimeDate perl-HTML-Template perl-CGI-FormBuilder \
perl-CGI-Session perl-File-MimeInfo perl-gettext perl-CGI-Session perl-File-MimeInfo perl-gettext perl-Authen-Passphrase
## Installing by hand ## Installing by hand


@ -2,16 +2,32 @@
[[tag type/auth]] [[tag type/auth]]
This plugin lets ikiwiki prompt for a user name and password when logging This plugin lets ikiwiki prompt for a user name and password when logging
into the wiki. It also handles registering users, mailing passwords, and into the wiki. It also handles registering users, resetting passwords, and
changing passwords in the prefs page. changing passwords in the prefs page.
It is enabled by default, but can be turned off if you want to only use It is enabled by default, but can be turned off if you want to only use
some other form of authentication, such as [[httpauth]] or [[openid]]. some other form of authentication, such as [[httpauth]] or [[openid]].
When the `account_creation_password` configuration option is enabled with When the `account_creation_password` configuration option is enabled with
a pass-phrase, this plugin prompts for the password when creating an a password, this plugin prompts for the password when creating an
account as a implistic anti-spam measure. account as a simplistic anti-spam measure.
(Some wikis edited by a particular group use an account creation password (Some wikis edited by a particular group use an account creation password
as an "ask an existing member to get an account" system.) as an "ask an existing member to get an account" system.)
## password storage
Users' passwords are stored in the `.ikiwiki/userdb` file, which needs to
be kept safe to prevent exposure of passwords. If the
[[Authen::Passphrase]] perl module is installed, only hashes of the
passwords will be stored. This is strongly recommended.
The `password_cost` configuration option can be used to make the stored
password hashes be more difficult to brute force, at the expense of also
taking more time to check a password when a user logs into the wiki. The
default value is 8, max value is (currently) 31, and each step *doubles*
the time required.
So if you're worried about your password files leaking and being cracked,
you can increase the `password_cost` and make that harder. But a better
choice might be to not deal with user passwords at all, and instead use
[[openid]]!
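Review bot: the `password_cost` paragraph in the new "password storage" section does not say whether changing the value affects hashes already stored in `.ikiwiki/userdb` or only passwords set afterwards, which is the first thing an admin raising the cost will need to know. In the last paragraph, "your password files" should name the userdb, matching the term used at the top of the section.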


@ -105,7 +105,7 @@ your web server will not run it.
## suid wrappers ## suid wrappers
ikiwiki --wrapper is intended to generate a wrapper program that `ikiwiki --wrapper` is intended to generate a wrapper program that
runs ikiwiki to update a given wiki. The wrapper can in turn be made suid, runs ikiwiki to update a given wiki. The wrapper can in turn be made suid,
for example to be used in a [[post-commit]] hook by people who cannot write for example to be used in a [[post-commit]] hook by people who cannot write
to the html pages, etc. to the html pages, etc.
@ -118,9 +118,13 @@ been no problem yet.
## shell exploits ## shell exploits
ikiwiki does not expose untrusted data to the shell. In fact it doesn't use ikiwiki does not expose untrusted data to the shell. In fact it doesn't use
system() at all, and the only use of backticks is on data supplied by the `system(3)` at all, and the only use of backticks is on data supplied by the
wiki admin and untainted filenames. And it runs with taint checks on of wiki admin and untainted filenames.
course..
Ikiwiki was developed and used for a long time with perl's taint checking
turned on as a second layer of defense against shell and other exploits. Due
to a strange [bug](http://bugs.debian.org/411786) in perl, taint checking
is currently disabled for production builds of ikiwiki.
## cgi data security ## cgi data security
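Review bot: `system(3)` in the "shell exploits" paragraph refers to the libc manual page, while the text is about perl's builtin `system`; plain `system()` in backticks would be accurate. The new paragraph then states that taint checking "is currently disabled for production builds" without saying how an admin can tell which build they have or turn it back on; one sentence on that would make the caveat actionable.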
@ -141,11 +145,11 @@ file not be world readable.
## cgi password security ## cgi password security
Login to the wiki involves sending a password in cleartext over the net. Login to the wiki using [[plugins/passwordauth]] involves sending a password
Cracking the password only allows editing the wiki as that user though. in cleartext over the net. Cracking the password only allows editing the wiki
If you care, you can use https, I suppose. If you do use https either for as that user though. If you care, you can use https, I suppose. If you do use
all of the wiki, or just the cgi access, then consider using the sslcookie https either for all of the wiki, or just the cgi access, then consider using
option. the sslcookie option. Using [[plugins/openid]] is a potentially better option.
## XSS holes in CGI output ## XSS holes in CGI output
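Review bot: the rewritten "cgi password security" paragraph keeps "Cracking the password only allows editing the wiki as that user though" and "If you care, you can use https, I suppose", which reads oddly next to the "Cleartext passwords" section added further down in this file, where exposure of users' passwords is treated as worth guarding against. Suggest recommending https for the cgi outright, and putting `sslcookie` in backticks like the other option names in this change.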
@ -377,3 +381,19 @@ page to be modified by a logged-in user. ([[cve CVE-2008-0165]])
These holes were discovered on 10 April 2008 and fixed the same day with These holes were discovered on 10 April 2008 and fixed the same day with
the release of ikiwiki 2.42. A fix was also backported to Debian etch, as the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
version 1.33.5. I recommend upgrading to one of these versions. version 1.33.5. I recommend upgrading to one of these versions.
## Cleartext passwords
Until version 2.48, ikiwiki stored passwords in cleartext in the `userdb`.
That risks exposing all users' passwords if the file is somehow exposed. To
pre-emtively guard against that, current versions of ikiwiki store password
hashes (using Eksblowfish).
If you use the [[plugins/passwordauth]] plugin, I recommend upgrading to
ikiwiki 2.48, installing the [[Authen::Passphrase]] perl module, and running
`ikiwiki-transition hashpassword` to replace all existing cleartext passwords
with strong blowfish hashes.
You might also consider changing to [[plugins/openid]], which does not
require ikiwiki deal with passwords at all, and does not involve users sending
passwords in cleartext over the net to log in, either.
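Review bot: the first paragraph of the new "Cleartext passwords" section says "current versions of ikiwiki store password hashes" unconditionally, but the passwordauth page in this same change says hashes are stored only if Authen::Passphrase is installed; the security page should carry the same condition so it does not overstate the protection. Two wording fixes in the added lines: "pre-emtively" should be "pre-emptively", and "require ikiwiki deal with passwords" should be "require ikiwiki to deal with passwords".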