documentation for use of hashed passwords

Everything but the actual coding to support them.

branch master
parent 774a5f86b2
commit 4152dca09e
@ -16,6 +16,7 @@ perl -MCPAN -e 'install Bundle::IkiWiki::Extras'

=head1 CONTENTS

Authen::Passphrase
RPC::XML
File::MimeInfo
Locale::gettext

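Review bot: Authen::Passphrase is added to the Extras bundle with no minimum version, while the debian/control hunk in this same commit pins versions for several other Perl dependencies; stating the release the passwordauth hashing was tested against here would keep the CPAN bundle and the package metadata in agreement.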
@ -1,3 +1,13 @@
ikiwiki (2.48) unstable; urgency=low

If you allowed password based logins to your wiki, those passwords were
stored in cleartext in the userdb. To guard against exposing users'
passwords, I recommend you install the Authen::Passphrase perl module, and
then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
existing cleartext passwords with strong (blowfish) hashes.

-- Joey Hess <joeyh@debian.org> Thu, 29 May 2008 14:39:34 -0400

ikiwiki (2.46) unstable; urgency=low

There were some significant template changes in ikiwiki 2.42 (and 1.33.5).

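Review bot: the NEWS entry should say what happens to accounts that are never converted, because the changelog hunk in this commit says a cleartext password is only re-hashed the next time that user logs in; an admin who skips `ikiwiki-transition hashpassword /path/to/srcdir` keeps cleartext entries for every user who does not log in again, which is exactly the exposure this entry warns about. Suggest one sentence after the `ikiwiki-transition` line along the lines of "Passwords of users who do not log in again stay in cleartext until you run this."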
@ -6,6 +6,15 @@ ikiwiki (2.48) UNRELEASED; urgency=low
explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl
5.8 needs this to avoid crashing on malformed utf-8, despite its docs
saying it is the default.
* passwordauth: If Authen::Passphrase is installed, use it to store
password hashes, crypted with Eksblowfish.
* Existing cleartext passwords in the userdb will be automatically hashed
(if Authen::Passphrase is installed) the next time a user logs in.
Or `ikiwiki-transition hashpassword /path/to/srcdir` can be used to force
a conversion.
* Passwords will no longer be mailed, but instead a password reset link
mailed.
* The password_cost config setting is provided as a "more security" knob.

-- Joey Hess <joeyh@debian.org> Wed, 28 May 2008 03:07:37 -0400

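Review bot: the `password_cost` bullet calls the setting a "more security" knob without saying what it controls or what values it takes; the passwordauth documentation hunk in this commit gives the default (8), the current maximum (31) and the fact that each step doubles the time to check a password, so a short pointer here, e.g. "log2 work factor for the Eksblowfish hash, default 8; each increment doubles the time to hash and verify a password", would let packagers and admins choose a value without reading the plugin page.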
@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki
Package: ikiwiki
Architecture: all
Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl
Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl
Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl
Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl
Conflicts: ikiwiki-plugin-table
Replaces: ikiwiki-plugin-table

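Review bot: libauthen-passphrase-perl is only a Recommends, so an install done with recommends disabled silently keeps the cleartext storage that the NEWS hunk in this commit warns about; if hashed storage is the intended default for the Debian package, consider Depends, or at least have the passwordauth plugin log or display a warning when the module is absent, since the plugin documentation only says that hashing happens "if Authen::Passphrase is installed".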
@ -1,6 +1,6 @@
# NAME

ikiwiki-transition - transition ikiwiki pages to new syntaxes
ikiwiki-transition - transition ikiwiki pages to new syntaxes, etc

# SYNOPSIS

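Review bot: "etc" in the NAME line is vague for a man page; something like "transition ikiwiki pages and data files to new formats" would describe the indexdb and hashpassword modes added in this file without the trailing "etc".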
@ -8,12 +8,15 @@ ikiwiki-transition type ...

# DESCRIPTION

`ikiwiki-transition` aids in converting ikiwiki pages when
there's a major change in ikiwiki syntax.
`ikiwiki-transition` aids in converting wiki pages when
there's a major change in ikiwiki syntax. It also handles other transitions
not involving wiki pages.

Currently only one such transition is handled, the `prefix_directives` mode
converts the specified ikiwiki page from the old preprocessor directive
syntax, requiring a space, to the new syntax, prefixed by '!'.
# prefix_directives

The `prefix_directives` mode converts the specified ikiwiki page from
the old preprocessor directive syntax, requiring a space, to the new
syntax, prefixed by '!'.

Preprocessor directives which already use the new syntax will remain
unchanged.

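Review bot: the SYNOPSIS context line still reads `ikiwiki-transition type ...`, but the indexdb and hashpassword modes documented in this file take the wiki's srcdir as their second parameter rather than a list of pages; consider one synopsis line per mode (e.g. `ikiwiki-transition hashpassword srcdir`) so the usage line matches the per-mode sections introduced here.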
@ -22,14 +25,27 @@ Note that if the page contains wiki links with spaces, which some
older versions of ikiwiki accepted, the prefix_directives transition will
treat these as preprocessor directives and convert them.

One other transition is handled, the `indexdb` mode handles converting
a plain text `.ikiwiki/index` file to a binary `.ikiwiki/indexdb`. In this
mode, you should specify the srcdir of the wiki as the second parameter.
You do not normally need to run `ikiwiki-transition indexdb`; ikiwiki will
automatically run it as necessary.
# indexdb

The `indexdb` mode handles converting a plain text `.ikiwiki/index` file to
a binary `.ikiwiki/indexdb`. In this mode, you should specify the srcdir of
the wiki as the second parameter. You do not normally need to run
`ikiwiki-transition indexdb`; ikiwiki will automatically run it as
necessary.

# hashpassword

The `hashpassword` mode forces any plaintext passwords stored in the
`.ikiwiki/userdb` file to be replaced with password hashes. (The
Authen::Passphrase perl module is needed to do this.) In this mode, you
should specify the srcdir of the wiki as the second parameter.

If this is not done explicitly, a user's plaintext password will be
automatically converted to a hash when a user logs in for the first time
after upgrade to ikiwiki 2.48.

# AUTHOR

Josh Triplett <josh@freedesktop.org>
Josh Triplett <josh@freedesktop.org>, Joey Hess <joey@ikiwiki.info>

Warning: this page is automatically made into ikiwiki-transition's man page, edit with care

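Review bot: the `hashpassword` section does not say what the command does when Authen::Passphrase is missing (fail, or silently leave the plaintext passwords in place), and that is the case an admin running it for security most needs to know; suggest stating the behaviour explicitly. The second paragraph should also make clear that the automatic conversion only covers users who log in again, so running the transition is the only way to cover dormant accounts, and a reminder to back up `.ikiwiki/userdb` before running a one-way rewrite of it would not hurt.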
@ -123,6 +123,8 @@ use IkiWiki::Setup::Standard {
#usedirs => 0,
# Simple spam prevention: require an account-creation password.
#account_creation_password => "example",
# Cost of generating a password using Authen::Passphrase::BlowfishCrypt
#password_cost => 8,
# Uncomment to force ikiwiki to run with a particular umask.
#umask => 022,
# Default settings for the recentchanges page.

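Review bot: the comment above `#password_cost => 8,` describes the setting as the cost of "generating a password", but the passwordauth documentation in this commit describes it as the work factor applied when a stored hash is created and again when a login is checked, with each step doubling the time; "Cost (log2 work factor) of hashing passwords with Authen::Passphrase::BlowfishCrypt; each +1 doubles the time to hash and verify a password" would match the plugin documentation and the setting's actual effect.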
@ -30,7 +30,7 @@ perl modules using this command:

yum install perl-Text-Markdown perl-Mail-Sendmail perl-HTML-Scrubber \
perl-XML-Simple perl-TimeDate perl-HTML-Template perl-CGI-FormBuilder \
perl-CGI-Session perl-File-MimeInfo perl-gettext
perl-CGI-Session perl-File-MimeInfo perl-gettext perl-Authen-Passphrase

## Installing by hand

@ -2,16 +2,32 @@
[[tag type/auth]]

This plugin lets ikiwiki prompt for a user name and password when logging
into the wiki. It also handles registering users, mailing passwords, and
into the wiki. It also handles registering users, resetting passwords, and
changing passwords in the prefs page.

It is enabled by default, but can be turned off if you want to only use
some other form of authentication, such as [[httpauth]] or [[openid]].

When the `account_creation_password` configuration option is enabled with
a pass-phrase, this plugin prompts for the password when creating an
account as a implistic anti-spam measure.
a password, this plugin prompts for the password when creating an
account as a simplistic anti-spam measure.
(Some wikis edited by a particular group use an account creation password
as an "ask an existing member to get an account" system.)

## password storage

Users' passwords are stored in the `.ikiwiki/userdb` file, which needs to
be kept safe to prevent exposure of passwords. If the
[[Authen::Passphrase]] perl module is installed, only hashes of the
passwords will be stored. This is strongly recommended.

The `password_cost` configuration option can be used to make the stored
password hashes be more difficult to brute force, at the expense of also
taking more time to check a password when a user logs into the wiki. The
default value is 8, max value is (currently) 31, and each step *doubles*
the time required.

So if you're worried about your password files leaking and being cracked,
you can increase the `password_cost` and make that harder. But a better
choice might be to not deal with user passwords at all, and instead use
[[openid]]!

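Review bot: the new "password storage" section says only hashes are stored if Authen::Passphrase is installed, but per the changelog hunk in this commit an existing cleartext entry stays as it is until that user logs in or `ikiwiki-transition hashpassword` is run; a sentence saying so, with a pointer to the transition command, belongs right after "This is strongly recommended." The "needs to be kept safe" advice would also be more actionable with the expected file mode, since the setup file in this commit exposes `umask` and a wrapper running with 022 leaves a newly created userdb world-readable unless something else tightens it.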
@ -105,7 +105,7 @@ your web server will not run it.

## suid wrappers

ikiwiki --wrapper is intended to generate a wrapper program that
`ikiwiki --wrapper` is intended to generate a wrapper program that
runs ikiwiki to update a given wiki. The wrapper can in turn be made suid,
for example to be used in a [[post-commit]] hook by people who cannot write
to the html pages, etc.

@ -118,9 +118,13 @@ been no problem yet.
## shell exploits

ikiwiki does not expose untrusted data to the shell. In fact it doesn't use
system() at all, and the only use of backticks is on data supplied by the
wiki admin and untainted filenames. And it runs with taint checks on of
course..
`system(3)` at all, and the only use of backticks is on data supplied by the
wiki admin and untainted filenames.

Ikiwiki was developed and used for a long time with perl's taint checking
turned on as a second layer of defense against shell and other exploits. Due
to a strange [bug](http://bugs.debian.org/411786) in perl, taint checking
is currently disabled for production builds of ikiwiki.

## cgi data security

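Review bot: the rewritten paragraph replaces "it runs with taint checks on" with a statement that taint checking is disabled for production builds, which is a security-relevant regression and should say which versions are affected and whether an admin building from source can re-enable `-T`; linking bug 411786 is good, but the section should also name the remaining first layer of defence, since the paragraph above it only rules out `system()` and backticks on untrusted input. Minor: Perl's builtin is `system`, and `system(3)` is the C library manpage reference, so the old `system()` spelling was the more accurate one.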
@ -141,11 +145,11 @@ file not be world readable.

## cgi password security

Login to the wiki involves sending a password in cleartext over the net.
Cracking the password only allows editing the wiki as that user though.
If you care, you can use https, I suppose. If you do use https either for
all of the wiki, or just the cgi access, then consider using the sslcookie
option.
Login to the wiki using [[plugins/passwordauth]] involves sending a password
in cleartext over the net. Cracking the password only allows editing the wiki
as that user though. If you care, you can use https, I suppose. If you do use
https either for all of the wiki, or just the cgi access, then consider using
the sslcookie option. Using [[plugins/openid]] is a potentially better option.

## XSS holes in CGI output

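Review bot: "Cracking the password only allows editing the wiki as that user though" understates the risk, since a password captured from the wire is often the same one that person uses elsewhere, and the hashing added in this commit protects only the stored copy, not the one sent in cleartext; given that, "If you care, you can use https, I suppose" reads weaker than the rest of the page and could simply recommend https for cgi access together with the sslcookie option, in the same firm tone the next sentence uses for openid.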
@ -377,3 +381,19 @@ page to be modified by a logged-in user. ([[cve CVE-2008-0165]])
These holes were discovered on 10 April 2008 and fixed the same day with
the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
version 1.33.5. I recommend upgrading to one of these versions.

## Cleartext passwords

Until version 2.48, ikiwiki stored passwords in cleartext in the `userdb`.
That risks exposing all users' passwords if the file is somehow exposed. To
pre-emtively guard against that, current versions of ikiwiki store password
hashes (using Eksblowfish).

If you use the [[plugins/passwordauth]] plugin, I recommend upgrading to
ikiwiki 2.48, installing the [[Authen::Passphrase]] perl module, and running
`ikiwiki-transition hashpassword` to replace all existing cleartext passwords
with strong blowfish hashes.

You might also consider changing to [[plugins/openid]], which does not
require ikiwiki deal with passwords at all, and does not involve users sending
passwords in cleartext over the net to log in, either.

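Review bot: typo "pre-emtively" should be "pre-emptively" (third line of the new section). More substantively, "current versions of ikiwiki store password hashes" is unconditional, while the next paragraph and the passwordauth hunk in this commit make hashing depend on Authen::Passphrase being installed; stating that condition in the first paragraph avoids giving an admin without the module a false sense of security. "Strong blowfish hashes" would also be more precise as "Eksblowfish (bcrypt) hashes", matching the term used a few lines above.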