Updated adduser to check for existing user and use password hashing #307

Merged
merged 1 commit into from Oct 11, 2014


2 participants

@laf
Member
laf commented Oct 6, 2014

Adding users when using http-auth did so with a plaintext password; updated so this now hashes the password even though it's never used.

@paulgear
Member
paulgear commented Oct 7, 2014

If the password isn't used, I don't think we should be hashing it. We should be putting in some dummy text to show that it's unused.

@laf
Member
laf commented Oct 7, 2014

If a user changes back to mysql-auth though, then none of the users will work (they won't if they've updated passwords since then anyway, but at least it's a chance). Dummy data, whilst it shouldn't be an issue as people won't be able to auth against it if we don't encrypt it, may be something we don't want to do just in case someone finds a way to exploit this. If we do encrypt the dummy data then it means that everyone knows the passwords.

I'll vote to encrypt the provided password as we've been happy enough with the level of encryption this offers so far :)

@paulgear
Member

Fair enough.

@paulgear paulgear merged commit b400ff8 into librenms:master Oct 11, 2014

1 check passed

ci/scrutinizer Scrutinizer: 7 new issues
@laf laf deleted the unknown repository branch Apr 30, 2015
@laf laf restored the unknown repository branch May 2, 2015