/orientdb

Require root password on server startup and store hash rather than plain text for verification #1428

Closed
wants to merge 2 commits into
from

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@h00gs @lvca @ruckc
@h00gs

h00gs commented Apr 8, 2013

... root password on startup, store the hash of the root password (not the plain text) in the server config xml file, and require that it be changed from the default value. A passphrase is permitted and a startup option "-p" is provided which allows the user to run the server for the sole purpose of generating a password hash that can be pasted into the server config xml file for subsequent verification.

Minimal code changes, uses existing encryption calls. Does create a problem if you want to automatically spawn server instances.

h00gs added some commits Apr 8, 2013

@h00gs
To make a server instance more secure, now require the user to enter … 
…the root password on startup, store the hash of the root password (not the plain text) in the server config xml file, and require that it be changed from the default value. A passphrase is permitted and a startup option "-p" is provided which allows the user to run the server for the sole purpose of generating a password hash that can be pasted into the server config xml file for subsequent verification.

Minimal code changes, uses existing encryption calls.  Does create a problem if you want to automatically spawn server instances.

All checks have failed

1 errored and 1 failing checks
@lvca
default — The Travis build could not complete due to an error
Details
clahub — Not all contributors have signed the Contributor License Agreement.
Details
06b355a
@h00gs
Added another switch -u that allows unsecured invocation, bypassing a… 
…ll the password stuff.

All checks have failed

1 errored and 1 failing checks
@lvca
default — The Travis build could not complete due to an error
Details
clahub — One or more of this commit's parents has contributors who have not signed the Contributor License Agreement.
Details
effbf63
@lvca

This comment has been minimized.

Show comment Hide comment
@lvca

lvca May 7, 2013

Owner

Nice pull request, sorry to haven't merged before!

Owner

lvca commented May 7, 2013

Nice pull request, sorry to haven't merged before!
@lvca

This comment has been minimized.

Show comment Hide comment
@lvca

lvca May 7, 2013

Owner

Why you stored in xml config file "root" as default password? I would leave the current settings where if you install a new server you've an automatic generated password. Does this behavior remain if I avoid to put the root user?

  •    <user resources="*" password="4813494D137E1631BBA301D5ACAB6E7BB7AA74CE1185D456565EF51D737677B2"
Owner

lvca commented May 7, 2013

Why you stored in xml config file "root" as default password? I would leave the current settings where if you install a new server you've an automatic generated password. Does this behavior remain if I avoid to put the root user?

  •    <user resources="*" password="4813494D137E1631BBA301D5ACAB6E7BB7AA74CE1185D456565EF51D737677B2"
@h00gs

This comment has been minimized.

Show comment Hide comment
@h00gs

h00gs May 10, 2013

Hi Luca,

Thanks for considering the request. To be honest I can't remember why I
introduced the root password! Unfortunately I'm moving house tommorrow and
in Australia getting connected to the internet in such a case takes 2-4
weeks (even though the wire is in place), so I'll revisit what I was doing
there and get back to you in a few weeks.

Cheers
hoogs

On Tue, May 7, 2013 at 2:59 PM, Luca Garulli notifications@github.comwrote:

Why you stored in xml config file "root" as default password? I would
leave the current settings where if you install a new server you've an
automatic generated password. Does this behavior remain if I avoid to put
the root user?

  • <user resources="*"
    password="4813494D137E1631BBA301D5ACAB6E7BB7AA74CE1185D456565EF51D737677B2"


Reply to this email directly or view it on GitHubhttps://github.com/nuvolabase/orientdb/pull/1428#issuecomment-17526389
.

h00gs commented May 10, 2013

Hi Luca,

Thanks for considering the request. To be honest I can't remember why I
introduced the root password! Unfortunately I'm moving house tommorrow and
in Australia getting connected to the internet in such a case takes 2-4
weeks (even though the wire is in place), so I'll revisit what I was doing
there and get back to you in a few weeks.

Cheers
hoogs

On Tue, May 7, 2013 at 2:59 PM, Luca Garulli notifications@github.comwrote:

Why you stored in xml config file "root" as default password? I would
leave the current settings where if you install a new server you've an
automatic generated password. Does this behavior remain if I avoid to put
the root user?

  • <user resources="*"
    password="4813494D137E1631BBA301D5ACAB6E7BB7AA74CE1185D456565EF51D737677B2"


Reply to this email directly or view it on GitHubhttps://github.com/nuvolabase/orientdb/pull/1428#issuecomment-17526389
.
@lvca

This comment has been minimized.

Show comment Hide comment
@lvca

lvca May 10, 2013

Owner

Ok ;-)

Lvc@

On 10 May 2013 16:38, h00gs notifications@github.com wrote:

Hi Luca,

Thanks for considering the request. To be honest I can't remember why I
introduced the root password! Unfortunately I'm moving house tommorrow and
in Australia getting connected to the internet in such a case takes 2-4
weeks (even though the wire is in place), so I'll revisit what I was doing
there and get back to you in a few weeks.

Cheers
hoogs

On Tue, May 7, 2013 at 2:59 PM, Luca Garulli notifications@github.comwrote:

Why you stored in xml config file "root" as default password? I would
leave the current settings where if you install a new server you've an
automatic generated password. Does this behavior remain if I avoid to
put
the root user?

  • <user resources="*"

password="4813494D137E1631BBA301D5ACAB6E7BB7AA74CE1185D456565EF51D737677B2"


Reply to this email directly or view it on GitHub<
https://github.com/nuvolabase/orientdb/pull/1428#issuecomment-17526389>
.


Reply to this email directly or view it on GitHubhttps://github.com/nuvolabase/orientdb/pull/1428#issuecomment-17723791
.

Owner

lvca commented May 10, 2013

Ok ;-)

Lvc@

On 10 May 2013 16:38, h00gs notifications@github.com wrote:

Hi Luca,

Thanks for considering the request. To be honest I can't remember why I
introduced the root password! Unfortunately I'm moving house tommorrow and
in Australia getting connected to the internet in such a case takes 2-4
weeks (even though the wire is in place), so I'll revisit what I was doing
there and get back to you in a few weeks.

Cheers
hoogs

On Tue, May 7, 2013 at 2:59 PM, Luca Garulli notifications@github.comwrote:

Why you stored in xml config file "root" as default password? I would
leave the current settings where if you install a new server you've an
automatic generated password. Does this behavior remain if I avoid to
put
the root user?

  • <user resources="*"

password="4813494D137E1631BBA301D5ACAB6E7BB7AA74CE1185D456565EF51D737677B2"


Reply to this email directly or view it on GitHub<
https://github.com/nuvolabase/orientdb/pull/1428#issuecomment-17526389>
.


Reply to this email directly or view it on GitHubhttps://github.com/nuvolabase/orientdb/pull/1428#issuecomment-17723791
.
@lvca

This comment has been minimized.

Show comment Hide comment
@lvca

lvca May 10, 2013

Owner

Ok, I can wait for it ;-)

Owner

lvca commented May 10, 2013

Ok, I can wait for it ;-)
@ruckc

This comment has been minimized.

Show comment Hide comment
@ruckc

ruckc Apr 16, 2014

bump... Will this merge cleanly now or does it need to be revisited?

ruckc commented Apr 16, 2014

bump... Will this merge cleanly now or does it need to be revisited?
@lvca

This comment has been minimized.

Show comment Hide comment
@lvca

lvca Apr 16, 2014

Owner

This fix needs to be merged against new develop. @ruckc Would you like to do it?

Owner

lvca commented Apr 16, 2014

This fix needs to be merged against new develop. @ruckc Would you like to do it?
@ruckc

This comment has been minimized.

Show comment Hide comment
@ruckc

ruckc Apr 17, 2014

@lvca I think I can. I'm looking at it now. Though, I am trying to figure out the easiest way to handle automatic startup scripts if a password is required via stdin. Thinking it might be easiest to merge in the config.xml password hashing and leave the password required to launch out until OrientDB gets encrypted data at rest through #89.

ruckc commented Apr 17, 2014

@lvca I think I can. I'm looking at it now. Though, I am trying to figure out the easiest way to handle automatic startup scripts if a password is required via stdin. Thinking it might be easiest to merge in the config.xml password hashing and leave the password required to launch out until OrientDB gets encrypted data at rest through #89.
@lvca

This comment has been minimized.

Show comment Hide comment
@lvca

lvca Sep 1, 2015

Owner

This has been implemented in 2.2.

Owner

lvca commented Sep 1, 2015

This has been implemented in 2.2.

@lvca lvca closed this Sep 1, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment