[checkmk-commits] [tribe29/checkmk] de6abe: 14818 FIX Ceph OSDs checkplugin now uses the warni...

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: de6abeb2ba93533988243302444f1cc7b56f8f4e https://github.com/tribe29/checkmk/commit/de6abeb2ba93533988243302444f1cc7b… Author: m3rlinux <m3rlinux.it(a)gmail.com> Date: 2022-11-08 (Tue, 08 Nov 2022) Changed paths: A .werks/14818 M checks/ceph_status Log Message: ----------- 14818 FIX Ceph OSDs checkplugin now uses the warning threshold The Chep OSDs check plugin ignored the warning thresholds for OSDs out and OSDs down. This has beed fixed now. Change-Id: Id025ab27f56dfdb1d74314c04cfdce829812bf56 closes: #543 Commit: 97a88546da58d523492ceecc5d9270d5e1b311fe https://github.com/tribe29/checkmk/commit/97a88546da58d523492ceecc5d9270d5e… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2022-11-08 (Tue, 08 Nov 2022) Changed paths: M tests/unit/cmk/gui/test_userdb.py M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py Log Message: ----------- Remove unnecessary fixtures The fixture is already auto-applied in conftest Change-Id: I6adb4bbcd9e43d59420038ac1f44bc26097a7deb Commit: 61547565a20dbc351e27b646935ff81c7742b6f5 https://github.com/tribe29/checkmk/commit/61547565a20dbc351e27b646935ff81c7… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2022-11-08 (Tue, 08 Nov 2022) Changed paths: A .werks/14390 M cmk/gui/userdb/htpasswd.py M cmk/utils/crypto/password_hashing.py M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py M tests/unit/cmk/utils/crypto/test_password_hashing.py Log Message: ----------- 14390 Automatically update deprectated password hashes Deprecated hashes of user passwords stored in the htpasswd file will now be automatically updated to a more modern hash format when the respective user logs in. Specifically, password hashes created with the sha256-crypt algorithm will be udpated to bcrypt hashes. sha256-crypt hashes are still considered secure for password hashing. However, we want to migrate all users' password hashes to the more modern bcrypt algorithm. For users whose passwords are hashed with sha256-crypt we can do so automatically in the background when they authenticate successfully. Older and less secure password hashes, such as MD5, are not updated automatically. CMK-11528 Change-Id: I53f65fc539a10bef38aba0a677fbfc8c3b07420e Commit: fcf6b3f055315be5d6c53ed099b44cc94e553042 https://github.com/tribe29/checkmk/commit/fcf6b3f055315be5d6c53ed099b44cc94… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2022-11-08 (Tue, 08 Nov 2022) Changed paths: A .werks/14391 M cmk/utils/crypto/password_hashing.py M tests/unit/cmk/utils/crypto/test_password_hashing.py Log Message: ----------- 14391 SEC Require password change for old password hashes Local users whose passwords are hashed with insecure hash functions in the htpasswd file will be required to change their passwords on their next login. Users that authenticate via other mechanisms, such as LDAP, are not affected by this. Starting from version 2.2, Checkmk will no longer support validating password hashes of deprecated and insecure hash algorithms. In order to avoid situations where users are unable to log in (and require manually resetting their password by an administrator), users whose passwords are currently hashed with any of the affected hash algorithms will be required to set a new password. A warning message including all affected usernames will be displayed to the administrator running the `omd update` command. You can use this list to contact these users and selectively inform them that they will be required to change their password during their next UI login. In case they do not change their password before Checkmk is upgraded to version 2.2, these users will not be able to log in anymore after the upgrade and an administrator will have to reset the password. The following hash algorithms that are currently still supported are affected: des-crypt, MD5-crypt, Apr MD5-crypt. Passwords hashed with sha256-crypt will not require resetting the password but will be updated automatically on the user's next login (see Werk #14390). New passwords will be hashed with bcrypt. Should you wish to manually change a user's password via the CLI, please be aware of the newly introduced `cmk-passwd` utility (see Werk #14389). Even though this Werk is related to security, it does not fix any exploitable issue. Hence, we assign a CVSS score of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). CMK-11529, CMK-11530 Change-Id: Ic14a9ffb5bb91cfbb3ac27ae62efdcd4a7db9b81 Compare: https://github.com/tribe29/checkmk/compare/d9098953e62d...fcf6b3f05531