Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: ef9c96327efeb73dfb6dea3587dea7bcfa0a77fd
https://github.com/tribe29/checkmk/commit/ef9c96327efeb73dfb6dea3587dea7bcf…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-25 (Wed, 25 Jan 2023)
Changed paths:
A .werks/15183
M cmk/gui/userdb/__init__.py
M cmk/gui/userdb/htpasswd.py
A cmk/update_config/plugins/actions/password_hashes.py
M cmk/utils/crypto/password_hashing.py
M tests/testlib/users.py
M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py
M tests/unit/cmk/update_config/conftest.py
A tests/unit/cmk/update_config/plugins/actions/test_password_hashes.py
M tests/unit/cmk/update_config/plugins/actions/test_user_attributes.py
M tests/unit/cmk/utils/crypto/test_password_hashing.py
Log Message:
-----------
15183 SEC Drop support for outdated password hashing schemes

With Checkmk 2.2.0 the support for older and in part insecure password
hashing schemes has been removed.

As a result, it is possible that some local users cannot log in anymore.
`omd update` will now inform about these cases.

Since Werk #14391 old password hashes were either automatically updated
upon login or users were asked to choose new passwords, depending on how
old and insecure their hashes were. However, if a user has not logged in
at all since Werk #14391 it is possible that they still use the old
hashing scheme. These users will not be able to log in after the update,
since support for these schemes has been removed. The login will fail
with the message "Invalid login".

In order to restore access for affected users, you need to manually
reset their password. This can be done either via user management in
Setup > Users or via the commandline using cmk-passwd.

Even though this Werk is related to security, it does not fix any
exploitable issue. To aid automatic scanners, we assign a CVSS score
of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

CMK-11608
Change-Id: I0102b3601f0cf0d19aad2023058b2541b302bdd9
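
The pre-update check described in the log message can be approximated by classifying each htpasswd entry by its hash prefix. The following is an added example, not code from this commit or from Checkmk. It assumes a `user:hash` line format, that a leading `!` marks a locked account, and that bcrypt is the only scheme still accepted (the log message does not name the schemes); `identify_scheme` and `audit_htpasswd` are hypothetical names.

```python
import re

# Well-known htpasswd / modular-crypt prefixes (general facts, not from the commit).
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d{2}\$")),
    ("sha512-crypt", re.compile(r"^\$6\$")),
    ("sha256-crypt", re.compile(r"^\$5\$")),
    ("md5-crypt", re.compile(r"^\$1\$")),
    ("apr1-md5", re.compile(r"^\$apr1\$")),
    ("sha1", re.compile(r"^\{SHA\}")),
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]


def identify_scheme(pw_hash):
    """Name the hashing scheme of one htpasswd hash field, or 'unknown'."""
    for name, pattern in SCHEMES:
        if pattern.match(pw_hash):
            return name
    return "unknown"


def audit_htpasswd(text, supported=frozenset({"bcrypt"})):
    """Return {user: scheme} for entries whose scheme is not in `supported`.

    `supported` defaults to bcrypt only; that default is an assumption.
    """
    flagged = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_hash = line.split(":", 1)
        pw_hash = pw_hash.lstrip("!")  # assumption: "!" prefix = locked account
        scheme = identify_scheme(pw_hash)
        if scheme not in supported:
            flagged[user] = scheme
    return flagged


# Constructed sample; the hash bodies are filler, not real password hashes.
SAMPLE = "\n".join([
    "alice:$2y$12$" + "A" * 53,
    "bob:$5$rounds=535000$saltsaltsalt$" + "B" * 43,
    "carol:!$1$saltsalt$" + "C" * 22,
    "dave:" + "D" * 13,
])

if __name__ == "__main__":
    for user, scheme in audit_htpasswd(SAMPLE).items():
        print(f"{user}: {scheme} hash, password reset needed before update")
```

Users reported by such a check are the ones who would need a manual password reset, as the log message describes.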