Module: check_mk
Branch: master
Commit: a289dff1a63265a7d751741580647d22937ae5a7
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a289dff1a63265…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Oct 24 10:10:33 2018 +0200
6846 SEC More secure password hashing

Passwords of local users of the Check_MK GUI are now hashed using SHA256
(salted, 535000 rounds) to increase the security of the stored user logon
passwords.

All existing users will still be able to log in using their already hashed
passwords. Once a user changes his password or a new user is created, these
will be hashed using the new algorithm.

Why SHA256? Check_MK supports different authentication frontends for verifying
the local credentials: a) basic authentication (done by Apache) and b) the GUI
form + cookie based authentication.

The default is b). This option is toggled with the "omd config" option
MULTISITE_COOKIE_AUTH. In case the basic authentication is chosen, it is only
possible to use hashing algorithms that are supported by Apache, which
performs the authentication in this situation.

For best compatibility in all mentioned situations we use the SHA256 scheme.

CMK-1151

Change-Id: I3e8ea4bdfe813e5d290ef94406340b89c73bfc9a
---
.werks/6846 | 27 ++++++
cmk/gui/md5crypt.py | 99 ----------------------
cmk/gui/plugins/userdb/htpasswd.py | 83 ++++++++++++------
omd/packages/omd/omd | 88 +------------------
.../unit/cmk/gui/test_userdb_htpasswd_connector.py | 28 +++++-
5 files changed, 111 insertions(+), 214 deletions(-)
Diff:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=a289dff1a6…
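
Because existing hashes are only replaced when a password is changed, an administrator may want to list the accounts that are still stored with an older hash. The following is an added example, not code from this commit or from Check_MK; it assumes htpasswd-style "user:hash" lines and the standard crypt(3)/Apache scheme prefixes ($5$, $1$, $apr1$), and all sample entries are constructed placeholders.

```python
import re

TARGET_ROUNDS = 535000              # round count stated in the commit message
SHA256_CRYPT_DEFAULT_ROUNDS = 5000  # crypt(3) default when "rounds=" is absent

# Constructed sample entries; salt and hash fields are placeholders, not real hashes.
SAMPLE_HTPASSWD = """\
alice:$5$rounds=535000$CONSTRUCTEDSALT$CONSTRUCTEDHASH
bob:$1$CONSTRSALT$CONSTRUCTEDHASH
carol:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH
dave:$apr1$CONSTRSALT$CONSTRUCTEDHASH
erin:$5$rounds=10000$CONSTRUCTEDSALT$CONSTRUCTEDHASH
"""

# $5$[rounds=N$]salt$hash is the sha256-crypt modular format.
SHA256_RE = re.compile(r"^\$5\$(?:rounds=(\d+)\$)?([^$]+)\$(.+)$")


def classify(pw_field):
    """Return (scheme, rounds) for one hash field; rounds is None if not tunable."""
    m = SHA256_RE.match(pw_field)
    if m:
        rounds = int(m.group(1)) if m.group(1) else SHA256_CRYPT_DEFAULT_ROUNDS
        return "sha256-crypt", rounds
    if pw_field.startswith("$1$"):
        return "md5-crypt", None
    if pw_field.startswith("$apr1$"):
        return "apr1-md5", None
    return "unknown", None


def audit(text, target=TARGET_ROUNDS):
    """Return {user: reason} for entries not yet stored with the target scheme."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_field = line.split(":", 1)
        scheme, rounds = classify(pw_field)
        if scheme != "sha256-crypt":
            findings[user] = "legacy scheme: " + scheme
        elif rounds < target:
            findings[user] = "sha256-crypt with only %d rounds" % rounds
    return findings


if __name__ == "__main__":
    for user, reason in sorted(audit(SAMPLE_HTPASSWD).items()):
        print("%-8s %s" % (user, reason))
```
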