Branch: refs/heads/2.1.0
Home:
https://github.com/tribe29/checkmk
Commit: e0f54aa0055b3c34eee5c814ab22f43ba756434b
https://github.com/tribe29/checkmk/commit/e0f54aa0055b3c34eee5c814ab22f43ba…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
M tests/unit/cmk/gui/test_userdb.py
M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py
Log Message:
-----------
Remove unnecessary fixtures
The fixture is already auto-applied in conftest
Change-Id: I6adb4bbcd9e43d59420038ac1f44bc26097a7deb
Commit: 5003fec0359488b6ff794d9acddef3f449749303
https://github.com/tribe29/checkmk/commit/5003fec0359488b6ff794d9acddef3f44…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
A .werks/14390
M cmk/gui/plugins/userdb/htpasswd.py
M cmk/utils/crypto/password_hashing.py
M tests/unit/cmk/gui/test_userdb_htpasswd_connector.py
M tests/unit/cmk/utils/crypto/test_password_hashing.py
Log Message:
-----------
14390 Automatically update deprecated password hashes
Deprecated hashes of user passwords stored in the htpasswd file will now
be automatically updated to a more modern hash format when the
respective user logs in. Specifically, password hashes created with the
sha256-crypt algorithm will be updated to bcrypt hashes.
sha256-crypt hashes are still considered secure for password hashing.
However, we want to migrate all users' password hashes to the more
modern bcrypt algorithm. For users whose passwords are hashed with
sha256-crypt we can do so automatically in the background when they
authenticate successfully.
Older and less secure password hashes, such as MD5, are not updated
automatically.
CMK-11528
Change-Id: I53f65fc539a10bef38aba0a677fbfc8c3b07420e
Commit: 5cce0ef57881a5df091a31b2eaf025428df3f3d4
https://github.com/tribe29/checkmk/commit/5cce0ef57881a5df091a31b2eaf025428…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
A .werks/14391
M cmk/update_config.py
M cmk/utils/crypto/password_hashing.py
M tests/unit/cmk/test_update_config.py
M tests/unit/cmk/utils/crypto/test_password_hashing.py
Log Message:
-----------
14391 SEC Require password change for old password hashes
Local users whose passwords are hashed with insecure hash functions in
the htpasswd file will be required to change their passwords on their
next login.
Users that authenticate via other mechanisms, such as LDAP, are not
affected by this.
Starting from version 2.2, Checkmk will no longer support validating
password hashes of deprecated and insecure hash algorithms. In order to
avoid situations where users are unable to log in (and require manually
resetting their password by an administrator), users whose passwords are
currently hashed with any of the affected hash algorithms will be
required to set a new password.
A warning message including all affected usernames will be displayed to
the administrator running the `omd update` command. You can use this
list to contact these users and selectively inform them that they will
be required to change their password during their next UI login. In case
they do not change their password before Checkmk is upgraded to version
2.2, these users will not be able to log in anymore after the upgrade
and an administrator will have to reset the password.
The following hash algorithms that are currently still supported are
affected: des-crypt, MD5-crypt, Apr MD5-crypt. Passwords hashed with
sha256-crypt will not require resetting the password but will be updated
automatically on the user's next login (see Werk #14390).
New passwords will be hashed with bcrypt.
Should you wish to manually change a user's password via the CLI, please
be aware of the newly introduced `cmk-passwd` utility (see Werk #14389).
Even though this Werk is related to security, it does not fix any
exploitable issue. Hence, we assign a CVSS score of 0 (None)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
CMK-11529, CMK-11530
Change-Id: Ic14a9ffb5bb91cfbb3ac27ae62efdcd4a7db9b81
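The two Werks above describe one migration policy over the htpasswd file: bcrypt hashes stay, sha256-crypt hashes are rehashed to bcrypt transparently after a successful login (which is the only moment the plaintext is available), and des-crypt, MD5-crypt and Apr MD5-crypt hashes force a password change. The script below is an added illustration of that policy as an administrator's audit, not code from the Checkmk repository: it classifies each entry by its modular-crypt-format prefix and reports the same buckets the `omd update` warning lists. The `user:hash` line layout and the `!` prefix for locked users are assumptions about the file, and the sample hashes are constructed strings with the right shape, not real hashes of any password.

```python
"""Audit an htpasswd file for deprecated password hashes and derive the
migration action per user (bcrypt: keep; sha256-crypt: rehash after login;
des/MD5/Apr-MD5 crypt: require a new password).

Added example, not Checkmk project code. Prefix table follows the standard
modular-crypt-format identifiers; file layout and '!' lock marker are assumed.
"""
import re
from enum import Enum


class Action(Enum):
    NONE = "already bcrypt, nothing to do"
    REHASH_ON_LOGIN = "sha256-crypt: upgrade to bcrypt after a successful login"
    REQUIRE_CHANGE = "insecure hash: force a password change on next login"
    UNKNOWN = "unrecognised hash format"


# Modular-crypt-format identifier -> algorithm name
_PREFIXES = (
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256-crypt"),
    ("$apr1$", "apr-md5-crypt"),
    ("$1$", "md5-crypt"),
)
# Traditional des-crypt: exactly 13 characters of the crypt alphabet, no '$'
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def identify_scheme(stored_hash):
    """Name the hash algorithm from its prefix, or None if unknown."""
    for prefix, name in _PREFIXES:
        if stored_hash.startswith(prefix):
            return name
    if _DES_RE.match(stored_hash):
        return "des-crypt"
    return None


def action_for(stored_hash):
    """Map the algorithm to the migration action described in the Werks."""
    scheme = identify_scheme(stored_hash)
    if scheme == "bcrypt":
        return Action.NONE
    if scheme == "sha256-crypt":
        return Action.REHASH_ON_LOGIN
    if scheme in ("des-crypt", "md5-crypt", "apr-md5-crypt"):
        return Action.REQUIRE_CHANGE
    return Action.UNKNOWN


def audit_htpasswd(text):
    """Return {username: (scheme, Action)} for every entry in the file."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        stored = stored.removeprefix("!")  # assumption: '!' marks a locked user
        result[user] = (identify_scheme(stored), action_for(stored))
    return result


def users_requiring_change(text):
    """Usernames an admin should warn: they must set a new password."""
    return sorted(u for u, (_, a) in audit_htpasswd(text).items()
                  if a is Action.REQUIRE_CHANGE)


def upgraded_hash_after_login(stored_hash, password, bcrypt_hasher):
    """Call only after `password` has verified against `stored_hash`.
    Returns the replacement hash to store, or None if nothing changes.
    `bcrypt_hasher` is injected; the real one lives in the project's crypto code."""
    if action_for(stored_hash) is Action.REHASH_ON_LOGIN:
        return bcrypt_hasher(password)
    return None


# Constructed sample file: hashes have the correct shape but are not real.
SAMPLE_HTPASSWD = """\
# user:hash
alice:$2b$12$c0nstructedSaltValue22chrs3y6BvH2f0G4HqXkLmZpQ5VbN7tRsWuY
bob:$5$saltsalt$c0nstructedSha256CryptHashValue000000000000
carol:$1$saltsalt$c0nstructedMd5HashXX
dave:$apr1$saltsalt$c0nstructedApr1HashX
erin:!abJnggxhB/yWI
"""

if __name__ == "__main__":
    for user, (scheme, action) in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user:8} {scheme or '?':14} {action.value}")
    print("must change password:", ", ".join(users_requiring_change(SAMPLE_HTPASSWD)))
```

Running the script prints one line per user with the algorithm and the action; `users_requiring_change` yields the list the Werk says the administrator should use to contact affected users before the 2.2 upgrade. `upgraded_hash_after_login` shows why the sha256-crypt upgrade is tied to login: the new bcrypt hash can only be computed while the plaintext is in hand, so an offline `omd update` step can warn about old hashes but cannot convert them.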
Compare:
https://github.com/tribe29/checkmk/compare/e53f2e9f3e66...5cce0ef57881