Thanks Sebastian :)

Actually this is the reason why I haven't dropped MD5 support.
But I see no way to perform a migration of user passwords without requiring a password reset by each user.

The only solutions I see are:
1) change the crypt type and set a sort of "welcome message: please reset password"
2) reset the passwords for all users to some generated one and mass-send emails with the new password (don't like this idea)
3) add a flag to the user: "Reset password is required", and add an admin button (set the reset flag for all users)

something like this

On Sat, Aug 13, 2016 at 6:01 AM, [email protected] <[email protected]> wrote:
> Hi Maxim,
>
> my only concern is that if you import an old backup with v3.1.2 it is
> working as expected and you do not end up in a situation where you do an
> import and afterwards the login does not work as the password is encrypted
> with the old crypt class.
>
> I think we have to be careful with that, especially as we are releasing
> security features which include recommendations to update. It would be
> embarrassing to recommend an update and then discover that the update path
> is broken.
>
> I might be able to do a quick installation and verification.
>
> I created a blog post for this release, please review:
> https://blogs.apache.org/openmeetings/entry/openmeetings_3_1_2_released
>
> I already published it as it's pretty much the same content as your email.
> But please have a quick look.
>
> Great work btw for getting the signing of the Webstart App finally out. I
> can remember discussing this for like 1 year.
>
> I think we can also move this discussion to @dev, nothing secret here
> anymore. The security patch is out now.
>
> Thanks,
> Seb
>
> 2016-08-12 17:08 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>
>> Actually right now the crypt class from the backup will be taken (no changes
>> for users)
>>
>> We can force the change in any version
>> I would propose 3.2.0 for this
>>
>> WBR, Maxim
>> (from mobile, sorry for the typos)
>>
>>
>> On Aug 12, 2016 12:02, "[email protected]" <[email protected]> wrote:
>>
>> Hi Maxim,
>>
>> this will be required for anybody that upgrades from an older version to
>> OpenMeetings v3.1.2, right? So we kind of missed the chance to do that.
>>
>> Can we not just automatically change it to the old encryption class for
>> users that install via a backup?
>>
>> I think (1) is not an option anyway as it would need to have all passwords
>> in blank to encrypt them. Which we neither have nor want to have from a
>> security point of view.
>>
>> (2) is what you would usually do.
>>
>> However still, the migration path is kind of a major thing. We don't
>> want to lose all of our old user base because they have this upgrade issue.
>>
>> Thanks,
>> Sebastian
>>
>>
>> 2016-08-12 16:07 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>>
>>> Hmmm,
>>>
>>> I see a couple of options here
>>>
>>> 1) Brute-force the old user passwords and re-encrypt (unrealistic)
>>> 2) Add a sort of configurable "admin message" to the Sign in dialog, something
>>> like: "All users unable to login need to reset their passwords, because the
>>> security of the system was enhanced"
>>>
>>> WDYT?
>>>
>>> On Fri, Aug 12, 2016 at 11:03 AM, [email protected]
>>> <[email protected]> wrote:
>>>>
>>>> "remove MD5*.class from bundle and correct class will be set
>>>> automatically"
>>>>
>>>> Well my point is that in the old backup all passwords are encrypted with
>>>> MD5. So once you have imported that, none of the logins will work anymore.
>>>>
>>>> Asking every user to type in a new password is quite some usability
>>>> issue. And we also have no way of prompting users to switch the password
>>>> once it's invalid other than going through the entire reset password cycle.
>>>>
>>>> So how will those be able to migrate?
>>>>
>>>> Thanks,
>>>> Sebastian
>>>>
>>>>
>>>> 2016-08-12 15:52 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>>>>
>>>>> Actually there are a couple of ways:
>>>>>
>>>>> 1) unzip the backup, edit the xml, zip it back
>>>>> 2) remove MD5*.class from the bundle and the correct class will be set
>>>>> automatically
>>>>>
>>>>> I believe I'll choose #2 for 3.2.0 :)
>>>>>
>>>>> On Fri, Aug 12, 2016 at 10:50 AM, [email protected]
>>>>> <[email protected]> wrote:
>>>>>>
>>>>>> So you need to adjust the config key after you have imported the backup.
>>>>>>
>>>>>> Is there any way the backup mechanism can do that automatically? I
>>>>>> think it's a spring config bean, right?
>>>>>>
>>>>>> Thanks,
>>>>>> Sebastian
>>>>>>
>>>>>> 2016-08-12 15:46 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>>>>>>
>>>>>>> demo is updated: https://om.alteametasoft.com/openmeetings
>>>>>>>
>>>>>>> yep, this is the complete list :)
>>>>>>>
>>>>>>> new password encryption will work, BUT the crypt class needs to be
>>>>>>> manually changed
>>>>>>> I plan to force it in 3.2.0
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 12, 2016 at 10:43 AM, [email protected]
>>>>>>> <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hi Maxim,
>>>>>>>>
>>>>>>>> let me know when you are ready to publish it.
>>>>>>>>
>>>>>>>> I would like to create a short blog post with the update.
>>>>>>>>
>>>>>>>> Does this represent a complete list of all Jira tickets involved in
>>>>>>>> this release:
>>>>>>>>
>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12335347
>>>>>>>>
>>>>>>>> One question regarding the new password encryption. Will that work
>>>>>>>> for users that migrate from old versions to new OpenMeetings?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Sebastian
>>>>>>>>
>>>>>>>> 2016-08-12 13:44 GMT+12:00 Maxim Solodovnik <[email protected]>:
>>>>>>>>>
>>>>>>>>> I'm closing the vote
>>>>>>>>> The VOTE has passed
>>>>>>>>>
>>>>>>>>> we have 4 +1 from PMC: solomax, albus, vdegtyarev, sebawagner
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> WBR
>>>>>>>>> Maxim aka solomax
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sebastian Wagner
>>>>>>>> https://twitter.com/#!/dead_lock
>>>>>>>> [email protected]

--
WBR
Maxim aka solomax
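The problem the thread circles around is a restored backup whose passwords are all unsalted MD5 hashes that the new crypt class cannot verify, and whether every user must then go through a reset. Besides the three options Maxim lists, the usual engineering answer is to keep verifying the legacy hash and re-hash the plaintext with the new class at the moment a user logs in successfully, so the store migrates itself one account at a time, with a "reset required" flag (option 3) available for accounts that never log in. The following is an added example written for this page, not OpenMeetings code: it assumes hex MD5 as the legacy format, salted PBKDF2-HMAC-SHA256 as a stand-in for the new crypt class (the thread does not name the algorithm), a per-user `crypt_class` field and a `reset_required` flag; the field names and the sample backup record are constructed.

```python
import hashlib
import hmac
import os

# Assumed scheme labels for this example; not OpenMeetings' real crypt class names.
LEGACY = "md5"
MODERN = "pbkdf2-sha256"
PBKDF2_ROUNDS = 200_000


def legacy_md5_hash(password: str) -> str:
    """Unsalted hex MD5, the kind of value an old backup carries."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as 'salt_hex$dk_hex' (assumed storage format)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_md5_hash(password), stored)


VERIFIERS = {LEGACY: legacy_verify, MODERN: modern_verify}


def login(user: dict, password: str) -> str:
    """Return 'ok', 'reset_required' or 'denied'.

    A successful login of a user whose record still uses the legacy class
    re-hashes the plaintext just presented with the modern class, so the
    password store upgrades itself without a mass reset. A failed attempt
    changes nothing, so an attacker cannot trigger a re-hash.
    """
    verify = VERIFIERS[user["crypt_class"]]
    if not verify(password, user["password_hash"]):
        return "denied"
    if user["crypt_class"] == LEGACY:
        user["password_hash"] = modern_hash(password)
        user["crypt_class"] = MODERN
    if user.get("reset_required"):
        return "reset_required"
    return "ok"


def flag_all_for_reset(users: list) -> int:
    """Admin action from option 3: force every user through a password reset."""
    for u in users:
        u["reset_required"] = True
    return len(users)


def set_new_password(user: dict, new_password: str) -> None:
    user["password_hash"] = modern_hash(new_password)
    user["crypt_class"] = MODERN
    user["reset_required"] = False


def import_from_backup(records: list) -> list:
    """Constructed stand-in for a backup import: records carry only a login and an MD5 hash."""
    return [{"login": r["login"], "password_hash": r["md5"],
             "crypt_class": LEGACY, "reset_required": False} for r in records]


def demo() -> dict:
    # Constructed sample backup; the plaintext is known only so the demo can log in.
    users = import_from_backup([{"login": "alice", "md5": legacy_md5_hash("correct horse")}])
    alice = users[0]
    results = {
        "wrong_pw": login(alice, "wrong"),
        "class_after_wrong": alice["crypt_class"],
        "right_pw": login(alice, "correct horse"),
        "class_after_right": alice["crypt_class"],
        "right_pw_again": login(alice, "correct horse"),
    }
    flag_all_for_reset(users)
    results["after_flag"] = login(alice, "correct horse")
    set_new_password(alice, "new passphrase")
    results["after_reset"] = login(alice, "new passphrase")
    results["old_pw_after_reset"] = login(alice, "correct horse")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important property is in `login`: the legacy verifier is only ever consulted for records still marked `md5`, and the upgrade happens only after a successful verification, so importing an old backup keeps every existing login working while the share of MD5 records shrinks with normal use. Accounts that still carry the legacy class after a grace period are the ones the option-3 flag is for.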
