Sounds good. Will this also work for installations that use the LDAP/AD integration?

Thx
Seb

2016-08-13 13:47 GMT+12:00 Maxim Solodovnik <[email protected]>:
> Thanks Sebastian :)
>
> Actually this is the reason why I haven't dropped MD5 support. But I see no way to perform migration of user password without the requirement to reset password by each user.
> The only solutions I see are:
> 1) change crypt type and set sort of "welcome message: please reset password"
> 2) reset passwords for all users to some generated one and mass send emails with new password (don't like this idea)
> 3) add flag to the user: "Reset password is required", add admin button (set reset flag to all users)
>
> something like this
>
> On Sat, Aug 13, 2016 at 6:01 AM, [email protected] <[email protected]> wrote:
> >> Hi Maxim,
> >>
> >> my only concern is that if you import an old backup with v3.1.2 it is working as expected and you do not end up in a situation where you do an import and afterwards the login does not work as the password is encrypted with the old crypt class.
> >>
> >> I think we have to be careful with that especially as we are releasing security features which include recommendations to update. It would be embarrassing to recommend an update and then discover that the update path is broken.
> >>
> >> I might be able to do a quick installation and verification.
> >>
> >> I created a blog post for this release, please review:
> >> https://blogs.apache.org/openmeetings/entry/openmeetings_3_1_2_released
> >>
> >> I already published it as it's pretty much the same content as your email. But please have a quick look.
> >>
> >> Great work btw for getting the signing of the Webstart App finally out. I can remember discussing this for like 1 year.
> >>
> >> I think we can also move this discussion to @dev, nothing secret here anymore. The security patch is out now.
> >>
> >> Thanks,
> >> Seb
> >>
> >> 2016-08-12 17:08 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >>> Actually right now crypt class from the backup will be taken (no changes for users)
> >>>
> >>> We can force change in any version
> >>> I would propose 3.2.0 for this
> >>>
> >>> WBR, Maxim
> >>> (from mobile, sorry for the typos)
> >>>
> >>> On Aug 12, 2016 12:02, "[email protected]" <[email protected]> wrote:
> >>>> Hi Maxim,
> >>>>
> >>>> this will be required for anybody that upgrades from an older version to OpenMeetings v3.1.2, right? So we kind of missed the chance to do that.
> >>>>
> >>>> Can we not just automatically change it to the old encryption class for users that install via a backup?
> >>>>
> >>>> I think (1) is not an option anyway as it would need to have all passwords in blank to encrypt them. Which we neither have nor want to have from a security point of view.
> >>>>
> >>>> (2) is what you would usually do.
> >>>>
> >>>> However still, the migration path is kind of like a major thing. We don't want to lose all of our old user base because they have this upgrade issue.
> >>>>
> >>>> Thanks,
> >>>> Sebastian
> >>>>
> >>>> 2016-08-12 16:07 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >>>>> Hmmm,
> >>>>>
> >>>>> I see a couple of options here
> >>>>>
> >>>>> 1) Brute-force old user password and re-encrypt (unrealistic)
> >>>>> 2) Add sort of configurable "admin message" to Sign in dialog, something like: "All users unable to login need to reset their passwords, due to security of the system was enhanced"
> >>>>>
> >>>>> WDYT?
> >>>>>
> >>>>> On Fri, Aug 12, 2016 at 11:03 AM, [email protected] <[email protected]> wrote:
> >>>>>> "remove MD5*.class from bundle and correct class will be set automatically"
> >>>>>>
> >>>>>> Well my point is that in the old backup all passwords are encrypted with MD5. So once you imported that none of the logins will work anymore.
> >>>>>>
> >>>>>> Asking every user to type in a new password is quite some usability issue. And we also have no way of prompting users to switch the password once it's invalid other than going through the entire reset password cycle.
> >>>>>>
> >>>>>> So how will those be able to migrate?
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Sebastian
> >>>>>>
> >>>>>> 2016-08-12 15:52 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >>>>>>> Actually there are a couple of ways:
> >>>>>>>
> >>>>>>> 1) unzip backup, edit xml, zip it back
> >>>>>>> 2) remove MD5*.class from bundle and correct class will be set automatically
> >>>>>>>
> >>>>>>> I believe I'll choose #2 for 3.2.0 :)
> >>>>>>>
> >>>>>>> On Fri, Aug 12, 2016 at 10:50 AM, [email protected] <[email protected]> wrote:
> >>>>>>>> So you need to adjust the config key after you did import the backup.
> >>>>>>>>
> >>>>>>>> Is there any way the backup mechanism can do that automatically? I think it's a spring config bean, right?
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Sebastian
> >>>>>>>>
> >>>>>>>> 2016-08-12 15:46 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >>>>>>>>> demo is updated: https://om.alteametasoft.com/openmeetings
> >>>>>>>>>
> >>>>>>>>> yep, this is the complete list :)
> >>>>>>>>>
> >>>>>>>>> new password encryption will work, BUT crypt class needs to be manually changed
> >>>>>>>>> I plan to force it in 3.2.0
> >>>>>>>>>
> >>>>>>>>> On Fri, Aug 12, 2016 at 10:43 AM, [email protected] <[email protected]> wrote:
> >>>>>>>>>> Hi Maxim,
> >>>>>>>>>>
> >>>>>>>>>> let me know when you are ready to publish it.
> >>>>>>>>>>
> >>>>>>>>>> I would like to create a short blog post with the update.
> >>>>>>>>>>
> >>>>>>>>>> Does this represent a complete list of all Jira tickets involved in this release:
> >>>>>>>>>>
> >>>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12335347
> >>>>>>>>>>
> >>>>>>>>>> One question regarding the new password encryption. Will that work for users that migrate from old versions to new OpenMeetings?
> >>>>>>>>>>
> >>>>>>>>>> Thanks,
> >>>>>>>>>> Sebastian
> >>>>>>>>>>
> >>>>>>>>>> 2016-08-12 13:44 GMT+12:00 Maxim Solodovnik <[email protected]>:
> >>>>>>>>>>> I'm closing the vote
> >>>>>>>>>>> The VOTE is passed
> >>>>>>>>>>>
> >>>>>>>>>>> we have 4 +1 from PMC: solomax, albus, vdegtyarev, sebawagner
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> WBR
> >>>>>>>>>>> Maxim aka solomax

--
Sebastian Wagner
https://twitter.com/#!/dead_lock
[email protected]
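The migration problem the thread circles around (MD5 hashes in an old backup stop verifying once the crypt class changes, and nobody wants a mass reset) has a standard answer that is not raised in the exchange: keep verifying the legacy hash at login, and rehash with the new scheme at the one moment the cleartext password is available, a successful login. The per-user "reset required" flag from Maxim's option 3 then only needs to cover accounts that never log in. The following is an added example, not OpenMeetings code and not how the project's crypt classes are wired; the scheme names `md5` and `pbkdf2-sha256`, the `User` record, the unsalted-MD5 legacy format and the PBKDF2 parameters are all assumptions for illustration, and the sample records are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional

# Scheme identifiers are illustrative; they are not OpenMeetings' config keys.
LEGACY = "md5"             # unsalted MD5 hex digest, assumed format of an old backup
CURRENT = "pbkdf2-sha256"  # salted, iterated hash standing in for the "new crypt class"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass
class User:
    login: str
    crypt: str                    # which scheme produced `pwd`
    pwd: str                      # stored hash; its format depends on `crypt`
    reset_required: bool = False  # option 3 from the thread: force a reset on next login


def legacy_md5(password: str) -> str:
    """Legacy hash as assumed to appear in an old backup (unsalted MD5 hex)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Current scheme, stored as iterations$salt$key (salt and key in hex)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_current(stored: str, password: str) -> bool:
    """Constant-time check of a password against a current-scheme record."""
    iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


def verify_and_upgrade(user: User, password: str) -> bool:
    """Verify against whatever scheme the record carries.

    A successful login against the legacy scheme is the only time the
    cleartext password is in hand, so the record is rehashed with the
    current scheme right there; the user sees no reset at all.
    """
    if user.crypt == LEGACY:
        if not hmac.compare_digest(legacy_md5(password), user.pwd):
            return False
        user.pwd = new_hash(password)
        user.crypt = CURRENT
        user.reset_required = False
        return True
    if user.crypt == CURRENT:
        return verify_current(user.pwd, password)
    raise ValueError(f"unknown crypt scheme {user.crypt!r} for {user.login}")


def flag_legacy_users(users: Iterable[User]) -> int:
    """Admin action for accounts that never come back: mark every record still
    on the legacy scheme as requiring a reset. Returns the number flagged."""
    flagged = 0
    for user in users:
        if user.crypt == LEGACY:
            user.reset_required = True
            flagged += 1
    return flagged


if __name__ == "__main__":
    # Constructed sample: one record imported from an "old backup", one fresh.
    imported = User("imported-user", LEGACY, legacy_md5("correct horse"))
    fresh = User("new-user", CURRENT, new_hash("battery staple"))
    assert verify_and_upgrade(imported, "correct horse")   # logs in and is rehashed
    assert imported.crypt == CURRENT
    assert verify_and_upgrade(fresh, "battery staple")
    dormant = User("dormant", LEGACY, legacy_md5("never used again"))
    print("flagged for reset:", flag_legacy_users([imported, fresh, dormant]))
```

Two caveats a practitioner would want: the legacy verifier has to stay in the bundle until the last MD5 record is gone (dropping `MD5*.class`, as proposed for 3.2.0, is only safe after `flag_legacy_users` reports zero), and this only covers locally stored hashes. Accounts whose password is checked against an external directory have no local hash to migrate, so the LDAP/AD question at the top of the thread is a separate matter from the crypt class.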
