Both external and LDAP users would not be affected.
Will try to implement 3) as you have described, looks doable :)
Thanks!
On Fri, Jun 16, 2017 at 2:34 PM, Peter Dähn <[email protected]> wrote:
> Hi Maxim,
>
> We have a lot of external users in our system and just a few "real" users. Am I
> right that this doesn't apply to external users, or does this case also need to be
> handled?
>
> 1 and 2 wouldn't be my favorites.
>
> I would prefer 3 and have an alternative if 3 isn't possible.
>
> 3) We had a similar change in our system. They did it in the following way.
>
> - user login -> check password with sha256
> - if this doesn't match, check password against md5
> - if this matches, store the sha256 hash for further logins and send an
>   e-mail to that user: "Rewrote password for security reasons. If you didn't
>   login right now, inform your system admin" or something like that.
> - if both hashes don't match, deny login.
>
> This would be the most user-friendly way I think.
>
> 4) Alternatively one could reset all passwords, and if a user tries to login
> with an empty password one gets a popup "Your password needs to be renewed. You got
> an e-mail". The system sends an e-mail with a link to create a new password.
>
> These are our ideas so far.
>
> Greetings Peter
>
>
> On 14.06.2017 at 09:07 Maxim Solodovnik wrote:
>
>> Sure, have to fix some issues
>> Will try to finish everything by next weekend :)
>> So no rush right now :)
>>
>> My ideas were:
>> 1) Add Admin function "reset all passwords" (not sure how users should be
>> notified of the new password in this case)
>> 2) Add Admin function "Email all users": a general email "Please reset your
>> passwords" will be sent to all users
>> 3) Allow login with old password and require user to change it, possible
>> but seems to be tricky
>>
>> Will wait for the results of your discussion :)
>>
>> On Wed, Jun 14, 2017 at 2:00 PM, Peter Dähn <[email protected]> wrote:
>>
>>> Hi Maxim,
>>>
>>> you are right, this point is left....
>>> I think I'll try to discuss this with a colleague of mine. Maybe we get an
>>> idea...
>>>
>>> Back later then, or most likely on Friday. I hope this is on time.
>>>
>>> Greetings Peter
>>>
>>>
>>> On 14.06.2017 at 07:43 Maxim Solodovnik wrote:
>>>
>>> Thanks a lot Peter,
>>>
>>> Now I'm back and ready to help :)
>>>
>>> Would appreciate hearing any thoughts regarding "soft" changing of the
>>> password hash function
>>>
>>> On Mon, Jun 12, 2017 at 6:40 PM, Peter Dähn <[email protected]> wrote:
>>>
>>> so.. now it is time I think...
>>>
>>> Congratulations! I hope you had a nice wedding and a few relaxing days...
>>>
>>> Greetings Peter
>>>
>>>
>>> On 24.05.2017 at 12:03 Peter Dähn wrote:
>>>
>>> ok.. then good luck...
>>>
>>> and best wishes when you are back... ;-)
>>>
>>>
>>> On 24.05.2017 at 11:57 Maxim Solodovnik wrote:
>>>
>>> Thanks :)
>>>
>>> I'll be on vacation for the next 2 weeks, with rare access to email
>>> from my phone, so no rush :)
>>>
>>> On Wed, May 24, 2017 at 4:55 PM, Peter Dähn <[email protected]> wrote:
>>>
>>> ok.. need to think about it... ;-)
>>>
>>> I will be back in the office next week... maybe with "THE IDEA".. or maybe
>>> not... ;-)
>>>
>>> Greetings Peter
>>>
>>> On 24.05.2017 at 11:21 Maxim Solodovnik wrote:
>>>
>>> It is all discussible :)
>>>
>>> 3.0.7 still uses MD5CryptImplementation
>>> <https://github.com/apache/openmeetings/blob/3.0.x/src/util/java/org/apache/openmeetings/util/crypt/MD5CryptImplementation.java>
>>> which is not secure at all :(((
>>> We can add back SHA256Implementation
>>> <https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-util/src/main/java/org/apache/openmeetings/util/crypt/SHA256Implementation.java>
>>> (available since 3.1.x) for compatibility reasons, but I'm afraid there is
>>> no clean way to perform backup and preserve passwords .....
>>>
>>> I thought maybe we can add a "Reset All passwords" admin function, but it is
>>> totally insecure :(
>>> Any ideas are appreciated :)
>>>
>>> On Wed, May 24, 2017 at 4:15 PM, Peter Dähn <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I think further investigation is not needed. I just didn't see it
>>> before...
>>>
>>> Is this behavior the final state? Then it will be difficult to update my
>>> installation (3.0.7). This should also be the problem with any installation
>>> before 3.3.0. Isn't it?
>>>
>>> Greetings Peter
>>>
>>> On 24.05.2017 at 11:07 Maxim Solodovnik wrote:
>>>
>>> Hello Peter,
>>>
>>> these debug messages are OK during import (I can perform further
>>> investigation, but I believe this is not an issue)
>>>
>>> Current 4.0.0 contains backported code from 3.3.0 which has stronger
>>> Password rules ...
>>> You were unable to login after restore from backup since Password Crypt
>>> was changed to SCrypt, which is stronger than the SHA512 used before
>>>
>>> On Wed, May 24, 2017 at 3:50 PM, Peter Dähn <[email protected]> wrote:
>>>
>>> I tried to reset the password. I got the following message:
>>>
>>> "Weak' password: at least 1 special symbol '!@#$%^&*][' is required"
>>>
>>> Could this be the problem? I think this shouldn't be like that, because
>>> there wasn't such a restriction before.
>>>
>>> Greetings Peter
>>>
>>>
>>> On 24.05.2017 at 10:21 Peter Dähn wrote:
>>>
>>> Hi Maxim,
>>>
>>> I wanted to try out the html5 video components...
>>>
>>> While importing my backup (worked before) I got a lot of these messages
>>> below.
>>>
>>> DEBUG 05-24 10:06:49.592 AuthLevelUtil.java 56867 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [GRANTED]
>>> DEBUG 05-24 10:06:49.601 AuthLevelUtil.java 56876 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>> DEBUG 05-24 10:06:49.609 AuthLevelUtil.java 56884 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>> DEBUG 05-24 10:06:49.615 AuthLevelUtil.java 56890 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>> DEBUG 05-24 10:06:49.622 AuthLevelUtil.java 56897 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>> DEBUG 05-24 10:06:49.629 AuthLevelUtil.java 56904 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>> DEBUG 05-24 10:06:49.636 AuthLevelUtil.java 56911 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>
>>> I never noticed these ones before. After starting the server, I couldn't
>>> login with my admin user. "Username/email and/or password are incorrect."
>>>
>>> Any ideas?
>>>
>>> Greetings Peter
>>>
>>> --
>>> B.Sc. Peter Dähn
>>> Virtueller Campus Rheinland-Pfalz <http://www.vcrp.de/>
>>> Postfach 3049
>>> 67653 Kaiserslautern
>>> Tel: 0631/205-4944
>>> Olat <https://olat.vcrp.de/>
>>>
>>
>

--
WBR
Maxim aka solomax
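The "soft" hash migration Peter sketches in 3) (verify with the new scheme first, fall back to the legacy hash, rehash on success, deny if neither matches), as an added example that is not OpenMeetings code. It assumes a constructed user store rather than the project's schema, an unsalted MD5 legacy hash (standing in for the 3.0.x MD5CryptImplementation) and salted scrypt as the new scheme (which the thread says 4.0.0 uses), and it skips LDAP/external records since those are not affected; the user notification is modelled as a returned flag for the caller to act on.

```python
import hashlib
import hmac
import os

# Assumed scrypt work factors (not OpenMeetings' values): 2^14 * 8 * 128 = 16 MiB.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_md5(password: str) -> str:
    """Old unsalted MD5 scheme, assumed to mirror what 3.0.x stored."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_record(password: str) -> dict:
    """A local user record as it would be restored from a pre-3.3.0 backup."""
    return {"type": "local", "algo": "md5", "hash": legacy_md5(password)}


def new_record(password: str) -> dict:
    """Fresh salted scrypt record: the scheme a migrated user ends up with."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"type": "local", "algo": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def login(store: dict, username: str, password: str) -> tuple:
    """Return (accepted, rehashed). rehashed=True is the caller's cue to e-mail
    the user that the stored hash was rewritten on this login (Peter's step 3)."""
    rec = store.get(username)
    if rec is None or rec["type"] != "local":
        return (False, False)          # unknown user, or LDAP/external: not handled here
    if rec["algo"] == "scrypt":        # already migrated: verify with the new scheme only
        calc = hashlib.scrypt(password.encode("utf-8"),
                              salt=bytes.fromhex(rec["salt"]), **SCRYPT_PARAMS)
        return (hmac.compare_digest(calc.hex(), rec["hash"]), False)
    if rec["algo"] == "md5":           # legacy record: fall back to the old hash
        if hmac.compare_digest(legacy_md5(password), rec["hash"]):
            store[username] = new_record(password)   # upgrade on the fly
            return (True, True)
        return (False, False)          # neither scheme matched: deny login
    return (False, False)


if __name__ == "__main__":
    users = {"peter": legacy_record("old-md5-password")}   # constructed sample user
    print(login(users, "peter", "wrong"))              # (False, False)
    print(login(users, "peter", "old-md5-password"))   # (True, True), record is now scrypt
    print(login(users, "peter", "old-md5-password"))   # (True, False)
```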
