Hello Peter,

I have implemented #3 http://git-wip-us.apache.org/repos/asf/openmeetings/diff/156bcc79
The only difference: Password re-hashing is not being emailed but logged with WARN level

Would appreciate if you can test it and let me know your thoughts :)
Build 36+ from here: https://builds.apache.org/view/M-R/view/OpenMeetings/job/Openmeetings%203.3.x/

On Fri, Jun 16, 2017 at 2:43 PM, Maxim Solodovnik <[email protected]> wrote:
> Both external and LDAP users would not be affected
>
> Will try to implement 3) as you have described, looks doable :)
> Thanks!
>
> On Fri, Jun 16, 2017 at 2:34 PM, Peter Dähn <[email protected]> wrote:
>
>> Hi Maxim,
>>
>> We have a lot of external users in our system and just a few "real" users. Am
>> I right that this doesn't apply to external users, or is this case also
>> handled?
>>
>> 1 and 2 wouldn't be my favorites.
>>
>> I would prefer 3 and have an alternative if 3 isn't possible.
>>
>> 3) We had a similar change in our system. They did it in the following
>> way.
>>
>> - user login -> check password with sha256
>> - if this doesn't match check password against md5
>> - if this matches store sha256-hash for further logins and send an
>> e-mail to that user "Rewrote password for security-reasons. If you didn't
>> login right now, inform your system-admin" or something like that.
>> - if both hashes don't match deny login.
>>
>> This would be the most user-friendly way I think.
>>
>> 4) Alternatively one could reset all passwords and if a user tries to login
>> with empty password one gets a popup "Your password needs to be renewed. You got
>> an e-mail". The system sends an e-mail with a link to create a new password.
>>
>> These are our ideas so far.
>>
>> Greetings Peter
>>
>>
>> On 14.06.2017 at 09:07, Maxim Solodovnik wrote:
>>
>>> Sure, have to fix some issues
>>> Will try to finish everything until next week-end :)
>>> So no rush right now :)
>>>
>>> My ideas were:
>>> 1) Add Admin function "reset all passwords" (not sure how users should be
>>> notified on new password in this case)
>>> 2) Add Admin function: "Email all users" general email "Please reset your
>>> passwords" will be sent to all users
>>> 3) Allow login with old password and require user to change it, possible
>>> but seems to be tricky
>>>
>>> Will wait for the results of your discussion :)
>>>
>>> On Wed, Jun 14, 2017 at 2:00 PM, Peter Dähn <[email protected]> wrote:
>>>
>>>> Hi Maxim,
>>>>
>>>> you are right, this point is left....
>>>> I think I'll try to discuss this with a colleague of mine. Maybe we get an
>>>> idea...
>>>>
>>>> Back later then, or most likely on Friday. I hope this is on time.
>>>>
>>>> Greetings Peter
>>>>
>>>>
>>>> On 14.06.2017 at 07:43, Maxim Solodovnik wrote:
>>>>
>>>> Thanks a lot Peter,
>>>>
>>>> Now I'm back and ready to help :)
>>>>
>>>> Would appreciate to hear any thought regarding "soft" changing of
>>>> password hash function
>>>>
>>>> On Mon, Jun 12, 2017 at 6:40 PM, Peter Dähn <[email protected]> wrote:
>>>>
>>>> so.. now it is time I think...
>>>>
>>>> Congratulations! I hope you had a nice wedding and a few relaxing
>>>> days...
>>>>
>>>> Greetings Peter
>>>>
>>>>
>>>> On 24.05.2017 at 12:03, Peter Dähn wrote:
>>>>
>>>> ok.. then good luck...
>>>>
>>>> and best wishes when you are back... ;-)
>>>>
>>>>
>>>> On 24.05.2017 at 11:57, Maxim Solodovnik wrote:
>>>>
>>>> Thanks :)
>>>>
>>>> I'll be on vacation for the next 2 weeks, with rare access to the email
>>>> from my phone, so no rush :)
>>>>
>>>> On Wed, May 24, 2017 at 4:55 PM, Peter Dähn <[email protected]> wrote:
>>>>
>>>> ok.. need to think about it... ;-)
>>>>
>>>> I will be back in office next week... maybe with "THE IDEA".. or maybe
>>>> not... ;-)
>>>>
>>>> Greetings Peter
>>>>
>>>> On 24.05.2017 at 11:21, Maxim Solodovnik wrote:
>>>>
>>>> It is all discussible :)
>>>>
>>>> 3.0.7 still uses MD5CryptImplementation
>>>> <https://github.com/apache/openmeetings/blob/3.0.x/src/util/java/org/apache/openmeetings/util/crypt/MD5CryptImplementation.java>
>>>> which is not secure at all :(((
>>>> We can add back SHA256Implementation
>>>> <https://github.com/apache/openmeetings/blob/3.1.x/openmeetings-util/src/main/java/org/apache/openmeetings/util/crypt/SHA256Implementation.java>
>>>> (available since 3.1.x) for compatibility reasons, but I'm afraid there
>>>> is no clean way to perform backup and preserve passwords .....
>>>>
>>>> I thought maybe we can add "Reset All passwords" admin function, but
>>>> it is totally insecure :(
>>>> Any ideas are appreciated :)
>>>>
>>>> On Wed, May 24, 2017 at 4:15 PM, Peter Dähn <[email protected]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I think further investigation is not needed. I just didn't see it
>>>> before...
>>>>
>>>> Is this behavior the final state? Then it will be difficult to
>>>> update my installation (3.0.7). This should also be the problem with any
>>>> installation before 3.3.0. Isn't it?
>>>>
>>>> Greetings Peter
>>>>
>>>> On 24.05.2017 at 11:07, Maxim Solodovnik wrote:
>>>>
>>>> Hello Peter,
>>>>
>>>> these debug messages are OK during import (I can perform further
>>>> investigation, but I believe this is not an issue)
>>>>
>>>> Current 4.0.0 contains backported code from 3.3.0 which has stronger
>>>> Password rules ...
>>>> You were unable to login after restore from backup since Password Crypt
>>>> was changed to the SCrypt, which is stronger than SHA512 used before
>>>>
>>>> On Wed, May 24, 2017 at 3:50 PM, Peter Dähn <[email protected]> wrote:
>>>>
>>>> I tried to reset the password. I got the following message:
>>>>
>>>> "Weak' password: at least 1 special symbol '!@#$%^&*][' is required"
>>>>
>>>> Could this be the Problem? I think this shouldn't be like that,
>>>> because there wasn't such a restriction before.
>>>>
>>>> Greetings Peter
>>>>
>>>> On 24.05.2017 at 10:21, Peter Dähn wrote:
>>>>
>>>> Hi Maxim,
>>>>
>>>> I wanted to try out html5 video components...
>>>>
>>>> While importing my backup (worked before) I got a lot of these
>>>> messages below.
>>>>
>>>> DEBUG 05-24 10:06:49.592 AuthLevelUtil.java 56867 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [GRANTED]
>>>> DEBUG 05-24 10:06:49.601 AuthLevelUtil.java 56876 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.609 AuthLevelUtil.java 56884 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.615 AuthLevelUtil.java 56890 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.622 AuthLevelUtil.java 56897 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.629 AuthLevelUtil.java 56904 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>> DEBUG 05-24 10:06:49.636 AuthLevelUtil.java 56911 40 org.apache.openmeetings.db.util.AuthLevelUtil [main] - Level Login :: [DENIED]
>>>>
>>>> I never noticed these ones before. After starting the server, I
>>>> couldn't login with my admin user. "Username/email and/or password are
>>>> incorrect."
>>>>
>>>> Any Ideas?
>>>>
>>>> Greetings Peter
>>>>
>>>> --
>>>> B.Sc. Peter Dähn
>>>> Virtueller Campus Rheinland-Pfalz <http://www.vcrp.de/>
>>>> Postfach 3049
>>>> 67653 Kaiserslautern
>>>> Tel: 0631/205-4944
>>>> Olat <https://olat.vcrp.de/>
>
> --
> WBR
> Maxim aka solomax
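The fallback-and-rehash login flow from proposal 3) above (as implemented, with a WARN log in place of the e-mail), written out as an added Python sketch that is not the OpenMeetings code: it assumes unsalted MD5/SHA-256 hex digests for the legacy hashes and `hashlib.scrypt` for the new scheme; the user record layout, `make_user` and `login` are constructed for illustration.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("password-migration")

# Work-factor parameters for the new hash (assumed; not the project's settings).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}

# Legacy hashes are unsalted hex digests, as the thread describes for MD5/SHA-256.
LEGACY = {
    "md5": lambda pw: hashlib.md5(pw.encode()).hexdigest(),
    "sha256": lambda pw: hashlib.sha256(pw.encode()).hexdigest(),
}


def scrypt_hash(password: str, salt: bytes) -> str:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS).hex()


def make_user(login_name: str, algo: str, password: str) -> dict:
    """Constructed user record: 'algo' names the hash the stored value was made with."""
    if algo == "scrypt":
        salt = os.urandom(16)
        return {"login": login_name, "algo": algo, "salt": salt, "hash": scrypt_hash(password, salt)}
    return {"login": login_name, "algo": algo, "salt": b"", "hash": LEGACY[algo](password)}


def login(user: dict, password: str) -> bool:
    """Verify a password; on a legacy match, upgrade the stored hash to scrypt.

    Returns True only if some stored hash matched. External/LDAP accounts carry
    no local hash (algo None) and are rejected here; they are never migrated.
    """
    algo = user["algo"]
    if algo == "scrypt":
        return hmac.compare_digest(scrypt_hash(password, user["salt"]), user["hash"])
    verify = LEGACY.get(algo)
    if verify is None or not hmac.compare_digest(verify(password), user["hash"]):
        return False  # no hash matched: deny login, leave the record untouched
    # The password is known to be correct, so re-hash it with the current scheme.
    salt = os.urandom(16)
    user.update(algo="scrypt", salt=salt, hash=scrypt_hash(password, salt))
    log.warning("Password of user %s re-hashed from %s to scrypt", user["login"], algo)
    return True
```

A wrong password never triggers the upgrade, so a failed attempt leaves the legacy record exactly as it was.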
