Hey!
On 10/29/14, Luis Falcon wrote:
> Hi team
>
> I have created a basic python script ("serverpass.py"), that allows to
> generate or update the Tryton master password, and validate it against
> cracklib[1].
>
> The goal is to harden the security, as well as to facilitate its
> generation without editing manually the configuration file.
>
> It's done for GNU Health. Starting GNU Health 2.8, it will be called in
> the standard installation program (gnuhealth_install.sh), but it is
> also a stand-alone program, to update the password
>
> You can check the latest version at the GNU Health mercurial
> repository[2], in the default branch, browsing under
> "tryton/scripts/security" directory .
>
> I hope it can be useful to general Tryton installations, so I'm copying
> it to tryton-contrib list. It's just starting, so expect
> bugs, backup your configuration file, and don't use it in production
> environments yet :)
>
> Next should be checking for bad passwords at user level.
>
> Suggestions are most welcome.
I think it's a good start. Another angle is a blacklist of disallowed
passwords and roots. Dictionary attacks are powerful. Add some brute
force limiting, and that's probably good enough until we add something
more. (e.g., two-factor, etc.) I'll have to cross that bridge on the
FHIR server eventually, too.
-C
