Hi,

Erlang has builtin distribution, which is secured by a secret cookie.
There has been some discussion about the possibility of brute-forcing this
cookie.

Looking at the cookie generation code we are of the opinion that there is not
enough entropy.

That is why we strongly advise using a different cookie than the one
generated by Erlang.

For this we have a simple script that you might run from the Zotonic/Erlang 
shell.

The script replaces the content of the “.erlang.cookie” file in the Zotonic home
directory and then sets the cookie of the running system to the newly generated
cookie.

First connect with your Erlang shell:

$ bin/zotonic shell

Then run the following (assuming you have a UNIX-like system):

begin
    %% 30 bytes from the OS random source, base64 encoded: a 40 character
    %% cookie made only of printable ASCII, which is what the cookie file accepts.
    Cookie = base64:encode(crypto:strong_rand_bytes(30)),
    F = filename:join(os:getenv("HOME"), ".erlang.cookie"),
    %% Safety check: the file must contain exactly the cookie this node is
    %% running with, so we do not overwrite a file belonging to a different
    %% setup. A badmatch here (for example because the file has a trailing
    %% newline) means you should use the manual procedure below instead.
    CurrCookie = atom_to_binary(erlang:get_cookie(), utf8),
    {ok, CurrCookie} = file:read_file(F),
    %% The cookie file is kept at mode 0400; make it writable, replace it,
    %% and lock it down again.
    ok = file:change_mode(F, 8#600),
    ok = file:write_file(F, Cookie),
    %% Switch the running node to the new cookie as well, since the file is
    %% only read when the node starts.
    erlang:set_cookie(node(), binary_to_atom(Cookie, utf8)),
    ok = file:change_mode(F, 8#400),
    binary_to_atom(Cookie, utf8)
end.

If the above doesn’t work, then you can do it manually:

1. Find the “.erlang.cookie” file in your Zotonic home directory.
2. Stop Zotonic.
3. Replace the contents of the file.
4. Start Zotonic.
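As an added example (not part of Marc's message), the manual steps 1 and 3 above as a small POSIX shell script. It builds the cookie the same way as the Erlang snippet (30 random bytes, base64 encoded, 40 printable characters), keeps a backup of the old file and leaves the new file readable only by its owner, the same 0400 mode the Erlang snippet sets. It assumes a POSIX sh with dd, base64 and /dev/urandom; the default path $HOME/.erlang.cookie comes from the message, the function names are mine. Stop Zotonic before running it and start it afterwards (steps 2 and 4): the running node does not pick up the file change by itself, which is why Marc's script also calls erlang:set_cookie.

```shell
#!/bin/sh
# Added example, not from the original message: install a freshly generated
# Erlang cookie in $HOME/.erlang.cookie while the node is stopped.
# Assumes POSIX sh, dd, base64 and /dev/urandom.

# 30 bytes from the OS random source, base64 encoded. 30 is a multiple of 3,
# so the result is exactly 40 characters with no '=' padding, matching
# base64:encode(crypto:strong_rand_bytes(30)) from the Erlang shell.
gen_cookie() {
    dd if=/dev/urandom bs=30 count=1 2>/dev/null | base64 | tr -d '\n'
}

# Write a new cookie to the given file (default: $HOME/.erlang.cookie).
# An existing file is backed up to <file>.bak (permissions preserved),
# made writable, overwritten without a trailing newline, and then locked
# down to mode 0400 so no other account on the host can read it.
# Prints the new cookie on success, returns 1 on any failure.
install_cookie() {
    file="${1:-$HOME/.erlang.cookie}"
    cookie="$(gen_cookie)"
    # Never install a cookie that is not the expected 40 characters.
    [ "${#cookie}" -eq 40 ] || return 1
    if [ -f "$file" ]; then
        rm -f "$file.bak"
        cp -p "$file" "$file.bak" || return 1
        chmod 600 "$file" || return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; printf '%s' "$cookie" > "$file" ) || return 1
    chmod 400 "$file" || return 1
    echo "$cookie"
}

# Permission bits of the cookie file as ls shows them; anything other than
# "r--------" means the cookie is exposed to other users on the machine.
cookie_mode() {
    ls -l "$1" | cut -c2-10
}
```

Call install_cookie with no argument to replace $HOME/.erlang.cookie, or give it a path to try it on a scratch file first; cookie_mode "$HOME/.erlang.cookie" afterwards should print r--------.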


Kind regards,

Marc

