author: Joey Hess <joey@kodama.kitenet.net> 2008-05-29 15:17:19 -0400
committer: Joey Hess <joey@kodama.kitenet.net> 2008-05-29 15:17:19 -0400
commit: 4152dca09e6a7d9b0da81cb5ac6f76e8f05d2a23
tree: cc982e849a97ea7d4105dda3e3ae5ce4462b0775 /debian
parent: 774a5f86b2fa8dcbc561c50901cf655711e836dc
documentation for use of hashed passwords
Everything but the actual coding to support them.
Diffstat (limited to 'debian')
-rw-r--r-- debian/NEWS 12
-rw-r--r-- debian/changelog 9
-rw-r--r-- debian/control 2
3 files changed, 21 insertions, 2 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 9dd93c85e..086798750 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+ikiwiki (2.48) unstable; urgency=low
+
+ If you allowed password based logins to your wiki, those passwords were
+ stored in cleartext in the userdb. To guard against exposing users'
+ passwords, I recommend you install the Authen::Passphrase perl module, and
+ then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
+ existing cleartext passwords with strong (blowfish) hashes.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 29 May 2008 14:39:34 -0400
+
ikiwiki (2.46) unstable; urgency=low
There were some significant template changes in ikiwiki 2.42 (and 1.33.5).
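Review bot: the new 2.48 NEWS entry, at "I recommend you install the Authen::Passphrase perl module", does not say what happens when the module is absent. The changelog in this same commit makes hashing conditional ("if Authen::Passphrase is installed"), so an admin who skips the install keeps cleartext passwords in the userdb; state that outcome explicitly here, since NEWS is what upgraders read. The entry also says "strong (blowfish) hashes" where debian/changelog says "Eksblowfish"; use one name in both files so readers can look up the scheme.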
@@ -89,7 +99,7 @@ ikiwiki (2.14) unstable; urgency=low
This version of ikiwiki is more picky about symlinks in the path leading
to the srcdir, and will refuse to use a srcdir specified by such a path.
- This was necessary to avoid some potential exploits, but could potentially
+ This was necessary to avoid some potential exploits, but could potentially
break (semi-)working wikis. If your wiki has a srcdir path containing a
symlink, you should change it to use a path that does not.
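Review bot: the removed and added "This was necessary to avoid some potential exploits, but could potentially" lines read identically, so this looks like a whitespace-only change to the 2.14 entry that has nothing to do with the hashed-password documentation. Either mention it in the commit message or move it to its own commit so the history of this security note stays easy to follow.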
diff --git a/debian/changelog b/debian/changelog
index 1d9f18320..fb448e7dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,15 @@ ikiwiki (2.48) UNRELEASED; urgency=low
explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl
5.8 needs this to avoid crashing on malformed utf-8, despite its docs
saying it is the default.
+ * passwordauth: If Authen::Passphrase is installed, use it to store
+ password hashes, crypted with Eksblowfish.
+ * Existing cleartext passwords in the userdb will be automatically hashed
+ (if Authen::Passphrase is installed) the next time a user logs in.
+ Or `ikiwiki-transition hashpassword /path/to/srcdir` can be used to force
+ a conversion.
+ * Passwords will no longer be mailed, but instead a password reset link
+ mailed.
+ * The password_cost config setting is provided as a "more security" knob.
-- Joey Hess <joeyh@debian.org> Wed, 28 May 2008 03:07:37 -0400
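Review bot: the password_cost entry describes the setting only as a "more security" knob; say what it controls, what the default is, and what raising it costs, so an admin can choose a value. The "next time a user logs in" entry also means accounts that never log in again stay in cleartext until `ikiwiki-transition hashpassword /path/to/srcdir` is run, and that deserves a sentence of its own rather than being left as the "Or" alternative. Since the commit message says the coding is not done yet, these entries document behaviour that is not in the tree at this commit; check they still match once the implementation lands.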
diff --git a/debian/control b/debian/control
index 3bd14a526..b71cbed6f 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki
Package: ikiwiki
Architecture: all
Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl
-Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl
+Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl
Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl
Conflicts: ikiwiki-plugin-table
Replaces: ikiwiki-plugin-table
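Review bot: libauthen-passphrase-perl is added to Recommends rather than Depends, so an install that skips recommended packages gets no hashing support, and by the changelog wording in this commit passwordauth then stores passwords unhashed. The NEWS entry treats cleartext storage as the problem being fixed, so consider moving the package to Depends, or have ikiwiki warn when passwordauth is enabled and the module is missing.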