From 4152dca09e6a7d9b0da81cb5ac6f76e8f05d2a23 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 29 May 2008 15:17:19 -0400
Subject: documentation for use of hashed passwords

Everything but the actual coding to support them.
---
 debian/NEWS | 12 +++++++++++-
 debian/changelog | 9 +++++++++
 debian/control | 2 +-
 3 files changed, 21 insertions(+), 2 deletions(-)
(limited to 'debian')
diff --git a/debian/NEWS b/debian/NEWS
index 9dd93c85e..086798750 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+ikiwiki (2.48) unstable; urgency=low
+
+ If you allowed password based logins to your wiki, those passwords were
+ stored in cleartext in the userdb. To guard against exposing users'
+ passwords, I recommend you install the Authen::Passphrase perl module, and
+ then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
+ existing cleartext passwords with strong (blowfish) hashes.
+
+ -- Joey Hess Thu, 29 May 2008 14:39:34 -0400
+
 ikiwiki (2.46) unstable; urgency=low
 There were some significant template changes in ikiwiki 2.42 (and 1.33.5).
@@ -89,7 +99,7 @@ ikiwiki (2.14) unstable; urgency=low
 This version of ikiwiki is more picky about symlinks in the path leading to the srcdir, and will refuse to use a srcdir specified by such a path.
- This was necessary to avoid some potential exploits, but could potentially
+ This was necessary to avoid some potential exploits, but could potentially
 break (semi-)working wikis. If your wiki has a srcdir path containing a symlink, you should change it to use a path that does not.
diff --git a/debian/changelog b/debian/changelog
index 1d9f18320..fb448e7dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,15 @@ ikiwiki (2.48) UNRELEASED; urgency=low
 explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl 5.8 needs this to avoid crashing on malformed utf-8, despite its docs saying it is the default.
+ * passwordauth: If Authen::Passphrase is installed, use it to store
+ password hashes, crypted with Eksblowfish.
+ * Existing cleartext passwords in the userdb will be automatically hashed
+ (if Authen::Passphrase is installed) the next time a user logs in.
+ Or `ikiwiki-transition hashpassword /path/to/srcdir` can be used to force
+ a conversion.
+ * Passwords will no longer be mailed, but instead a password reset link
+ mailed.
+ * The password_cost config setting is provided as a "more security" knob.
 -- Joey Hess Wed, 28 May 2008 03:07:37 -0400
diff --git a/debian/control b/debian/control
index 3bd14a526..b71cbed6f 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki
 Package: ikiwiki
 Architecture: all
 Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl
-Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl
+Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl
 Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl
 Conflicts: ikiwiki-plugin-table
 Replaces: ikiwiki-plugin-table -- cgit v1.2.3
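Review bot: The `+Recommends:` line makes libauthen-passphrase-perl optional, so the changelog's "If Authen::Passphrase is installed, use it to store password hashes" presumably leaves installs done without recommends still storing cleartext passwords, with nothing at the packaging level to flag it. If cleartext storage is no longer meant to be a supported mode, the module belongs in `Depends:` instead. If the optional fallback is intentional, the package Description (outside this hunk) should state that password hashing requires libauthen-passphrase-perl, so an admin knows what skipping the recommendation costs.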