[reSIProcate-users] web admin security change
Now that I've got your attention...
The parameter HttpAdminPassword has been abolished as of 1.9.0~rc1 (to
be announced in a moment).
Previously, this parameter would create a user called "admin" in the
database. This user would be invisible in the web-based user list.
Now, the user is visible but it is not used any more. So please just
delete the user with the name "admin@".
Instead, you now have to specify two new parameters:
# Realm to use for HTTP admin interface digest authentication
HttpAdminRealm = repro
# File containing user/password details
HttpAdminUserFile = users.txt
and then generate a users.txt file using the "htdigest" utility from
Apache or just using something like this:
USER=admin
REALM=repro    # must match HttpAdminRealm, very important!
PASS=foobar
# md5sum prints "<hash>  -" for stdin; keep only the hash field
HA1=`echo -n ${USER}:${REALM}:${PASS} | md5sum | cut -d' ' -f1`
echo ${USER}:${REALM}:${HA1} >> /etc/repro/users.txt
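Turning the snippet above into something reusable, as an added example that is not from the original post: shell functions that build a users.txt line in the htdigest format and check a user/realm/password against such a file. It assumes md5sum from coreutils is on PATH; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not repro's own code): htdigest-style users.txt helpers.
# Assumes md5sum (coreutils) is available.

# Hex MD5 of stdin, without md5sum's trailing "  -" field.
md5hex() {
    md5sum | cut -d' ' -f1
}

# HA1 as used by HTTP Digest: MD5(user:realm:password).
# The realm is hashed in, so it must match HttpAdminRealm exactly.
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5hex
}

# One users.txt / htdigest line: user:realm:HA1
htdigest_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(ha1 "$1" "$2" "$3")"
}

# Check user/realm/password against a users file: exit 0 on match, 1 otherwise.
# The lookup is on user AND realm, which is what a Digest verifier must do;
# -F -x avoids treating user names as regular expressions.
check_password() {
    file=$1; user=$2; realm=$3; pass=$4
    want=$(ha1 "$user" "$realm" "$pass")
    grep -qxF "${user}:${realm}:${want}" "$file"
}

# Demo on a constructed temporary file: run with DEMO=1 sh thisfile.sh
if [ "${DEMO:-0}" = 1 ]; then
    tmp=$(mktemp)
    htdigest_line admin repro foobar >> "$tmp"
    check_password "$tmp" admin repro foobar && echo "admin@repro: password ok"
    check_password "$tmp" admin other foobar || echo "admin@other: no match"
    rm -f "$tmp"
fi
```

Because the realm is part of HA1, a users.txt generated for one realm cannot be reused under another HttpAdminRealm value without regenerating every line.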
Benefits of this change:
- no more hidden user in the database
- no more plain text password in the config (so you can commit the
config to a repository like Git or SVN)
- realm stored with the username, so we can implement proper HTTP DIGEST
eventually
- multiple users can potentially be supported in future (now it is still
just one user)
- you can share the users.txt file between multiple repro instances on
the same box, it can also be shared with Apache web server as it is the
same format