Rich,
we reacted to this by giving the site managers a recipe to fix this
problem. This is a simple change and the site admins should do this.
In the next release we will change the default template and follow
Steve Traylen's suggestion to include strong encryption and in addition
keep the crypted pwds out of CVS.
markus
P.S. The proposed solution:
All site managers create a file named, e.g., private-cfg.h which is NOT
checked in the CVS repository. In this file they copy the root password
setting line from local-cfg.h (I mean the line which goes "+auth.rootpwd
hnd78fa8976y").
Then they edit the local-cfg.h file and replace the auth.rootpwd line
with:
#include "private-cfg.h"
After that they can check the new local-cfg.h file in CVS.
On Wednesday, Nov 12, 2003, at 14:19 Europe/Zurich, Rich Baker wrote:
> I am copying this note to the LCG security working
> group which is the correct forum for assessing the
> impact of this problem and for recommending the best
> corrective course.
>
> Summary: Several passwords including root and user
> passwords for LCG nodes have been stored in publicly
> visible CVS repositories with relatively weak encryption.
> There is no known actual compromise, but exposed root
> passwords are generally not a good idea...
>
> Rich Baker
>
> Emanuele LEONARDI wrote:
>
>> Hi Gergo.
>> Yes, your remark is indeed correct. We had some discussion about this
>> in the past but left the issue for the future.
>> As, as you say, we are now quite visible, we should start caring more
>> about these issues. Here is my proposal:
>> All site managers create a file named, e.g., private-cfg.h which is
>> NOT checked in the CVS repository. In this file they copy the root
>> password setting line from local-cfg.h (I mean the line which goes
>> "+auth.rootpwd hnd78fa8976y").
>> Then they edit the local-cfg.h file and replace the auth.rootpwd line
>> with:
>> #include "private-cfg.h"
>> After that they can check the new local-cfg.h file in CVS.
>> If anybody has comments or other proposals on this issue, please let
>> me know.
>> Cheers
>> Emanuele
>> Debreczeni Gergely wrote:
>>> Hi,
>>>
>>> Just a proposal:
>>> Since google search "lcg cvs" gives out the cvs
>>> repository as the first entry, it is very
>>> easy to find node config files...
>>>
>>> ! I would recommend not to store the root and user passwords in CVS !
>>>
>>> It took me only 3 hours (on an AMD ATHLON 2000+) to decrypt a 5 letter
>>> long passwd which contains capital letters and numbers...
>>> A 6 letter long would take 211 hours ... but I have 50 processors
>>> ;-))))
>>>
>>> cheers
>>> Gergo
>>>
>>>
>>> --
>> -- /------------------- Emanuele Leonardi -------------------\
>> | eMail: [log in to unmask] - Tel.: +41-22-7674066 |
>> | IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23 |
>> \---------------------------------------------------------/
>
>
***********************************************************************************
Markus Schulz
CERN IT
|
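The private-cfg.h recipe from the thread, as an added example that is not part of the thread or of the LCG/LCFG tooling: it carves every `+auth.*pwd` line out of a local-cfg.h into a separate file, leaves a single `#include "private-cfg.h"` behind, and gives a pre-commit check that the file going into CVS no longer carries a hash. Only the `+auth.rootpwd <hash>` syntax is taken from the thread; the sample file, user name and hash values are constructed placeholders, and the classification of 13-character traditional DES crypt(3) output as the "weak encryption" Rich refers to is my assumption.

```python
"""Added example (not from the thread): move password lines out of an
LCFG-style local-cfg.h into private-cfg.h, which stays out of CVS, and
check the result before committing."""
import re

# Constructed sample of a local-cfg.h as it looks before the change.
# "hnd78fa8976yQ" imitates a 13-character traditional DES crypt(3) hash and
# "$1$..." an MD5-crypt hash; neither is a real password hash.
SAMPLE_LOCAL_CFG = """\
/* local-cfg.h -- constructed sample, not a real site file */
#define SITE_NAME "example-site"
+auth.rootpwd   hnd78fa8976yQ
+auth.users     alice
+auth.alicepwd  $1$saltsalt$Z0xVFjVv/V3Wkb7Bv4O2C0
+auth.shell     /bin/bash
"""

# Any resource of the form "+auth.<something>pwd <value>" carries a hash.
PWD_LINE = re.compile(r'^\s*\+auth\.\w*pwd\s+(\S+)')


def split_private(cfg_text, private_name="private-cfg.h"):
    """Return (public_text, private_text): public_text is cfg_text with all
    password lines replaced by one '#include "<private_name>"' at the spot
    of the first one; private_text holds the removed lines. Only
    public_text is meant to be checked into CVS."""
    public, private = [], []
    for line in cfg_text.splitlines():
        if PWD_LINE.match(line):
            if not private:                      # first hit: leave the include
                public.append('#include "%s"' % private_name)
            private.append(line)
        else:
            public.append(line)
    return "\n".join(public) + "\n", "".join(l + "\n" for l in private)


def leaked_hashes(text):
    """Pre-commit check: every password hash still present in a file that
    is about to be checked in. An empty list means it is safe to commit."""
    matches = (PWD_LINE.match(l) for l in text.splitlines())
    return [m.group(1) for m in matches if m]


def is_legacy_crypt(h):
    """True for the 13-character traditional DES crypt(3) format (assumed
    here to be the weak scheme the thread complains about); modular
    formats such as MD5-crypt ($1$...) are not flagged."""
    return len(h) == 13 and "$" not in h


def resolve_includes(public_text, files):
    """Mimic the preprocessor step so the effective configuration can be
    compared with the original: each '#include "name"' is replaced by the
    contents of files[name]."""
    out = []
    for line in public_text.splitlines():
        m = re.match(r'^#include\s+"([^"]+)"', line)
        out.extend(files[m.group(1)].splitlines() if m else [line])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    public, private = split_private(SAMPLE_LOCAL_CFG)
    print("--- local-cfg.h (goes into CVS) ---\n" + public)
    print("--- private-cfg.h (stays on the node) ---\n" + private)
    print("hashes left in local-cfg.h:", leaked_hashes(public))
    for h in leaked_hashes(private):
        verdict = "legacy DES crypt, replace" if is_legacy_crypt(h) else "ok"
        print("%s  %s" % (h, verdict))
```

Running `leaked_hashes` over local-cfg.h before every `cvs commit` is the check that matters; the `#include` alone does nothing if someone later pastes a hash back in. Listing private-cfg.h in the directory's `.cvsignore` keeps `cvs add` and `cvs import` from picking it up by accident.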