User story #16620
closed
Add a command to generate user accounts after installation
Description
We should not open the server with a default password after installation.
It leaves an open window for compromising the server before password change, and we regularly see Rudder servers in the wild with default passwords. It should not be the default behavior.
We should display the password in install output and document how to set it automatically for automated installs.
Updated by Benoît PECCATTE about 4 years ago
- Status changed from New to In progress
- Assignee set to Benoît PECCATTE
Updated by Benoît PECCATTE about 4 years ago
- Status changed from In progress to New
- Assignee deleted (
Benoît PECCATTE)
Updated by Alexis Mousset about 4 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset about 4 years ago
- Status changed from In progress to New
- Assignee deleted (
Alexis Mousset) - Private changed from Yes to No
Updated by Alexis Mousset about 4 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset about 4 years ago
passwd=$(dd if=/dev/urandom count=128 bs=1 2>/dev/null | base64 -w0 | cut -b-20) hash=$(htpasswd -nbBC 12 "" "$passwd" | tr -d ':\n')
Updated by Vincent MEMBRÉ about 4 years ago
- Target version changed from 6.0.3 to 6.0.4
Updated by Vincent MEMBRÉ about 4 years ago
- Target version changed from 6.0.4 to 6.0.5
Updated by Alexis Mousset about 4 years ago
- Related to User story #16732: It should be impossible to connect with "admin" password with default config added
Updated by François ARMAND about 4 years ago
- Related to User story #17070: Display a warning in place of login form if no user are defined added
Updated by François ARMAND about 4 years ago
- Priority changed from 122 to 120
Actually, generating password during installation is just too error prone. There is a lot of risks, like password ending in logs, and most likely user won't see/copy/etc it (lost in the middle of log, and even if we successfully make it appears in last position, a lot of people just don't read installation logs).
So, we will do:
- create a command "rudder server init-roor-admin" that only create an admin user with the admin rights and given password (that ticket will do that),
- don't create and admin user in rudder-users.xml file at all during installation. Of course, it doesn't change anything for cases where that file already exists, like for rudder upgrade, and if you want to have predefined user with known password you can just pre-create that file or override it after installation (#16732),
- warn on login page if no user are defined and point to documentation about how to do that (#17070).
We wonder if it would be nice to have a form on fisrt connexion that just let you fill admin login/password, but we are not sure about the idea of letting anybody define a root user if for some reason rudder-users.xml got erased.
Updated by François ARMAND about 4 years ago
- Target version changed from 6.0.5 to 6.1.0~beta1
- Priority changed from 120 to 60
Updated by François ARMAND about 4 years ago
- Effort required deleted (
Very Small) - Priority changed from 60 to 46
Updated by Alexis Mousset about 4 years ago
- Subject changed from Generate a random password during installation for admin account to Add a command to generate user accounts after installation
Updated by Alexis Mousset about 4 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-agent/pull/293
Updated by Alexis Mousset about 4 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-agent|c0ef3fbe5bd76b31ee8076c973f3ff40f43143f3.
Updated by François ARMAND almost 4 years ago
- Tracker changed from Bug to User story
- Severity deleted (
Critical - prevents main use of Rudder | no workaround | data loss | security) - Priority deleted (
46)
Updated by Vincent MEMBRÉ almost 4 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.0~beta1 which was released today.
Updated by Félix DALLIDET almost 4 years ago
- Fix check changed from To do to Checked