Harry Hoffman wrote:
> A root password hash is a bad idea! Cobbler doesn't really protect those directories, and if the errant bad guy were able to download the hash they might be able to get the password through rainbow tables or brute force.
>
> What we do for our local users is use apg to create a default new password. We drop the plaintext version of this in their homedir and ensure it's chmod 600 chown user.user.
>
> Something along these lines might be a bit better.
>
> Cheers,
> Harry
We could perhaps generate one on an install-by-install basis (using the magic of Cheetah), but we also then need to store that in cobbler in a way that is retrievable by the admin so they can know it if they need to log in. Cobbler's storage is read-only for this, so that is suboptimal. Of course a user can, if they so wish, modify the password in %post.

It's hard to pick something that is good for everyone that still works cleanly for fully automated installs without a lot of extra setup and confusion. So right now the docs say "run cobbler check" and that will warn you about the default.

Naturally the passwords are readable, but it's a hash, and there is a well-known tradeoff between the ability to automate a deployment that is administrable and the security of that deployment. Files deployed are by their very nature public, but if the user wants to scramble passwords in %post, that's fair game.

However, apg is not in RHEL.

If we were to tighten permissions on Cobbler state files and make it impossible to retrieve the password stored in cobbler via XMLRPC, we could do per-system root password generation as an option, though that's a pretty major RFE that we'd probably need to look at for 1.4.

Much of this is more of a documentation item as each site will have their own preferences.

--Michael
On Thu, 2008-10-16 at 19:41 +0200, Javier Palacios wrote:
>> A future idea for /usr/bin/cobbler setup is probably to ask the user
>> what they want the default password for the sample kickstarts to be and
>> then add that to the sample kickstarts.
>>
> Asking for a password does not match well with rpm install.
> What about just taking the hash from /etc/shadow from an existing user?
> (either a cobbler user or simply root)
>
> JaviP
> _______________________________________________
> cobbler mailing list
> cobbler(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
>
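The per-system alternative the thread circles around (Harry's apg-style generated default, and Michael's point that a site can scramble the shipped hash in %post) as a worked example; this is added here and is not code from the thread or from Cobbler. It assumes a Linux install environment with /dev/urandom, openssl 1.1.1 or later (for SHA-512 crypt via `passwd -6`) and shadow-utils' `chpasswd`; the file name `.initial-root-password` is a constructed choice.

```shell
#!/bin/sh
# Added example (not Cobbler's own code): replace the publicly readable
# default root hash from a sample kickstart with a per-system one in %post.
# Assumptions: /dev/urandom, openssl >= 1.1.1 (passwd -6), chpasswd -e.

# Random alphanumeric password of the requested length (default 20) from
# the kernel CSPRNG; LC_ALL=C keeps tr byte-oriented on binary input.
gen_password() {
    len="${1:-20}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Salted SHA-512 crypt hash ($6$salt$hash) for the given password.
# The password is passed on stdin so it never shows up in the process list.
hash_password() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# Keep the plaintext for the admin, owner-readable only (mode 600), the way
# the thread describes dropping a generated default into a home directory.
# Prints the path of the file it wrote. (File name is a constructed choice.)
store_plaintext() {
    dir="$1"; pw="$2"; owner="${3:-root}"
    f="$dir/.initial-root-password"
    ( umask 077; printf '%s\n' "$pw" >"$f" )   # created 0600, no race
    chmod 600 "$f"
    chown "$owner" "$f" 2>/dev/null || true     # may fail when not root
    echo "$f"
}

# Apply a pre-computed hash to root with chpasswd -e; only meaningful as
# root, i.e. inside the installer's %post chroot.
apply_root_hash() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_root_hash: must run as root" >&2; return 1; }
    printf 'root:%s\n' "$1" | chpasswd -e
}

# %post entry point: generate, hash, apply, and leave the plaintext in /root.
provision_root_password() {
    pw="$(gen_password 20)"
    apply_root_hash "$(hash_password "$pw")" || return 1
    store_plaintext "${1:-/root}" "$pw" root
}
# In the kickstart %post section, call:  provision_root_password /root
```

The hash still lands in /etc/shadow like any other, but it is unique to the installed system, so the hash visible in the kickstart or in Cobbler's state files no longer unlocks every machine built from it.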