
List:       openvas-cvs
Subject:    [Openvas-commits] r3217 - trunk/doc/website
From:       scm-commit () wald ! intevation ! org
Date:       2009-04-29 13:30:23
Message-ID: 20090429133023.9341240839 () pyrosoma ! intevation ! org

Author: mwiegand
Date: 2009-04-29 15:30:21 +0200 (Wed, 29 Apr 2009)
New Revision: 3217

Added:
   trunk/doc/website/openvas-cr-31.htm4
Modified:
   trunk/doc/website/openvas-crs.htm4
Log:
Added and linked Change Request #31.


Added: trunk/doc/website/openvas-cr-31.htm4
===================================================================
--- trunk/doc/website/openvas-cr-31.htm4	2009-04-29 11:59:07 UTC (rev 3216)
+++ trunk/doc/website/openvas-cr-31.htm4	2009-04-29 13:30:21 UTC (rev 3217)
@@ -0,0 +1,143 @@
+m4_dnl -*-html-*-
+m4_include(`template.m4')
+
+m4_dnl OpenVAS
+m4_dnl $Id$
+m4_dnl Description: OpenVAS Change Request #31
+m4_dnl
+m4_dnl Authors:
+m4_dnl Michael Wiegand <michael.wiegand@intevation.de>
+m4_dnl
+m4_dnl Copyright:
+m4_dnl Copyright (C) 2009 Intevation GmbH
+m4_dnl
+m4_dnl This program is free software; you can redistribute it and/or modify
+m4_dnl it under the terms of the GNU General Public License version 2,
+m4_dnl as published by the Free Software Foundation.
+m4_dnl
+m4_dnl This program is distributed in the hope that it will be useful,
+m4_dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+m4_dnl GNU General Public License for more details.
+m4_dnl
+m4_dnl You should have received a copy of the GNU General Public License
+m4_dnl along with this program; if not, write to the Free Software
+m4_dnl Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+
+
+PAGE_START
+<h2>OpenVAS Change Request #31: OpenVAS-Server: Remove support for plaintext \
password storage</h2> +
+<p>
+Status: In discussion.
+</p>
+
+<h3>Purpose</h3>
+
+<p>
+To ensure OpenVAS user passwords are not accidentally disclosed.
+</p>
+
+<h3>References</h3>
+
+<p>
+(none)
+</p>
+
+<h3>Rationale</h3>
+
+<p>
+New OpenVAS users are currently created by the server administrator using the
+openvas-adduser script shipped with openvas-server. The user password is
+currently stored using two 128-bit checksums produced by the MD5 message digest
+algorithm (for details see openvas-adduser.in) to ensure that even if the file
+containing the stored passwords is obtained by a malicious individual, it will
+not be trivial to derive the password needed to access the OpenVAS server from
+the information contained in this file.
+</p>
+
+<p>
+openvas-adduser first tries to use the command "openssl md5" command to produce
+MD5 checksums. If this fails, it will try the "md5sum" command. If neither
+command is available in the current path or in the directories searched by
+openvas-adduser, the script will continue to run, but will store the user
+password in plaintext in case password authentication is chosen without
+informing the server administrator that the password will be stored in
+plaintext.
+</p>
+
+<p>
+The openvas-server process (openvasd) currently supports this authentication
+mechanism as a last resort in case the file containing the hashed password
+cannot be opened.
+</p>
+
+<p>
+The behaviour described above was inherited from Nessus. This issue will
+only manifest itself if neither "openssl" nor "md5sum" is available during user
+creation. Since the "openssl" executable is necessary during server certificate
+creation (which usually happens before user creation) and the "md5sum"
+executable is an integral part of most (if not all) modern distributions,
+plaintext password storage is unlikely to occur under most circumstances, but
+may manifest itself under certain circumstances, for example when user creation
+happens in a chrooted environment where neither openssl nor md5sum is made
+available to the script.
+</p>
+
+<p>
+Nevertheless, plaintext password storage is usually not considered appropriate,
+especially for security applications. The lack of user feedback when MD5
+algorithms are not available is also unfortunate, since the server administrator
+will most likely assume that the password is stored in an encrypted form.
+</p>
+
+<p>
+This change request proposes removing the plaintext password storage mechanism
+as described under "Design and Implementation" by first removing the capability
+from openvas-adduser and then phasing out the support in openvas-server.
+</p>
+
+<h3>Effects</h3>
+
+<p>
+Once the plaintext password storage capability has been removed from
+openvas-adduser, it will no longer be possible to create users with password
+authentication if no MD5 algorithm is available. The script will fail if this is
+attempted.
+</p>
+
+<p>
+In order to stay compatible with installations where a plaintext password storage
+may have occurred, openvas-server will (for a time) continue to support this
+authentication mechanism, but will complain (loudly) whenever it encounters a
+plaintext password file.
+</p>
+
+<p>
+After a certain time, support for plaintext password storage will be removed
+from openvas-server. A script will be made available to convert existing users
+to an encrypted password storage.
+</p>
+
+<h3>Design and Implementation</h3>
+
+<p>
+<b>openvas-adduser.in</b>: (Line 103) The behaviour for cases where no MD5
+algorithm can be found will be changed so that openvas-adduser exits under these
+circumstances. (Line 305) The command for writing plaintext password files will
+be removed.
+</p>
+
+<p>
+<b>openvasd/users.c</b> (check_user): As a first step, openvasd will write a
+log message whenever it encounters a plaintext password file. Ultimately,
+openvasd will refuse logins by users without either a certificate or a password
+stored in a secure fashion.
+</p>
+
+<h3>History</h3>
+
+<ul>
+<li> 2009-04-29 Michael Wiegand &lt;michael.wiegand@intevation.de&gt;:<br>
+     Initial text.</li>
+</ul>
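Review bot: the wording "stored in an encrypted form" (Rationale, last paragraph) and "an encrypted password storage" (Effects, last paragraph) should read "hashed", since the file holds MD5 digests and not a reversible encryption of the password; the distinction matters for the threat this CR addresses (a stolen password file). For the openvasd/users.c step, the CR should also state that the log message emitted on finding a plaintext password file must name the user and file only and never echo the stored password, otherwise the transitional warning moves the plaintext from a root-readable file into the log. Finally, the Effects section says openvas-server will "complain (loudly)" while Design and Implementation says it will "write a log message"; pinning down the log level (and whether the login is still accepted during the transition period) would remove that ambiguity before the CR leaves discussion.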

Modified: trunk/doc/website/openvas-crs.htm4
===================================================================
--- trunk/doc/website/openvas-crs.htm4	2009-04-29 11:59:07 UTC (rev 3216)
+++ trunk/doc/website/openvas-crs.htm4	2009-04-29 13:30:21 UTC (rev 3217)
@@ -74,6 +74,7 @@
 <li> <a href="openvas-cr-28.html">OpenVAS Change Request #28: OpenVAS Management \
Protocol (OMP)</a> (in discussion)  <li> <a href="openvas-cr-29.html">OpenVAS Change \
Request #29: OpenVAS Unified Logging</a> (in discussion)  <li> <a \
href="openvas-cr-30.html">OpenVAS Change Request #30: OpenVAS Configuration \
Management Protocol (OMP)</a> (in discussion) +<li> <a \
href="openvas-cr-31.html">OpenVAS Change Request #31: OpenVAS-Server: Remove support \
for plaintext password storage</a> (in discussion)  </ul>
 
 <h3>How to write a change request</h3>
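Review bot: the new entry for Change Request #31 matches the style of the surrounding list items (link to the generated .html name, status in parentheses) and its "(in discussion)" status agrees with the "Status: In discussion." line of the added page, so the link itself is fine. While editing this list, note that the unchanged neighbouring entry for Change Request #30 carries the same "(OMP)" acronym as #28's "OpenVAS Management Protocol (OMP)" despite a different title; that looks like a copy-and-paste slip worth correcting in a follow-up commit.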

_______________________________________________
Openvas-commits mailing list
Openvas-commits@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-commits

