[Openvas-commits] r3317 - in trunk/openvas-server: . doc openvasd
scm-commit@wald.intevation.org
Mon May 11 11:05:30 CEST 2009
Author: mwiegand
Date: 2009-05-11 11:05:29 +0200 (Mon, 11 May 2009)
New Revision: 3317
Modified:
trunk/openvas-server/ChangeLog
trunk/openvas-server/doc/openvas-adduser.8
trunk/openvas-server/openvas-adduser.in
trunk/openvas-server/openvasd/users.c
Log:
Implementing the first part of Change Request #31: Remove support for
plaintext password storage (http://www.openvas.org/openvas-cr-31.html).
* openvasd/users.c (check_user): openvasd will now display a warning
message on both stderr and the logfile when it encounters a password
stored in plaintext.
* openvas-adduser.in: Adding users without a working md5 algorithm is no
longer possible. Added an exit 1 in case no algorithm is found, removed
now obsolete reference to plaintext storage when storing credentials.
* doc/openvas-adduser.8: Updated, removed obsolete parts.
Modified: trunk/openvas-server/ChangeLog
===================================================================
--- trunk/openvas-server/ChangeLog 2009-05-11 08:34:39 UTC (rev 3316)
+++ trunk/openvas-server/ChangeLog 2009-05-11 09:05:29 UTC (rev 3317)
@@ -1,3 +1,18 @@
+2009-05-11 Michael Wiegand <michael.wiegand at intevation.de>
+
+ Implementing the first part of Change Request #31: Remove support for
+ plaintext password storage (http://www.openvas.org/openvas-cr-31.html).
+
+ * openvasd/users.c (check_user): openvasd will now display a warning
+ message on both stderr and the logfile when it encounters a password
+ stored in plaintext.
+
+ * openvas-adduser.in: Adding users without a working md5 algorithm is no
+ longer possible. Added an exit 1 in case no algorithm is found, removed
+ now obsolete reference to plaintext storage when storing credentials.
+
+ * doc/openvas-adduser.8: Updated, removed obsolete parts.
+
2009-05-05 Jan Wagner <waja at cyconet.org>
* packaging/debian/changelog: reengineered Michaels changes :P
Modified: trunk/openvas-server/doc/openvas-adduser.8
===================================================================
--- trunk/openvas-server/doc/openvas-adduser.8 2009-05-11 08:34:39 UTC (rev 3316)
+++ trunk/openvas-server/doc/openvas-adduser.8 2009-05-11 09:05:29 UTC (rev 3317)
@@ -1,4 +1,4 @@
-.TH OpenVAS-ADDUSER 8 "April 2000" "The OpenVAS Project" "User Manuals"
+.TH OpenVAS-ADDUSER 8 "May 2009" "The OpenVAS Project" "User Manuals"
.SH NAME
openvas-adduser \- add a user in the openvasd userbase
.sp
@@ -17,11 +17,9 @@
each user has.
.B openvas-adduser
-is a simple program which will add a user in the proper
+is a simple program which will add a user to the
.B openvasd
-configuration files, and will send a signal to
-.B openvasd
-if it is running to notify it of the changes.
+userbase.
The program is straightforward and asks for the following items:
.IP "\(bu Login"
@@ -33,14 +31,6 @@
the password that the user will use to connect to
.B openvasd
-.IP "\(bu Authentification type"
-the authentification method the client will use. The recommended
-method is \*(lqcipher\*(rq. However, if you compiled
-.B openvasd
-without the
-cipher support or if you are using a OpenVAS client which does not
-support the cipher layer, you'll have to use \*(lqplaintext\*(rq
-
.IP "\(bu Rules"
the set of rules to apply to the user. See below.
@@ -105,7 +95,7 @@
.RE
.SH SEE ALSO
-.BR openvas-rmuser (8),\ openvasd (8),\ openvas (1)
+.BR openvas-rmuser (8),\ openvasd (8)
.SH MORE INFORMATION ABOUT THE OpenVAS PROJECT
The canonical places where you will find more information
@@ -115,11 +105,6 @@
http://www.openvas.org/
.UE
(Official site)
-.br
-.UR
-http://cvs.openvas.org
-.UE
-(Developers site)
.RE
Modified: trunk/openvas-server/openvas-adduser.in
===================================================================
--- trunk/openvas-server/openvas-adduser.in 2009-05-11 08:34:39 UTC (rev 3316)
+++ trunk/openvas-server/openvas-adduser.in 2009-05-11 09:05:29 UTC (rev 3317)
@@ -100,7 +100,9 @@
"$X" = "401B30E3B8B5D629635A5C613CDB7919" ]; then
MD5CMD=md5sum
else
- MD5CMD=""
+ gettext "No MD5 algorithm found in the current path!"; echo
+ gettext "Please make sure either openssl or md5sum is available!"; echo
+ exit 1
fi
fi
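Review bot: the two new error messages are written to stdout (`gettext "..."; echo`) while the script exits with status 1; redirect them to stderr (`gettext "..." >&2; echo >&2`) so callers that capture stdout still see the failure text where diagnostics belong, and add the new msgids to the translation catalogs since they go through gettext.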
@@ -293,7 +295,6 @@
chmod 0700 "$localstatedir/lib/openvas/users/$login/auth"
if [ "$auth" = "pass" ]; then
- if [ "$MD5CMD" ]; then
test -c /dev/urandom &&
{
URANDOM=`dd if=/dev/urandom bs=16 count=16 2>/dev/null|$MD5CMD`
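Review bot: removing `if [ "$MD5CMD" ]; then` is consistent with the early `exit 1` above, but `test -c /dev/urandom && { ... }` remains the only guard around the random input: on a host without /dev/urandom `$URANDOM` stays empty and the seed degrades to the output of `date; df; ls -l`, which is largely predictable. Fail (or at minimum warn) when /dev/urandom is missing, the same way the missing MD5 tool is now handled.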
@@ -301,9 +302,6 @@
SEED=`(echo $SEED; date; df; ls -l; echo $URANDOM) | $MD5CMD | awk '{print $1}'`
H=`echo $Xn $SEED$password$Xc | $MD5CMD | awk '{print $1}'`
echo $H $SEED > "$localstatedir/lib/openvas/users/$login/auth/hash"
- else
- echo "$password" > "$localstatedir/lib/openvas/users/$login/auth/password"
- fi
elif [ "$auth" = "cert" ]; then
echo "$dn" > "$localstatedir/lib/openvas/users/$login/auth/dname"
fi
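Review bot: with the `else` branch gone the hash file is the only write path, but the unquoted `$password` in `echo $Xn $SEED$password$Xc` (context line) is still subject to word splitting and pathname expansion, so passwords containing spaces or `*` are hashed in altered form; quote the argument. This hunk also leaves any existing `auth/password` file for a login in place, so the man page or ChangeLog should state that such accounts must be re-created, as the new users.c warning tells the administrator.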
Modified: trunk/openvas-server/openvasd/users.c
===================================================================
--- trunk/openvas-server/openvasd/users.c 2009-05-11 08:34:39 UTC (rev 3316)
+++ trunk/openvas-server/openvasd/users.c 2009-05-11 09:05:29 UTC (rev 3317)
@@ -268,6 +268,26 @@
if ((f = fopen(fname, "r")) == NULL)
return BAD_LOGIN_ATTEMPT;
+ fprintf (stderr, "\n===========================================================\n");
+ fprintf (stderr, "WARNING! Plaintext password found in:\n");
+ fprintf (stderr, " %s\n", fname);
+ fprintf (stderr, "The account for user \"%s\" may have been compromised!\n", user);
+ fprintf (stderr, "Please create a new account with openvas-adduser and\n");
+ fprintf (stderr, "delete this account!\n");
+ fprintf (stderr, "Support for passwords stored in plaintext will be\n");
+ fprintf (stderr, "removed in the next openvas-server release!");
+ fprintf (stderr, "\n===========================================================\n");
+
+ log_write ("\n===========================================================\n");
+ log_write ("WARNING! Plaintext password found in:\n");
+ log_write (" %s\n", fname);
+ log_write ("The account for user \"%s\" may have been compromised!\n", user);
+ log_write ("Please create a new account with openvas-adduser and\n");
+ log_write ("delete this account!\n");
+ log_write ("Support for passwords stored in plaintext will be\n");
+ log_write ("removed in the next openvas-server release!");
+ log_write ("\n===========================================================\n");
+
bzero(orig, sizeof(orig));
fgets(orig, sizeof ( orig ) - 1, f);
fclose(f);
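Review bot: the warning fires every time check_user opens a plaintext `password` file, and authentication then proceeds unchanged (`fgets(orig, ...)`), so each login attempt against a legacy account writes a nine-line banner to the log while nothing is enforced; emit it once per account (or at startup) and, given the account is described as possibly compromised, consider rejecting the login or making that configurable. The message text is also duplicated verbatim for stderr and `log_write`; build it once and write it to both destinations, which also tidies the `removed in the next openvas-server release!` line that relies on the following call's leading `\n`.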