Implement the hacluster password verify gatherer #70
Conversation
Thanks Xabi, great stuff!
I shared with you some thoughts about the gatherer and related DSL.
Let's hear also from the rest of the team 🚀
e6fa5fc to cf06346
I'm a bit late to the party but I'm not entirely convinced that flexibility here is the key value to go for. I'd rather have the gatherer check exclusively for a well-known pre-established password, e.g. user: hacluster, password: linux, or whatever the known defaults are. Sending user:password combinations to the gatherer is indeed more flexible and allows reusing this gatherer for other things, but I'd seek security over flexibility here. As for the code, if we still decide to go with this approach: LGTM
@rtorrero you mean something like this option?

```yaml
facts:
  - name: my_hacluster_pass_has_changed
    gatherer: hacluster_password_changed
```

that encapsulates the username and related default password. That was also my thought, let's hear also from the rest of the team.
af7e21b to da8a35f
da8a35f to d661167
I took the liberty to pick this up and:
At this stage of the current gatherer's implementation we are able to tell whether a
The involved check here is 1.5.2
The
If this is fine, let's go ahead, otherwise we'd need to change the gatherer's logic.
LGTM
Yes (sorry for the late reply)
This gatherer checks if the provided password is the correct one for the hacluster user. As stated in the code:

> By now, there is no need to check the password for other users. The aim of this one is basically to check that the hacluster user password has been changed from the default one, so the cluster doesn't have such a big security hole.

Find some more information about the implementation details and how passwords work in Linux systems using hashing here:
https://linux-audit.com/password-security-with-linux-etc-shadow-file/
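As an added illustration (example code written for this page, not the gatherer implemented in this PR), here is a self-contained Python version of the check the description above outlines: it takes the hacluster line of an /etc/shadow file, re-derives the SHA-512-crypt (`$6$`) hash with the stored salt and round count, and compares it in constant time against a known default. The default password "linux" is the one named by @rtorrero earlier in this thread and is an assumption here (adjust it to the distribution's real default); the shadow lines are constructed for the example; the `sha512_crypt` routine is a pure-Python transcription of the glibc algorithm, used because the stdlib `crypt` module was removed in Python 3.13.

```python
import hashlib
import hmac
from typing import Optional

# sha512-crypt ($6$) as implemented by glibc: custom base64 alphabet and the fixed
# byte permutation applied to the final digest before encoding.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_ORDER = ((0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4), (47, 5, 26),
          (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51), (31, 52, 10), (53, 11, 32),
          (12, 33, 54), (34, 55, 13), (56, 14, 35), (15, 36, 57), (37, 58, 16), (59, 17, 38),
          (18, 39, 60), (40, 61, 19), (62, 20, 41))


def _b64_encode(digest: bytes) -> str:
    out = []
    for b2, b1, b0 in _ORDER:                      # 21 groups of 3 bytes -> 4 chars each
        w = (digest[b2] << 16) | (digest[b1] << 8) | digest[b0]
        for _ in range(4):
            out.append(_ITOA64[w & 0x3F])
            w >>= 6
    w = digest[63]                                  # last lone byte -> 2 chars
    for _ in range(2):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: Optional[int] = None) -> str:
    """Return the full $6$[rounds=N$]salt$hash string glibc's crypt(3) would produce."""
    pw, salt_b = password.encode(), salt.encode()[:16]  # salt is capped at 16 bytes
    n_rounds = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    alt = hashlib.sha512(pw + salt_b + pw).digest()     # digest B
    ctx = hashlib.sha512(pw + salt_b)                   # digest A
    ctx.update(alt * (len(pw) // 64) + alt[: len(pw) % 64])
    n = len(pw)
    while n > 0:                                        # one block per bit of len(pw)
        ctx.update(alt if n & 1 else pw)
        n >>= 1
    c = ctx.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()          # P sequence
    p = dp * (len(pw) // 64) + dp[: len(pw) % 64]
    ds = hashlib.sha512(salt_b * (16 + c[0])).digest()  # S sequence
    s = ds * (len(salt_b) // 64) + ds[: len(salt_b) % 64]
    for i in range(n_rounds):                           # the key-stretching loop
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    prefix = "$6$" + (f"rounds={n_rounds}$" if rounds is not None else "")
    return prefix + salt_b.decode() + "$" + _b64_encode(c)


def verify_shadow_password(hash_field: str, password: str) -> bool:
    """Constant-time check of a candidate password against a $6$ shadow hash field."""
    parts = hash_field.split("$")            # ['', '6', ('rounds=N',) salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("only sha512-crypt ($6$) hashes are handled in this example")
    rounds = None
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
    recomputed = sha512_crypt(password, parts[2], rounds)
    return hmac.compare_digest(recomputed, hash_field)


def hacluster_password_changed(shadow_text: str, user: str = "hacluster",
                               defaults: tuple = ("linux",)) -> bool:
    """True when `user`'s shadow entry matches none of the known default passwords.

    "linux" is the default named in this PR discussion; treat it as an assumption and
    replace it with the distribution's actual default where needed.
    """
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != user:
            continue
        hash_field = fields[1]
        if hash_field.startswith(("!", "*")):
            return True     # account locked: the default password cannot be used to log in
        return not any(verify_shadow_password(hash_field, pw) for pw in defaults)
    raise LookupError(f"no shadow entry for {user!r}")


# Constructed sample shadow data (not from a real host); hashes are generated here so the
# example runs offline. A real gatherer would read /etc/shadow as root instead.
_SALT = "Wq7zP2hKd9Rm4Lt1"   # arbitrary 16-char salt chosen for the example
SHADOW_DEFAULT = ("root:!:19500:0:99999:7:::\n"
                  f"hacluster:{sha512_crypt('linux', _SALT)}:19500:0:99999:7:::\n")
SHADOW_CHANGED = ("root:!:19500:0:99999:7:::\n"
                  f"hacluster:{sha512_crypt('R3ally-n0t-linux!', _SALT, rounds=10000)}"
                  ":19500:0:99999:7:::\n")

if __name__ == "__main__":
    for label, shadow in (("default", SHADOW_DEFAULT), ("changed", SHADOW_CHANGED)):
        print(f"{label}: hacluster password changed from default ->",
              hacluster_password_changed(shadow))
```

Only the `hacluster` entry is inspected and only `$6$` hashes are accepted, mirroring the single-user scope described above; the comparison of the recomputed string uses `hmac.compare_digest` so that a wrong candidate does not leak where the mismatch starts.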