[Eagle-i-admins] Eagle-i-admins Digest, Vol 20, Issue 1

Bourges, Daniela Daniela_Bourges at hms.harvard.edu
Fri May 1 13:32:20 EDT 2015


Faith, Joshua,

Thanks for initiating this discussion.

This is a known issue, stemming from the very simple authentication mechanism that was originally implemented when eagle-i was being prototyped. We honestly haven’t had any cycles to go back and reimplement it (any volunteers?). 
Do note that only the admin has access to this information. In the servers we maintain we mitigate the risk at the OS level, e.g. by keeping the backups and other serialized data in a directory with very restricted access. Of course this is no replacement for the correct solution (storing hashes as Joshua points out), but unfortunately we don’t have a good estimate of when this will be implemented.

Kind regards,
Daniela



> On May 1, 2015, at 12:03, Lease, Joshua <jlease at hmc.psu.edu> wrote:
> 
> I believe that the passwords are stored in plain text in the database. Optimally, it would be stored as a hash at that level (and therefore would be a hash from make-snapshot.sh).
> 
> 
> 
> On 5/1/15, 12:00 PM, "eagle-i-admins-request at open.med.harvard.edu" <eagle-i-admins-request at open.med.harvard.edu> wrote:
> 
>> Today's Topics:
>> 
>>  1. output of make-snapshot.sh (Faith Coldren)
>> 
>> 
>> ----------------------------------------------------------------------
>> 
>> Message: 1
>> Date: Thu, 30 Apr 2015 15:59:36 -0400
>> From: Faith Coldren <fcoldren at mail.med.upenn.edu>
>> To: "eagle-i-admins at open.med.harvard.edu"
>> 	<eagle-i-admins at open.med.harvard.edu>
>> Subject: [Eagle-i-admins] output of make-snapshot.sh
>> 
>> Hi,
>> 
>> We saw that the users.trig file output by make-snapshot.sh stores the
>> credentials in plain text.
>> 
>> Is this by design?
>> If so, is there a plan to change the output of user credentials to a hash?
>> 
>> Thank you,
>> Faith
> _______________________________________________
> Eagle-i-admins mailing list
> Eagle-i-admins at open.med.harvard.edu
> https://open.med.harvard.edu/mailman/listinfo/eagle-i-admins


