Hi,
let’s say that someone does not use a GeoServer 2.2.x for quite some time,
the passwords are not stored anywhere, and the master/admin passwords
are just forgotten.
There must be a way for someone that has command line access to the GeoServer data
dir to start over and force GeoServer to use a certain new password.
Is there?
Cheers
Andrea
–
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
Two possibilities
- Check for a file security/masterpw.info
  This file contains the master password and you can log in with the user root. root has ROLE_ADMINISTRATOR.
- If you are using the default user group service, you can do the following:
  Open security/usergroup/default/users.xml. Look for the admin user and set the password attribute like
  password="plain:geoserver".
Obtaining the master password is difficult. It is located in security/masterpw/default/passwd. The password is stored encrypted and useless. You have to start a debug session to find this password in memory. Please tell me if you need further assistance.
Christian
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
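The users.xml edit from Christian's second option, scripted as an added example in Java. This is not GeoServer's code and was not posted by anyone in the thread; it assumes the layout the reply names (security/usergroup/default/users.xml holding user elements with name and password attributes) and that GeoServer accepts the plain: prefix for an unencoded password, as stated above. The audit mode is an addition of this example: once the recovery login and the GUI password change are done, it lists every user whose stored password still starts with plain:, which should then be nobody. Run it with GeoServer stopped so the edited file is what gets loaded.

```java
// ResetUserPassword.java: added example, not GeoServer code.
// Usage:
//   java ResetUserPassword reset <data_dir>/security/usergroup/default/users.xml [user]
//   java ResetUserPassword audit <data_dir>/security/usergroup/default/users.xml
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ResetUserPassword {

    /** Temporary value from the reply: the "plain:" prefix marks an unencoded password. */
    static final String TEMP_PASSWORD = "plain:geoserver";

    static Document parse(Path file) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // users.xml carries no DTD; rejecting one blocks XXE through a tampered file.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(file.toFile());
    }

    static void save(Document doc, Path file) throws Exception {
        TransformerFactory.newInstance().newTransformer()
            .transform(new DOMSource(doc), new StreamResult(file.toFile()));
    }

    /** Returns the user element with the given name attribute, or null. */
    static Element findUser(Document doc, String name) {
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            if (name.equals(u.getAttribute("name"))) return u;
        }
        return null;
    }

    /** Names of users whose stored password still carries the "plain:" prefix. */
    static List<String> plainPasswordUsers(Document doc) {
        List<String> names = new ArrayList<>();
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            if (u.getAttribute("password").startsWith("plain:")) names.add(u.getAttribute("name"));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2 || !(args[0].equals("reset") || args[0].equals("audit"))) {
            System.err.println("usage: reset|audit <users.xml> [user]");
            System.exit(2);
        }
        Path usersXml = Paths.get(args[1]);
        Document doc = parse(usersXml);

        if (args[0].equals("audit")) {
            // After the recovery login and the GUI password change this list should be empty.
            System.out.println("users with plain: passwords: " + plainPasswordUsers(doc));
            return;
        }

        String user = args.length > 2 ? args[2] : "admin";
        Element u = findUser(doc, user);
        if (u == null) {
            System.err.println("no user '" + user + "' in " + usersXml);
            System.exit(1);
        }
        // Keep the original (digested) entry so the edit can be rolled back.
        Path backup = usersXml.resolveSibling(usersXml.getFileName() + ".bak");
        Files.copy(usersXml, backup, StandardCopyOption.REPLACE_EXISTING);
        u.setAttribute("password", TEMP_PASSWORD);
        save(doc, usersXml);
        System.out.println("password of '" + user + "' set to " + TEMP_PASSWORD
            + " (backup: " + backup + "); log in and change it in the GUI now");
    }
}
```

The backup file still holds the previous digest and the edited file holds a plaintext password until the GUI change replaces it, so both should stay readable only by the account GeoServer runs as, and the backup deleted once the new password is confirmed to work.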
Hi Andrea, did this help?
On Wed, Jan 16, 2013 at 1:36 PM, Christian Mueller <mcrmcr21@anonymised.com> wrote:
Hi Andrea, did this help?
Ah hey, yep, it’s a good set of indications.
Having a command line tool to extract the master password without having to
put GeoServer in debug mode would be quite useful
Cheers
Andrea
Perhaps a class with a main method in the main module. (if it is possible)
On Wed, Jan 16, 2013 at 5:10 PM, Christian Mueller <mcrmcr21@anonymised.com> wrote:
Perhaps a class with a main method in the main module. (if it is possible)
Yep, that would be nice
Cheers
Andrea
On 16/01/13 21:31, Andrea Aime wrote:
Having a command line tool to extract the master password without having to
put GeoServer in debug mode would be quite useful
Perhaps a command line tool to reset the master password, rather than extract it?
Because users often use the same password in multiple places, extraction of a password might grant unintended access elsewhere. I am thinking of the use-case of a GeoServer instance whose administrator changes.
Many systems only store HMAC hashes of passwords for security; by design they cannot extract the original plaintext.
Kind regards,
--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre
My ideas so far:
- lost password for the admin user
  You need access to the physical storage of the user/group service (xml file, sql table, …). Change the password value of the admin user to "plain:geoserver". (geoserver is the password). Log in as the admin user, change your password from geoserver to another value and press save. The new password is stored encoded replacing "plain:geoserver".
- lost master password
  The master password is not a digest since it is needed for encryption/decryption of the key store. You have to log in as an admin user. On the GUI you have to specify a file name and click on a button to store the plain master password in this file.
  The file name acts as a shared key between geoserver and the admin. (This is important, a fixed file location is vulnerable to an attack). The admin needs access to the file system, reads the master password and deletes the file.
  The method writing the file checks the calling method with
  StackTraceElement[] stackTraceElements = Thread.currentThread().getStackTrace();
  This is necessary to protect against "trojan horse" geoserver extensions.
Opinions?
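The caller check from the "lost master password" idea, as an added example in Java (Java 11 or later). It is not GeoServer's code and not something posted in the thread; the class names (AdminPage standing in for the trusted GUI page, OtherExtension for an extension that is not allowed to trigger an export), the placeholder master password and the extra hardening (refusing to overwrite an existing file, owner-only permissions) are assumptions of this example.

```java
// MasterPasswordExport.java: added example, not GeoServer code.
// The method that writes the plain master password to an admin-chosen file
// inspects the call stack and refuses every caller except the trusted page.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class MasterPasswordExport {

    // Only this class (standing in for the admin GUI page) may trigger an export.
    private static final Set<String> TRUSTED_CALLERS = Set.of(AdminPage.class.getName());

    // Placeholder: in a real deployment the value would come from the key store provider.
    private static char[] masterPassword() { return "example-master-pw".toCharArray(); }

    /** Writes the plain master password to target, a file name chosen by the admin. */
    public static void writeTo(Path target) throws IOException {
        // Walk the stack to this method's own frame; the next frame is our direct caller.
        StackTraceElement[] stack = Thread.currentThread().getStackTrace();
        String caller = null;
        for (int i = 0; i < stack.length - 1; i++) {
            if (stack[i].getClassName().equals(MasterPasswordExport.class.getName())
                    && stack[i].getMethodName().equals("writeTo")) {
                caller = stack[i + 1].getClassName();
                break;
            }
        }
        if (caller == null || !TRUSTED_CALLERS.contains(caller)) {
            throw new SecurityException("master password export refused for caller " + caller);
        }
        // Added hardening: never overwrite an existing file, and create the new one
        // owner-readable only (POSIX permissions are not available on every file system).
        try {
            Files.createFile(target,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            Files.createFile(target);
        }
        Files.write(target, new String(masterPassword()).getBytes(StandardCharsets.UTF_8));
    }

    /** Stands in for the trusted admin GUI page. */
    static class AdminPage {
        static void export(Path target) throws IOException { MasterPasswordExport.writeTo(target); }
    }

    /** Stands in for an extension that must not be able to reuse the export method. */
    static class OtherExtension {
        static void export(Path target) throws IOException { MasterPasswordExport.writeTo(target); }
    }

    public static void main(String[] args) throws IOException {
        // The admin would pick the name; here it is constructed under a temp directory.
        Path dir = Files.createTempDirectory("gs-export");
        Path target = dir.resolve("secret-" + System.nanoTime());
        try {
            OtherExtension.export(target);
            System.out.println("unexpected: untrusted caller succeeded");
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
        AdminPage.export(target);
        System.out.println("written by trusted caller: " + Files.readString(target));
        // As in the proposal, the admin reads the file and then deletes it.
        Files.delete(target);
        Files.delete(dir);
    }
}
```

The check trusts only the class name of the frame directly above writeTo, so a helper inserted between the page and writeTo would be refused unless it is added to the list. Since it keys on class names, it complements rather than replaces controlling which extension jars are deployed in the instance.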
On Mon, Jan 21, 2013 at 8:55 AM, Christian Mueller <mcrmcr21@anonymised.com> wrote:
Both suggestions seem good to me
Cheers
Andrea
Should I create a GSIP or is a JIRA improvement issue sufficient?
If I understand our time boxed model correctly, this improvement will be applied to GeoServer 2.4 with the possibility to backport it after a vote.
Christian
On Mon, Jan 21, 2013 at 9:52 AM, Christian Mueller <mcrmcr21@anonymised.com> wrote:
Should I create a GSIP or is a JIRA improvement issue sufficient?
Jira should be sufficient, it’s not a large change or significant new API right?
If I understand our time boxed model correctly, this improvement will be applied to GeoServer 2.4 with the possibility to backport it after a vote.
Yep, the backport of a new functionality requires a vote
Cheers
Andrea