On 05/16/2013 10:55 PM, Chip Childers wrote:
For those moving from 2.2.x, 3.0.x, 4.0 to 4.1:
1. We remove the incorrect auth mechanism and put in the right fix of
encoding at the server and not doing any UI magic.
2. We correct the API docs and other docs to indicate the user to send
in plaintext so clients can adjust to the change.
3. We describe this migration situation as Ove encountered and how it
can be corrected without any change using the plaintext authenticator.

I hope that this is fixed right and at the same time it doesn't break
backwards compatibility which is the solution that Kishan is proposing
and I'd recommend too.

Well said Prasanna.  I follow now.

So I'll pull in the patch.  What's missing though, is an update to the
release notes that describes the situation.

If someone wants to add that, then we can proceed with closing the bug
IMO.  If someone simply wants to write it into an email, I'll add it to
the release notes XML file if you want.

Let's keep the bug open until we get it documented though...

-chip


+1

I was baffled by the fact that the server-side authentication process up until now did not expect plain text passwords; that had me confused about what Kishan was communicating. From my point of view, fixing this design flaw is a must and motivates the user provisioning breakage, and an improved hash with salt adds additional icing. All is good.

For migration and provisioning scenarios requiring adding hashes directly, there is always direct DB access.

/Ove
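The thread agrees on three things: the API takes the plaintext password, the server (not the UI) does the hashing with a salt, and existing accounts provisioned under the old scheme must keep working without a DB rewrite. The sketch below, written for this page and not taken from CloudStack's own code, shows one way a server-side authenticator can satisfy all three at once. The legacy record format (an unsalted MD5 hex digest) and the new format (PBKDF2-HMAC-SHA256 with a per-user random salt) are assumptions for illustration; the point is the flow: verify against whatever scheme the stored record uses, then transparently upgrade a legacy record on the first successful login, while `make_salted_record` is what you would use to prepare hashes for direct DB insertion in the migration scenario Ove mentions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the salted scheme (assumed value for this example).
ITERATIONS = 200_000
SALT_LEN = 16


def make_legacy_record(password: str) -> dict:
    """Build a record in the assumed legacy, unsalted format (example only).
    Used here to construct a sample pre-migration account."""
    return {"scheme": "legacy", "digest": hashlib.md5(password.encode()).hexdigest()}


def make_salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the new server-side record: random per-user salt + iterated hash.
    This is also what a migration script would insert directly into the DB."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "digest": dk.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Check a plaintext password against a stored record of either scheme.
    Constant-time comparison avoids leaking digest bytes via timing."""
    if record["scheme"] == "legacy":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, record["digest"])
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(dk.hex(), record["digest"])


def authenticate(users: dict, username: str, password: str) -> bool:
    """Server-side authenticator for the plaintext-password API.

    - Unknown user: burn equivalent work so response time does not reveal
      whether the account exists, then fail.
    - Known user: verify against the stored scheme; on success, rewrite a
      legacy record to the salted scheme so no re-provisioning is needed.
    """
    record = users.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_LEN, ITERATIONS)
        return False
    if not verify(record, password):
        return False
    if record["scheme"] == "legacy":
        # Transparent upgrade: we only have the plaintext at login time.
        users[username] = make_salted_record(password)
    return True


if __name__ == "__main__":
    # Constructed sample user table (in memory; a real system uses the DB).
    users = {
        "alice": make_legacy_record("s3cret"),      # provisioned under old scheme
        "bob": make_salted_record("hunter2"),       # already on the new scheme
    }
    print("alice wrong pw:", authenticate(users, "alice", "wrong"))
    print("alice scheme before:", users["alice"]["scheme"])
    print("alice right pw:", authenticate(users, "alice", "s3cret"))
    print("alice scheme after:", users["alice"]["scheme"])
    print("bob:", authenticate(users, "bob", "hunter2"))
    print("unknown:", authenticate(users, "carol", "x"))
```

The upgrade-on-login step is what lets the plaintext authenticator "correct" old accounts without any change on the user's side: a failed attempt never touches the record, and a legacy record is only rewritten once the server has proven the password is right.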


--
Ove Everlid
System Administrator / Architect / SDN & Linux hacker
Mobile: +46706662363
Office: +4618656913 (note EMEA Time Zone)
