Some additional explanations here.

The admin password is kept during migration, except for the fact that it is
stored encrypted. The admin user is a normal user and it is also
possible to remove the admin user.

The master password defaults to "geoserver" and is used for

1) Login of the user "root" (root is an administrator and the root
user is not removable)

2) Encrypting the java key store containing the key material used by geoserver

You should change the master password, otherwise everybody can log in  
as an administrator to geoserver with userid "root" and password  
"geoserver".

Try it.

Even worse, using the Java keytool, an attacker could inspect all the
private key material contained in geoserver.jceks; the key store
password is the master password, which in turn is "geoserver".

For production systems you have to change the master password.

Hope that helps
Christian



Quoting Andrea Aime <andrea.a...@geo-solutions.it>:

> On Fri, Jul 20, 2012 at 4:40 PM, Matthew Foster
> <matthew.fos...@noaa.gov> wrote:
>
>> I just upgraded from 2.1.4 to 2.2-RC1.  The main page is giving me a
>> message that the master password has not been changed from the default.
>>  Our password was changed from the default prior to the upgrade.
>>
>> Is this a known issue?
>>
>
> The admin password is one thing, the master password is another
>
> Cheers
> Andrea
>
>
> --
> ==
> Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
> information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax:   +39 0584 962313
> mob:   +39  339 8844549
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
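
An audit check for the key store point made in the message above, added here as an example and not part of the original message or of GeoServer: it tests whether a copy of geoserver.jceks still verifies under the default master password "geoserver". It assumes the JCEKS trailer used by OpenJDK (SHA-1 over the UTF-16BE password, the string "Mighty Aphrodite" and the store contents); all function names and the sample stores are constructed for illustration.

```python
import hashlib
import hmac
import struct

JCEKS_MAGIC = 0xCECECECE          # first four bytes of a JCEKS file
DEFAULT_MASTER_PW = "geoserver"   # default named in the message above
SALT = b"Mighty Aphrodite"        # fixed string the JDK mixes into the digest


def store_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over password (UTF-16BE) + fixed string + store contents."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def opens_with(store: bytes, password: str) -> bool:
    """True if the trailing 20-byte integrity digest verifies under password."""
    if len(store) < 32 or struct.unpack(">I", store[:4])[0] != JCEKS_MAGIC:
        raise ValueError("not a JCEKS key store")
    body, trailer = store[:-20], store[-20:]
    return hmac.compare_digest(store_digest(body, password), trailer)


def audit(store: bytes) -> str:
    """Report whether the store is still protected by the default password."""
    if opens_with(store, DEFAULT_MASTER_PW):
        return "FAIL: key store opens with the default master password"
    return "OK: default master password rejected"


def make_empty_store(password: str) -> bytes:
    """Constructed sample: empty JCEKS (magic, version 2, zero entries)."""
    body = struct.pack(">IIi", JCEKS_MAGIC, 2, 0)
    return body + store_digest(body, password)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Path to a copy of the key store from your own data directory.
        with open(sys.argv[1], "rb") as fh:
            print(audit(fh.read()))
    else:
        print(audit(make_empty_store("geoserver")))
        print(audit(make_empty_store("constructed-long-passphrase")))
```

A FAIL result means the master password was never changed, so the same password also logs in the "root" user.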



_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
