Bug#864939: wiki.debian.org: Password reset instructions are confusingly worded

2017-06-17 Thread Mark Hymers
Package: wiki.debian.org
Severity: normal

As per request from Sledge:

18:27  ta, that'll be what I have wrong - the password reset asked for an email and I gave it mhy@d.o
18:27  you don't need both, just use the account name and it'll work out the rest
18:28  if you give both and they don't match it can get upset :-/
18:28  ahhh
18:28  sorry about that
18:28  np, it should be clearer!
18:29  in fact, file a bug to remind me please?


-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Re: wiki.debian.org password reset

2013-01-09 Thread Steve McIntyre
On Tue, Jan 08, 2013 at 07:53:01PM +, Luca Filipozzi wrote:
>On Tue, Jan 08, 2013 at 07:22:21PM +0100, Alexis-Emmanuel Haeringer wrote:
>> Hello,
>> Maybe I could expect an update on your site please. I was wondering if it
>> was possible to  NOT to register the IP address in a public way on your
>> wiki.
>> This is also why I had to stop my contribution

>Hi,
>
>These are questions for the Debian Wiki Administration Team (carbon copied).
>
>I'll let them reply to you.

Alexis-Emmanuel,

Thanks for asking about this, it's something that has been mentioned
before. I've just changed the config of the wiki so that it should no
longer show IP addresses or hostnames by default.

I hope that covers what you need. :-)

-- 
Steve McIntyre  93...@debian.org
Debian wiki admin - wiki.debian.org


-- 
To UNSUBSCRIBE, email to debian-www-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130109154924.ge13...@einval.com



Re: wiki.debian.org password reset

2013-01-08 Thread Luca Filipozzi
Hi,

These are questions for the Debian Wiki Administration Team (carbon copied).

I'll let them reply to you.

Regards,

Luca

On Tue, Jan 08, 2013 at 07:22:21PM +0100, Alexis-Emmanuel Haeringer wrote:
> Hello,
> Maybe I could expect an update on your site please. I was wondering if it
> was possible to  NOT to register the IP address in a public way on your
> wiki.
> This is also why I had to stop my contribution
> 
> 
> By example on :
> http://wiki.debian.org/AlexisHaeringer
> http://wiki.debian.org/RecentChanges
> AlexisHaeringer (last edited on 2011-04-27 20:44:10 by AlexisEmmanuelHaeringer,
> linked to http://wiki.debian.org/AlexisEmmanuelHaeringer with the link title
> "AlexisEmmanuelHaeringer @ 82.225.164.173[82.225.164.173]")
> 
> 
> (Ok it's too late for these records (FYI I had just changed my IP address) )
> 
> Thanks in advance
> Best regards
> 
> On 6 January 2013 23:39, Luca Filipozzi  wrote:
> 
> > Dear editors of the Debian wiki,
> >
> > Please recall our recent email regarding the moinmoin [1] vulnerability
> > [2] and the penetration of Debian's wiki [3].  We have reset all password
> > hashes and sent individual notification to all Debian wiki account holders
> > with instructions on how to recover (and thereby reset) their passwords [4].
> > More technical details about the attack are available [5].
> >
> > We have completed our audit of the original server hosting wiki.debian.org
> > and have concluded that the penetration did not yield escalated privileges
> > for the attacker(s) beyond the 'wiki' service account.
> >
> > That said, it is clear that the attacker(s) have captured the email
> > addresses and corresponding password hashes of all wiki editors.  The
> > attacker(s) were particularly interested in the password hashes belonging
> > to users of Debian, Intel, Dell, Google, Microsoft, GNU, any .gov and any
> > .edu.
> >
> > Presumably, the intent was to generate domain / username / password tuples
> > from the email addresses and (eventually cracked) hashes, and to use these
> > to attack the home institutions of these users.
> >
> > If the localpart of your email address (the portion to the left of the @)
> > is your username at your home institution AND if you tend to use the same
> > password with multiple services, then we *VERY STRONGLY* recommend changing
> > your password at your home institution (the portion to the right of the @).
> >
> > Even if the localpart is not your username at your home institution, we
> > recommend updating your password as other mechanisms to map your email
> > address to your username may be available to the attacker(s).
> >
> > If you have any questions or concerns, please contact the Debian Wiki
> > Administrator Team [6] and/or the Debian System Administration Team [7].
> >
> > With kind regards,
> >
> > Paul Wise for the Debian Wiki Administrator Team
> > Luca Filipozzi for the Debian System Administration Team
> >
> > [1] http://packages.qa.debian.org/m/moin.html
> > [2] http://www.debian.org/security/2012/dsa-2593
> > [3] http://wiki.debian.org
> > [4] http://wiki.debian.org/FrontPage?action=recoverpass
> > [5] http://wiki.debian.org/DebianWiki/SecurityIncident2012
> > [6] debian-www@lists.debian.org
> > [7] debian-ad...@debian.org
> >
> > --
> > Luca Filipozzi
> > Member, Debian System Administration Team
> >

-- 
Luca Filipozzi
Member, Debian System Administration Team
Member, UBC Enterprise Architecture Team





Re: wiki.debian.org password reset

2013-01-07 Thread Colin Watson
On Mon, Jan 07, 2013 at 10:54:19PM +, Steve McIntyre wrote:
> On Mon, Jan 07, 2013 at 09:19:09PM +, Colin Watson wrote:
> >On Sun, Jan 06, 2013 at 10:39:31PM +, Luca Filipozzi wrote:
> >> Please recall our recent email regarding the moinmoin [1] vulnerability
> >> [2] and the penetration of Debian's wiki [3].  We have reset all password
> >> hashes and sent individual notification to all Debian wiki account holders
> >> with instructions on how to recover (and thereby reset) their passwords [4].
> >> More technical details about the attack are available [5].
> >
> >Thanks.  I noticed that my passwords on wiki.debian.org and
> >wiki.debconf.org were identical, but my password on wiki.debconf.org had
> >not been automatically reset.  Perhaps it's worth auditing for this,
> >since I suspect this is not uncommon?
> 
> Hi Colin,
> 
> That's a nice idea, but the two wikis are entirely separate and both
> store hashed passwords. It's difficult for us to tell if users are
> using the same passwords on each system.

Ah, fair enough.  Damn that security ;-)

-- 
Colin Watson   [cjwat...@debian.org]





Re: wiki.debian.org password reset

2013-01-07 Thread Steve McIntyre
On Mon, Jan 07, 2013 at 09:19:09PM +, Colin Watson wrote:
>On Sun, Jan 06, 2013 at 10:39:31PM +, Luca Filipozzi wrote:
>> Please recall our recent email regarding the moinmoin [1] vulnerability [2]
>> and the penetration of Debian's wiki [3].  We have reset all password hashes
>> and sent individual notification to all Debian wiki account holders with
>> instructions on how to recover (and thereby reset) their passwords [4].  More
>> technical details about the attack are available [5].
>
>Thanks.  I noticed that my passwords on wiki.debian.org and
>wiki.debconf.org were identical, but my password on wiki.debconf.org had
>not been automatically reset.  Perhaps it's worth auditing for this,
>since I suspect this is not uncommon?

Hi Colin,

That's a nice idea, but the two wikis are entirely separate and both
store hashed passwords. It's difficult for us to tell if users are
using the same passwords on each system.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me 





Re: wiki.debian.org password reset

2013-01-07 Thread Colin Watson
On Sun, Jan 06, 2013 at 10:39:31PM +, Luca Filipozzi wrote:
> Please recall our recent email regarding the moinmoin [1] vulnerability [2]
> and the penetration of Debian's wiki [3].  We have reset all password hashes
> and sent individual notification to all Debian wiki account holders with
> instructions on how to recover (and thereby reset) their passwords [4].  More
> technical details about the attack are available [5].

Thanks.  I noticed that my passwords on wiki.debian.org and
wiki.debconf.org were identical, but my password on wiki.debconf.org had
not been automatically reset.  Perhaps it's worth auditing for this,
since I suspect this is not uncommon?

-- 
Colin Watson   [cjwat...@debian.org]





Re: wiki.debian.org password reset

2013-01-06 Thread Andrew McGlashan
Hi,

On 7/01/2013 1:42 PM, Luca Filipozzi wrote:
> On Mon, Jan 07, 2013 at 02:28:20AM +, Luca Filipozzi wrote:
>> On Mon, Jan 07, 2013 at 12:57:38PM +1100, Andrew McGlashan wrote:
>>> What I want to know is the following
>>>
>>> Do you perform hardening practices such as described at this page:
>>>
>>>http://crackstation.net/hashing-security.htm
> 
> Having looked at Google's cached version of that page...

;)

It worked last time I checked, but I too get the broken page now :(

> moin 1.9.x uses SSHA (salted SHA1):
> 
> http://moinmo.in/MoinMoin2.0/SecurePasswordStorage
> 
> It is understood that SHA1 is outdated.

Okay, but SHA1 with key stretching would be better in the short term.

> We've begun a discussion regarding using a newer hash algorithm and possibly a
> key stretching algorithm.
> 
>> Please consider adding debian-www@lists.debian.org and/or
>> debian-ad...@debian.org to the thread if/when you reply.
> 
> I've done this.

Thank you, I've done a reply all now.

Cheers
A.





Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Paul Wise
On Mon, Jan 7, 2013 at 9:41 AM, Luca Filipozzi wrote:

> OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, 
> then
> one should understand the basics of PKI.  What do you think?

Many of the Debian wiki editors are there to translate content to
their own language. Some of these don't use Debian, some do. I don't
think translators should need to learn about PKI to contribute. Only
if we use a CA that is trusted by their browsers will we be not
affecting anyone.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Paul Wise
On Mon, Jan 7, 2013 at 8:08 AM, Jeremy L. Gaddis wrote:

> Thanks, I just reset the password on my account only to realize that
> SSL is not being used by default on wiki.d.o.

As you found out, there is SSL available but not enforced.

I strongly suggest installing xul-ext-https-everywhere and
xul-ext-https-finder, which will maximise your use of SSL. There will
be times you need to disable SSL for certain sites or parts of sites.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Jeremy L. Gaddis
* Charles Plessy  wrote:
> Le Mon, Jan 07, 2013 at 01:41:49AM +, Luca Filipozzi a écrit :
> > OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, 
> > then
> > one should understand the basics of PKI.  What do you think?
> 
> how about Debian Single Sign On (https://sso.debian.org) ?

Unfortunately, that is not an option for everyone at this time.

From http://wiki.debian.org/DebianSingleSignOn:

"The web password single signon method only works for Debian Developers."

While I may make a few contributions here and there, for example, I am
not a DD. I would suspect there are a great number of wiki editors, for
example, that are not DDs.

I am not sure if wiki supports Debian SSO or not. If not, hopefully that
support will be added in the future. In the meantime, however, requiring
encryption when logging in to any site is a good idea. Actually, I'll go
one step further and say that *not* requiring encrypted authentication
is a *very bad idea*.

-- 
Jeremy Gaddis





Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Jeremy L. Gaddis
* Luca Filipozzi  wrote:
> On Sun, Jan 06, 2013 at 07:08:08PM -0500, Jeremy L. Gaddis wrote:
> > Thanks, I just reset the password on my account only to realize that
> > SSL is not being used by default on wiki.d.o.
> 
> Yes. :/
> 
> > Surely this will be fixed in the very near future?
> 
> DSA and DWA are in discussion about enforcing encryption at all
> authentication points.  We're currently debating the pros/cons of
> using a commercial SSL cert vs a Debian SSL cert.  Given the dubious
> value of commercial certificates, I'm in favour of the latter but I
> appreciate that some users will find the browser warnings to be
> confusing.

Coincidentally, I'm taking a break from rolling out a new (internal
only) PKI infrastructure at $work to write this e-mail.

Enforcing encryption at any/all authentication points is something that,
I hope, should not even need discussing. It should be enabled at any
such points.

If money wasn't a concern, I'd be in favor of rolling out commercial
certificates everywhere simply to avoid any of the browser warnings.

I'll admit ignorance when it comes to not knowing how or where Debian
uses SSL certificates on public-facing infrastructure (although a quick
check seems to indicate SSL isn't enabled on www.d.o), but I see no
reason why certificates signed by SPI's CA (whose certificate is
included in ca-certificates) could not be used.

Alternatively, perhaps certificates from CAcert.org for public-facing
services (does anyone besides Debian include their root CA certificate)
and certificates from a private CA for use on "Debian internal"
services?

Obviously, there are a number of things to consider; I'm simply tossing
out ideas at this point.

> OTOH, I'd argue that if one wishes to maintain content at
> wiki.debian.org, then one should understand the basics of PKI.  What
> do you think?

Agree. Being technical folks, I would guess that a large number of
Debian users *do* understand the basics of PKI and why a certificate
signed by a commercial CA is not technically "more secure" than one
signed by a private CA. For those who don't, well, they should be able
to understand why after ten minutes of reading.

-- 
Jeremy Gaddis






Re: wiki.debian.org password reset

2013-01-06 Thread Luca Filipozzi
On Mon, Jan 07, 2013 at 02:28:20AM +, Luca Filipozzi wrote:
> On Mon, Jan 07, 2013 at 12:57:38PM +1100, Andrew McGlashan wrote:
> > What I want to know is the following
> > 
> > Do you perform hardening practices such as described at this page:
> > 
> >http://crackstation.net/hashing-security.htm
> 
> lucaf@portabofh:~$ curl  http://crackstation.net/hashing-security.htm
> Count not connect to PHPCount MySQL server!
> lucaf@portabofh:~$ 

Having looked at Google's cached version of that page...

> >  - if so, then we should be safe, if not, WHY NOT?
> 
> That site is broken (see above).

moin 1.9.x uses SSHA (salted SHA1):

http://moinmo.in/MoinMoin2.0/SecurePasswordStorage

It is understood that SHA1 is outdated.

We've begun a discussion regarding using a newer hash algorithm and possibly a
key stretching algorithm.

> Please consider adding debian-www@lists.debian.org and/or
> debian-ad...@debian.org to the thread if/when you reply.

I've done this.

Cheers,

Luca

-- 
Luca Filipozzi
Member, Debian System Administration Team


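Luca's note above that moin 1.9.x stores SSHA (salted SHA-1) with a key-stretching scheme still under discussion, and Steve's earlier reply that two wikis' salted hashes cannot be compared to spot password reuse, are both illustrated by this added example (it is not moin's own code; the SSHA record layout, the PBKDF2 parameters and the upgrade-on-login flow are assumptions of the example): legacy SSHA verification, a stretched PBKDF2-HMAC-SHA256 replacement, and a login path that migrates a record the next time the plaintext is available.

```python
import base64
import hashlib
import hmac
import os

# Assumed layout of a legacy SSHA record (LDAP style; the scheme the message
# above says moin 1.9.x uses): "{SSHA}" + base64( sha1(password || salt) || salt ).
# A SHA-1 digest is always 20 bytes, so whatever follows it is the salt.
SHA1_LEN = 20
PBKDF2_ROUNDS = 200_000  # constructed work factor for the stretched scheme


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Unstretched SSHA: one SHA-1 call per guess, so offline cracking is cheap.

    Each record gets its own random salt, so two stores of the same password
    differ; that is why reuse across sites cannot be detected from hashes alone.
    """
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    guess = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(guess, digest)  # constant-time comparison


def pbkdf2_hash(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Stretched replacement: every guess now costs `rounds` HMAC-SHA256 calls."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "{PBKDF2-SHA256}$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def pbkdf2_verify(password: str, stored: str) -> bool:
    if not stored.startswith("{PBKDF2-SHA256}$"):
        return False
    try:
        rounds_s, salt_b64, dk_b64 = stored.split("$")[1:]
        rounds = int(rounds_s)
    except ValueError:
        return False  # malformed record: never treat it as a match
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    guess = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(guess, expected)


def login_and_upgrade(password: str, stored: str) -> tuple:
    """Check a login against whichever scheme the record uses.

    Returns (ok, record_to_store). A legacy SSHA record that verifies is
    re-hashed with PBKDF2, because login is the only moment the plaintext is
    available; the user base migrates as people log in.
    """
    if stored.startswith("{SSHA}"):
        if ssha_verify(password, stored):
            return True, pbkdf2_hash(password)
        return False, stored
    return pbkdf2_verify(password, stored), stored
```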



Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Charles Plessy
Le Mon, Jan 07, 2013 at 01:41:49AM +, Luca Filipozzi a écrit :
> 
> OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, 
> then
> one should understand the basics of PKI.  What do you think?

Hi Luca,

how about Debian Single Sign On (https://sso.debian.org) ?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan





Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Luca Filipozzi
On Sun, Jan 06, 2013 at 07:08:08PM -0500, Jeremy L. Gaddis wrote:
> * Luca Filipozzi  wrote:
> > Please recall our recent email regarding the moinmoin [1] vulnerability [2]
> > and the penetration of Debian's wiki [3].  We have reset all password hashes
> > and sent individual notification to all Debian wiki account holders with
> > instructions on how to recover (and thereby reset) their passwords [4].  More
> > technical details about the attack are available [5].
> 
> [snip]
> 
> Thanks, I just reset the password on my account only to realize that
> SSL is not being used by default on wiki.d.o.

Yes. :/

> Surely this will be fixed in the very near future?

DSA and DWA are in discussion about enforcing encryption at all authentication
points.  We're currently debating the pros/cons of using a commercial SSL cert
vs a Debian SSL cert.  Given the dubious value of commercial certificates, I'm
in favour of the latter but I appreciate that some users will find the browser
warnings to be confusing.

OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, then
one should understand the basics of PKI.  What do you think?

Thanks,

Luca

DSA = Debian System Administration Team
DWA = Debian Wiki/Web Administration Team (my coinage)

-- 
Luca Filipozzi
Member, Debian System Administration Team





Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Jeremy L. Gaddis
* Luca Filipozzi  wrote:
> Please recall our recent email regarding the moinmoin [1] vulnerability [2]
> and the penetration of Debian's wiki [3].  We have reset all password hashes
> and sent individual notification to all Debian wiki account holders with
> instructions on how to recover (and thereby reset) their passwords [4].  More
> technical details about the attack are available [5].

[snip]

Thanks, I just reset the password on my account only to realize that
SSL is not being used by default on wiki.d.o.

Surely this will be fixed in the very near future?

Off to change my password again,
-JLG

-- 
Jeremy L. Gaddis  e: jlgad...@gnu.org
Network Engineer  m: +1.812.865.0581
PGP:  0x95E2C8FE  w: http://evilrouters.net

