[elbe-devel] [PATCH v1 00/15] elbe: switch to hashed passwords in XML
Holger Dengler
holger at hdengler.de
Fri Jun 10 15:30:16 CEST 2022
Hi,
On 08.06.22 22:39, Holger Dengler wrote:
> But the removal of the plain-text password for root will conflict with
> another feature of Elbe, the test action 'login'. It is used to executing
> some post-build tests, e.g. test if it is possible to login to the target
> system. This action requires a plain-text password for root in the XML. This
> leads to an attribute for the 'passwd' element, which controls the removal
> of the plain-text password element.
There is another option to handle this problem: extend the <login> action with user and (plain-text) password. This allows to do logintests also with adduser users and it would make the whole 'keep_plain' handling superflous.
Option a (with keep_plain):
---------------------------
[...]
<target>
<passwd keep_plain='true'>foo</passwd>
<passwd_hashed>$6$7kfQxNovrpDt78Jv$r6HhTFx9T0BjZ.NVMBDeQYn5j6NPcq1zAaJrQf9YisgdBxsIZM5YhyoHNWSubKp/1zm5mZ2EA3IYKY1v9fVYM1</passwd_hashed>
[...]
</target>
[...]
<action>
<login />
</action>
[...]
Option b (without keep_plain):
---------------------------
[...]
<target>
<passwd_hashed>$6$7kfQxNovrpDt78Jv$r6HhTFx9T0BjZ.NVMBDeQYn5j6NPcq1zAaJrQf9YisgdBxsIZM5YhyoHNWSubKp/1zm5mZ2EA3IYKY1v9fVYM1</passwd_hashed>
[...]
</target>
[...]
<check-image-list><check><action>
<login passwd="foo">root</login>
</action></check></check-image-list>
[...]
Option b is much cleaner (IMHO) and fixes the problem of the required plaintext password right at the place, where it appears. And it extends the funtionality of the login action with the possibility of testing user logins as well. The more I think about this solution, the more I like it...
What do you think about option b? Should I do a v2 with it?
--
Gruß,
Holger Dengler
--
holger at hdengler.de
More information about the elbe-devel
mailing list