From 8ba1d318ec20f499f0e7c38706a8ed46203de041 Mon Sep 17 00:00:00 2001 From: Nick Daly Date: Sun, 10 Nov 2013 21:54:39 -0600 Subject: [PATCH] Hash the password on the server. This saves us the need of distributing additional client libraries, and requires us to actually enable proper security instead of badly-built shims. --- modules/installed/first_boot.py | 64 +++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 26 deletions(-) diff --git a/modules/installed/first_boot.py b/modules/installed/first_boot.py index d257159aa..e2fcd736b 100644 --- a/modules/installed/first_boot.py +++ b/modules/installed/first_boot.py @@ -9,6 +9,7 @@ from withsqlite.withsqlite import sqlite_db import cfg import config from model import User +import md5 class FirstBoot(PagePlugin): def __init__(self, *args, **kwargs): @@ -26,7 +27,7 @@ class FirstBoot(PagePlugin): return "fake key" @cherrypy.expose - def state0(self, message="", hostname="", box_key="", submitted=False, username="", md5_password="", **kwargs): + def state0(self, message="", hostname="", box_key="", submitted=False, username="", password="", **kwargs): """ In this state, we do time config over HTTP, name the box and server key selection. @@ -59,17 +60,21 @@ class FirstBoot(PagePlugin): else: message += _("Invalid key!") elif 'box_key' in db and db['box_key']: - box_key = _("We already have a key for this box on file.") #TODO: Think this through and handle more gracefully + box_key = _("We already have a key for this box on file.") # TODO: Think this through and handle more gracefully. Seriously. elif submitted and not box_key: box_key = self.generate_box_key() db['box_key'] = box_key - if username and md5_password: + if username and password: + # FIXME: MD5 as a password hash? REALLY?! NOOO!!! + passphrase = md5.new() + passphrase.update(password) + di = { 'username':username, - 'name':'First user - please change', - 'expert':'on', + 'name': 'First user - please change', + 'expert': 'on', "groups": ["expert"], - 'passphrase':md5_password, + 'passphrase': passphrase.digest(), } new_user = User(di) cfg.users.set(username,new_user) @@ -93,15 +98,17 @@ class FirstBoot(PagePlugin): form.html("

Initial user and password. Access to this web interface is protected by knowing a username and password. Provide one here to register the initial privileged user. The password can be changed and other users added later.

") form.text_input('Username:', id="username", value=username) form.text_input('Password:', id="password", type='password') - form.text_input(name="md5_password", type="hidden") form.html("

%(box_name)s uses cryptographic keys so it can prove its identity when talking to you. %(box_name)s can make a key for itself, but if one already exists (from a prior FreedomBox, for example), you can paste it below. This key should not be the same as your key because you are not your FreedomBox!

" % {'box_name':cfg.box_name}) form.text_box("If you want, paste your box's key here.", id="box_key", value=box_key) form.hidden(name="submitted", value="True") form.submit("Box it up!") main += form.render() - return self.fill_template(template="base", title=_("First Boot!"), main=main, - sidebar_right=_("""Getting Help

We've done our best to make your FreedomBox easy to use. If you have questions during setup, there are a few places to turn for help. TODO: add links to such help.

""")) + return self.fill_template( + template="base", + title=_("First Boot!"), + main=main, + sidebar_right=sidebar_right) @cherrypy.expose def state1(self, message=None): @@ -113,26 +120,31 @@ class FirstBoot(PagePlugin): TODO: HTTPS failure in State 2 should returns to state 1. """ - main = """

Here's a certificate. -TODO: explain all this cert stuff to the user.

-

TODO: add instrux for installing certificate.

-

After you have installed + main = """ +

Welcome screen not completely implemented yet. Press continue to see the rest of the web interface.

+ +