[ic] [interchange] Add back 'UserDB ui crypt' setting

Mark Johnson mark at endpoint.com
Thu Nov 19 22:45:57 UTC 2015


On 11/19/2015 04:09 PM, Peter wrote:
> On 11/20/2015 03:16 AM, Josh Lavin wrote:
>> Quoting Peter (peter at pajamian.dhs.org):
>>> On 11/19/2015 11:28 AM, Josh Lavin wrote:
>>>>  UserDB ui database   access
>>>> +UserDB ui crypt      1
>>>>  UserDB ui bcrypt     1
>>>>  UserDB ui promote    1
>>>>  UserDB ui cost       13
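
Review bot: The added `UserDB ui crypt 1` line sits directly above `UserDB ui bcrypt 1` with no comment saying why both are set, so it reads as redundant. Since the reply below says the setting interacts with __MV_NO_CRYPT__, add a one-line comment above it stating that crypt is set explicitly so the profile does not depend on that variable. Otherwise a later cleanup is likely to drop the line again.
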
>>>
>>> This change should not be needed, crypt is implied by bcrypt. Did you
>>> have some issue with just bcrypt set?
>>
>> I was told crypt was also necessary. It seems to work either way in the
>> Admin
> 
> It's not required and documentation shows not to use it:
> 
>>       + Example usage: if my "ui" profile is configured with
>>         "crypt" (as it is by default), I have crypt() passwords in
>>         the access table:
>>
>>         UserDB  ui  crypt 1
>>
>>         I first change and promote to bcrypt by replacing the above
>>         with:
>>
>>         UserDB  ui  promote 1
>>         UserDB  ui  bcrypt  1
>>         UserDB  ui  bcrypt_pepper {some reasonably long random string}

Those were my comments, but after having discussed this with Mike and
reviewed, I can see that it's more nuanced than that. It plays off of
__MV_NO_CRYPT__ as well, so if that variable is set then it allows the
encryption settings to be overridden as off. With this sort of strange
"action at a distance", it would be best to explicitly set crypt to 1
for a given profile if that's what's intended.

>> -- however, in the catalog, I found crypt to be necessary.
> 
> My own usage never required it for userdb either, what happened that
> made you think it's required?

I've reviewed clients where I've set up bcrypt for them, and found that
I left the crypt option on, as well.

Again, based even on the potential of __MV_NO_CRYPT__, I think it should
be left as set to on, and that documentation adjusted.

Regards,
Mark


