[ic] [interchange] Add back 'UserDB ui crypt' setting
Mark Johnson
mark at endpoint.com
Thu Nov 19 22:45:57 UTC 2015

On 11/19/2015 04:09 PM, Peter wrote:
> On 11/20/2015 03:16 AM, Josh Lavin wrote:
>> Quoting Peter (peter at pajamian.dhs.org):
>>> On 11/19/2015 11:28 AM, Josh Lavin wrote:
>>>> UserDB ui database access
>>>> +UserDB ui crypt 1
>>>> UserDB ui bcrypt 1
>>>> UserDB ui promote 1
>>>> UserDB ui cost 13
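Review bot: the added `UserDB ui crypt 1` line sits directly above `UserDB ui bcrypt 1` with no comment saying why both are set, so it reads as redundant. Mark's reply in this thread says __MV_NO_CRYPT__ can override the encryption settings to off and that crypt is best set explicitly for the profile; a one-line comment above the added line stating that would keep it from being removed again in a later cleanup.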
>>>
>>> This change should not be needed, crypt is implied by bcrypt. Did you
>>> have some issue with just bcrypt set?
>>
>> I was told crypt was also necessary. It seems to work either way in the
>> Admin
>
> It's not required and documentation shows not to use it:
>
>> + Example usage: if my "ui" profile is configured with
>> "crypt" (as it is by default), I have crypt() passwords in
>> the access table:
>>
>> UserDB ui crypt 1
>>
>> I first change and promote to bcrypt by replacing the above
>> with:
>>
>> UserDB ui promote 1
>> UserDB ui bcrypt 1
>> UserDB ui bcrypt_pepper {some reasonably long random string}

Those were my comments, but after having discussed this with Mike and
reviewed, I can see that it's more nuanced than that. It plays off of
__MV_NO_CRYPT__ as well, so if that variable is set then it allows the
encryption settings to be overridden as off. With this sort of strange
"action at a distance", it would be best to explicitly set crypt to 1
for a given profile if that's what's intended.

>> -- however, in the catalog, I found crypt to be necessary.
>
> My own usage never required it for userdb either, what happened that
> made you think it's required?

I've reviewed clients where I've set up bcrypt for them, and found that
I left the crypt option on, as well.
Again, based even on the potential of __MV_NO_CRYPT__, I think it should
be left as set to on, and that documentation adjusted.

Regards,
Mark