Azimuth1 / SARCAT-legacy

Search and Rescue mission records system - SARCAT

Revise the initialization of the Admin account. #10

Open JasonDalton opened 7 years ago

JasonDalton commented 7 years ago

The strategy for the initial admin user default password won't pass Amazon's security check to get it on Marketplace. We need a new strategy. How about we let the admin user set their password from the same page, instead of using a default. It's no less secure, since the default is listed on the public web anyway. This would be more secure: in the event someone snuck in and added their own admin password before the real admin, the real admin could just shut it down at the server and reload.

JasonDalton commented 7 years ago

Here's the current language on the 'Docs' page:

Manuel

Getting Started

JasonDalton commented 7 years ago

How about:

Manuel

Getting Started

skitol commented 7 years ago

They currently set the password on the main page the first time it is set up. What do you mean "on the same page"? They can't get to the admin page until they log in.

We added that public "secret" password to add an extra blanket. The admin really just needs to know to finish the setup by always creating a user. The first user created will be the admin.

That public password is not really the admin's password; it's more like a key to get in once installed. Then they set their password. Maybe I'll change the wording to "install key". It gets removed immediately after the first user registers anyway.

Kyle


JasonDalton commented 7 years ago

Let's just take them right to making the Admin password then. Since the code is public, it's not adding any more security.


skitol commented 7 years ago

Yeah, or I can probably set it so they don't even have to enter the username.

I remember I initially set it up with no password to install - thinking it should be the responsibility of the installer to finish all the steps.

Kyle

On Dec 8, 2016, at 1:17 PM, Jason Dalton notifications@github.com wrote:

How about:

Manuel

Getting Started

Once SARCAT is installed and running, navigate to http{s}:// to set the Admin password (Username: admin@sarcat, Password: ) to begin setting up your profile. This is only done once for each installation. Go to the Admin Tools section on the left to begin setting up your profile.