ncrncornell / ced2ar

Comprehensive Extensible Data Documentation and Access Repository (CED²AR) was designed to improve the documentation and discoverability of both public and restricted data
https://www.ncrn.cornell.edu/projects/#Metadata_Standards_and_Tools

sha1sum #6

Closed danpritts closed 7 years ago

danpritts commented 7 years ago

In the docs, you write:

pwd.hash - SHA-1 hash of password for admin account under default authentication type; due to (presumably) differences in character encoding, running echo | sha1sum will not give the desired result.

What you need to do is

echo -n 'password here' | sha1sum

-n gets rid of the trailing newline, which is the problem. Or, at least, it was for me in a similar situation.

As an aside, if you're ever storing user passwords, use something better than a plain sha1 hash. For the admin password, it's less obvious how risky it really is. If an attacker gets the hash, well, start over. (As long as you're not reusing that password somewhere...but you know better I'm sure :)
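The trailing-newline effect described in the comment above, as an added example that is not part of the original thread or of the CED2AR project: it computes the digest of the password bytes alone and reports whether a stored hash was produced with a trailing LF or CRLF. The function names `sha1_hex`, `hash_password` and `diagnose_hash` and the sample password are constructed for illustration; `sha1sum` from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: produce a pwd.hash-style SHA-1 digest and diagnose a
# stored hash that does not match. All names here are illustrative.

# sha1_hex: SHA-1 of exactly the bytes on stdin, hex digest only.
sha1_hex() {
    sha1sum | cut -d' ' -f1
}

# hash_password PASSWORD: digest of the password bytes alone.
# printf '%s' writes no trailing newline and, unlike echo, does not
# treat a password such as "-n" or one containing backslashes specially.
hash_password() {
    printf '%s' "$1" | sha1_hex
}

# diagnose_hash PASSWORD STORED_HASH: report how STORED_HASH was produced.
# Prints one of: exact, trailing-lf, trailing-crlf, no-match.
diagnose_hash() {
    stored=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    if [ "$stored" = "$(printf '%s' "$1" | sha1_hex)" ]; then
        echo exact
    elif [ "$stored" = "$(printf '%s\n' "$1" | sha1_hex)" ]; then
        echo trailing-lf
    elif [ "$stored" = "$(printf '%s\r\n' "$1" | sha1_hex)" ]; then
        echo trailing-crlf
    else
        echo no-match
    fi
}

# Constructed sample value, not a real credential.
sample='password here'
bad=$(echo "$sample" | sha1_hex)      # plain echo appends a newline
good=$(hash_password "$sample")
echo "echo | sha1sum : $bad -> $(diagnose_hash "$sample" "$bad")"
echo "printf '%s'    : $good -> $(diagnose_hash "$sample" "$good")"
```

A password typed as a command-line argument ends up in shell history, so for a real admin password read it from a prompt or a file instead of passing a literal.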

bbarker commented 7 years ago

Thanks! I've edited the page with your corrections. CED2AR does not store any user passwords, and likely never will itself; authentication is handled externally, e.g., through OAuth2 providers. As to the comment you suggested elsewhere on BaseX, thanks for pointing out the terminology slip - the reason we use it in this fashion is in order to allow ced2ar to connect to a local instance of basex, whose ports should not be exposed publicly for best security (I will make a note of this as well).

danpritts commented 7 years ago

Ah, I deleted the comment regarding BaseX - I thought I was getting into the weeds.

Brandon Elam Barker mailto:notifications@github.com January 25, 2017 at 5:15 PM

Thanks! I've edited the page with your corrections. CED2AR does not store any user passwords, and likely never will itself; authentication is handled externally, e.g., through OAuth2 providers. As to the comment you suggested elsewhere on BaseX, thanks for pointing out the terminology slip - the reason we use it in this fashion is in order to allow ced2ar to connect to a local instance of basex, whose ports should not be exposed publicly for best security (I will make a note of this as well).


-- Dan Pritts ICPSR Computing & Network Services University of Michigan