From 4152dca09e6a7d9b0da81cb5ac6f76e8f05d2a23 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@kodama.kitenet.net>
Date: Thu, 29 May 2008 15:17:19 -0400
Subject: [PATCH] documentation for use of hashed passwords

Everything but the actual coding to support them.
---
 Bundle/IkiWiki/Extras.pm      |  1 +
 debian/NEWS                   | 12 ++++++++++-
 debian/changelog              |  9 ++++++++
 debian/control                |  2 +-
 doc/ikiwiki-transition.mdwn   | 40 ++++++++++++++++++++++++-----------
 doc/ikiwiki.setup             |  2 ++
 doc/install.mdwn              |  2 +-
 doc/plugins/passwordauth.mdwn | 22 ++++++++++++++++---
 doc/security.mdwn             | 38 +++++++++++++++++++++++++--------
 9 files changed, 101 insertions(+), 27 deletions(-)

diff --git a/Bundle/IkiWiki/Extras.pm b/Bundle/IkiWiki/Extras.pm
index 2c259f204..f09225d49 100644
--- a/Bundle/IkiWiki/Extras.pm
+++ b/Bundle/IkiWiki/Extras.pm
@@ -16,6 +16,7 @@ perl -MCPAN -e 'install Bundle::IkiWiki::Extras'
 
 =head1 CONTENTS
 
+Authen::Passphrase
 RPC::XML
 File::MimeInfo
 Locale::gettext
diff --git a/debian/NEWS b/debian/NEWS
index 9dd93c85e..086798750 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+ikiwiki (2.48) unstable; urgency=low
+
+  If you allowed password based logins to your wiki, those passwords were
+  stored in cleartext in the userdb. To guard against exposing users'
+  passwords, I recommend you install the Authen::Passphrase perl module, and
+  then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
+  existing cleartext passwords with strong (blowfish) hashes.
+
+ -- Joey Hess <joeyh@debian.org>  Thu, 29 May 2008 14:39:34 -0400
+
 ikiwiki (2.46) unstable; urgency=low
  
   There were some significant template changes in ikiwiki 2.42 (and 1.33.5).
@@ -89,7 +99,7 @@ ikiwiki (2.14) unstable; urgency=low
 
   This version of ikiwiki is more picky about symlinks in the path leading
   to the srcdir, and will refuse to use a srcdir specified by such a path.
-  This  was necessary to avoid some potential exploits, but could potentially
+  This was necessary to avoid some potential exploits, but could potentially
   break (semi-)working wikis. If your wiki has a srcdir path containing a
   symlink, you should change it to use a path that does not.
 
diff --git a/debian/changelog b/debian/changelog
index 1d9f18320..fb448e7dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,15 @@ ikiwiki (2.48) UNRELEASED; urgency=low
     explicitly pass 0 (FB_DEFAULT) as the second parameter. Apparently perl
     5.8 needs this to avoid crashing on malformed utf-8, despite its docs
     saying it is the default.
+  * passwordauth: If Authen::Passphrase is installed, use it to store
+    password hashes, crypted with Eksblowfish.
+  * Existing cleartext passwords in the userdb will be automatically hashed
+    (if Authen::Passphrase is installed) the next time a user logs in.
+    Or `ikiwiki-transition hashpassword /path/to/srcdir` can be used to force
+    a conversion.
+  * Passwords will no longer be mailed, but instead a password reset link
+    mailed.
+  * The password_cost config setting is provided as a "more security" knob.
 
  -- Joey Hess <joeyh@debian.org>  Wed, 28 May 2008 03:07:37 -0400
 
diff --git a/debian/control b/debian/control
index 3bd14a526..b71cbed6f 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Vcs-Browser: http://git.ikiwiki.info/?p=ikiwiki
 Package: ikiwiki
 Architecture: all
 Depends: ${perl:Depends}, markdown | libtext-markdown-perl, libhtml-scrubber-perl, libhtml-template-perl, libhtml-parser-perl, liburi-perl
-Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl
+Recommends: gcc | c-compiler, libc6-dev | libc-dev, subversion | git-core (>= 1:1.5.0) | tla | bzr (>= 0.91) | mercurial | monotone (>= 0.38), libxml-simple-perl, libnet-openid-consumer-perl, liblwpx-paranoidagent-perl, libtimedate-perl, libcgi-formbuilder-perl (>= 3.05), libcgi-session-perl (>= 4.14-1), libmail-sendmail-perl, libauthen-passphrase-perl
 Suggests: viewvc | gitweb | viewcvs, hyperestraier, librpc-xml-perl, libtext-wikiformat-perl, python, python-docutils, polygen, tidy, libxml-feed-perl, libmailtools-perl, perlmagick, libfile-mimeinfo-perl, libcrypt-ssleay-perl, liblocale-gettext-perl (>= 1.05-1), libtext-typography-perl, libtext-csv-perl, libdigest-sha1-perl, graphviz, libnet-amazon-s3-perl
 Conflicts: ikiwiki-plugin-table
 Replaces: ikiwiki-plugin-table
diff --git a/doc/ikiwiki-transition.mdwn b/doc/ikiwiki-transition.mdwn
index da3b3a8d5..693c1db83 100644
--- a/doc/ikiwiki-transition.mdwn
+++ b/doc/ikiwiki-transition.mdwn
@@ -1,6 +1,6 @@
 # NAME
 
-ikiwiki-transition - transition ikiwiki pages to new syntaxes
+ikiwiki-transition - transition ikiwiki pages to new syntaxes, etc
 
 # SYNOPSIS
 
@@ -8,12 +8,15 @@ ikiwiki-transition type ...
 
 # DESCRIPTION
 
-`ikiwiki-transition` aids in converting ikiwiki pages when
-there's a major change in ikiwiki syntax.
+`ikiwiki-transition` aids in converting wiki pages when
+there's a major change in ikiwiki syntax. It also handles other transitions
+not involving wiki pages.
 
-Currently only one such transition is handled, the `prefix_directives` mode
-converts the specified ikiwiki page from the old preprocessor directive
-syntax, requiring a space, to the new syntax, prefixed by '!'.
+# prefix_directives
+
+The `prefix_directives` mode converts the specified ikiwiki page from
+the old preprocessor directive syntax, requiring a space, to the new
+syntax, prefixed by '!'.
 
 Preprocessor directives which already use the new syntax will remain
 unchanged.
@@ -22,14 +25,27 @@ Note that if the page contains wiki links with spaces, which some
 older versions of ikiwiki accepted, the prefix_directives transition will
 treat these as preprocessor directives and convert them.
 
-One other transition is handled, the `indexdb` mode handles converting
-a plain text `.ikiwiki/index` file to a binary `.ikiwiki/indexdb`. In this
-mode, you should specify the srcdir of the wiki as the second parameter.
-You do not normally need to run `ikiwiki-transition indexdb`; ikiwiki will
-automatically run it as necessary.
+# indexdb
+
+The `indexdb` mode handles converting a plain text `.ikiwiki/index` file to
+a binary `.ikiwiki/indexdb`. In this mode, you should specify the srcdir of
+the wiki as the second parameter. You do not normally need to run
+`ikiwiki-transition indexdb`; ikiwiki will automatically run it as
+necessary.
+
+# hashpassword
+
+The `hashpassword` mode forces any plaintext passwords stored in the
+`.ikiwiki/userdb` file to be replaced with password hashes. (The
+Authen::Passphrase perl module is needed to do this.) In this mode, you
+should specify the srcdir of the wiki as the second parameter. 
+
+If this is not done explicitly, a user's plaintext password will be
+automatically converted to a hash when a user logs in for the first time
+after upgrade to ikiwiki 2.48.
 
 # AUTHOR
 
-Josh Triplett <josh@freedesktop.org>
+Josh Triplett <josh@freedesktop.org>, Joey Hess <joey@ikiwiki.info>
 
 Warning: this page is automatically made into ikiwiki-transition's man page, edit with care
diff --git a/doc/ikiwiki.setup b/doc/ikiwiki.setup
index e1f698d68..db806a8c4 100644
--- a/doc/ikiwiki.setup
+++ b/doc/ikiwiki.setup
@@ -123,6 +123,8 @@ use IkiWiki::Setup::Standard {
 	#usedirs => 0,
 	# Simple spam prevention: require an account-creation password.
 	#account_creation_password => "example",
+	# Cost of generating a password using Authen::Passphrase::BlowfishCrypt
+	#password_cost => 8,
 	# Uncomment to force ikiwiki to run with a particular umask.
 	#umask => 022,
 	# Default settings for the recentchanges page.
diff --git a/doc/install.mdwn b/doc/install.mdwn
index 179428cb4..40b7b4c5b 100644
--- a/doc/install.mdwn
+++ b/doc/install.mdwn
@@ -30,7 +30,7 @@ perl modules using this command:
 
 	yum install perl-Text-Markdown perl-Mail-Sendmail perl-HTML-Scrubber \
 	  perl-XML-Simple perl-TimeDate perl-HTML-Template perl-CGI-FormBuilder \
-	  perl-CGI-Session perl-File-MimeInfo perl-gettext
+	  perl-CGI-Session perl-File-MimeInfo perl-gettext perl-Authen-Passphrase
 
 ## Installing by hand
 
diff --git a/doc/plugins/passwordauth.mdwn b/doc/plugins/passwordauth.mdwn
index 5e3dbfbaf..13acfe2d1 100644
--- a/doc/plugins/passwordauth.mdwn
+++ b/doc/plugins/passwordauth.mdwn
@@ -2,16 +2,32 @@
 [[tag type/auth]]
 
 This plugin lets ikiwiki prompt for a user name and password when logging
-into the wiki. It also handles registering users, mailing passwords, and
+into the wiki. It also handles registering users, resetting passwords, and
 changing passwords in the prefs page.
 
 It is enabled by default, but can be turned off if you want to only use
 some other form of authentication, such as [[httpauth]] or [[openid]].
 
 When the `account_creation_password` configuration option is enabled with
-a pass-phrase, this plugin prompts for the password when creating an
-account as a implistic anti-spam measure.
+a password, this plugin prompts for the password when creating an
+account as a simplistic anti-spam measure.
 (Some wikis edited by a particular group use an account creation password
 as an "ask an existing member to get an account" system.)
 
+## password storage
 
+Users' passwords are stored in the `.ikiwiki/userdb` file, which needs to
+be kept safe to prevent exposure of passwords. If the
+[[Authen::Passphrase]] perl module is installed, only hashes of the
+passwords will be stored. This is strongly recommended.
+
+The `password_cost` configuration option can be used to make the stored
+password hashes be more difficult to brute force, at the expense of also
+taking more time to check a password when a user logs into the wiki. The
+default value is 8, max value is (currently) 31, and each step *doubles*
+the time required.
+
+So if you're worried about your password files leaking and being cracked,
+you can increase the `password_cost` and make that harder. But a better
+choice might be to not deal with user passwords at all, and instead use
+[[openid]]!
diff --git a/doc/security.mdwn b/doc/security.mdwn
index fc9937288..b3af3db3e 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -105,7 +105,7 @@ your web server will not run it.
 
 ## suid wrappers
 
-ikiwiki --wrapper is intended to generate a wrapper program that
+`ikiwiki --wrapper` is intended to generate a wrapper program that
 runs ikiwiki to update a given wiki. The wrapper can in turn be made suid,
 for example to be used in a [[post-commit]] hook by people who cannot write
 to the html pages, etc.
@@ -118,9 +118,13 @@ been no problem yet.
 ## shell exploits
 
 ikiwiki does not expose untrusted data to the shell. In fact it doesn't use
-system() at all, and the only use of backticks is on data supplied by the
-wiki admin and untainted filenames. And it runs with taint checks on of
-course..
+`system(3)` at all, and the only use of backticks is on data supplied by the
+wiki admin and untainted filenames. 
+
+Ikiwiki was developed and used for a long time with perl's taint checking
+turned on as a second layer of defense against shell and other exploits. Due
+to a strange [bug](http://bugs.debian.org/411786) in perl, taint checking
+is currently disabled for production builds of ikiwiki.
 
 ## cgi data security
 
@@ -141,11 +145,11 @@ file not be world readable.
 
 ## cgi password security
 
-Login to the wiki involves sending a password in cleartext over the net.
-Cracking the password only allows editing the wiki as that user though.
-If you care, you can use https, I suppose. If you do use https either for
-all of the wiki, or just the cgi access, then consider using the sslcookie
-option.
+Login to the wiki using [[plugins/passwordauth]] involves sending a password
+in cleartext over the net. Cracking the password only allows editing the wiki
+as that user though. If you care, you can use https, I suppose. If you do use
+https either for all of the wiki, or just the cgi access, then consider using
+the sslcookie option. Using [[plugins/openid]] is a potentially better option.
 
 ## XSS holes in CGI output
 
@@ -377,3 +381,19 @@ page to be modified by a logged-in user. ([[cve CVE-2008-0165]])
 These holes were discovered on 10 April 2008 and fixed the same day with
 the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
 version 1.33.5. I recommend upgrading to one of these versions.
+
+## Cleartext passwords
+
+Until version 2.48, ikiwiki stored passwords in cleartext in the `userdb`.
+That risks exposing all users' passwords if the file is somehow exposed. To
+pre-emtively guard against that, current versions of ikiwiki store password
+hashes (using Eksblowfish).
+
+If you use the [[plugins/passwordauth]] plugin, I recommend upgrading to
+ikiwiki 2.48, installing the [[Authen::Passphrase]] perl module, and running
+`ikiwiki-transition hashpassword` to replace all existing cleartext passwords
+with strong blowfish hashes. 
+
+You might also consider changing to [[plugins/openid]], which does not 
+require ikiwiki deal with passwords at all, and does not involve users sending
+passwords in cleartext over the net to log in, either.
-- 
2.32.0.93.g670b81a890