Hello,
I just noticed that openser_mysql.sh creates the username "admin" with the default openserrw password in the subscriber table.
This seems to introduce a security hole where a well-known username and password pair would exist on most virgin openser installations.
Is there a good reason to have that entry in the "subscriber" table? Is it used anywhere?
Now I know that we're supposed to change the mysql access passwords, but I have to admit that I didn't think to change a password actually embedded IN the data of the mysql database.
Did I miss a critical security note somewhere alerting me to this default user?
Thanks, -mark
Hi, I have a problem understanding the configuration of OpenSer with TLS. I don't understand the user.conf file, to create a certificate.
And, do I need the certificate in the client software?
Happy one year!!! Best regards, Javier Ramirez
On Wed, 14 Jun 2006, Javier Ramirez wrote:
> Hi, I have a problem understanding the configuration of OpenSer with TLS. I don't understand the user.conf file, to create a certificate.
What specifically don't you understand? If you take a look at the openssl 'ca', 'req' and 'x509' options, it might help shed some light.
> And, do I need the certificate in the client software?
You will most likely need to generate a server certificate to use with openser. Also, depending on the type (i.e. self-signed vs. public) of certificate you use, you may need to import the CA certificate into the client's root CA certificate store.
Hope this helps, - Ryan -- UNIX Administrator http://daemons.net/~matty
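As an added illustration of the reply above (example script, not code from the OpenSER project or from anyone in this thread): a private CA and a server certificate for the proxy built with only the openssl 'req' and 'x509' subcommands, so it does not depend on the user.conf file the question mentions. The CA subject, the hostname sip.example.com and the output directory are placeholders; the signing step uses 'x509 -req', which does the job the 'ca' subcommand also does but without an openssl config file. The resulting ca.crt is the file a client would need to import into its trust store when the proxy certificate is not issued by a public CA.

```shell
#!/bin/sh
# Added example (not OpenSER project code): create a self-signed CA and a
# CA-signed server certificate for a SIP proxy with the openssl 'req' and
# 'x509' subcommands. All subject names and paths below are placeholders.
set -eu

gen_tls_certs() {
    outdir="$1"                          # where key/cert files are written
    proxy_fqdn="${2:-sip.example.com}"   # hostname clients connect to (placeholder)
    mkdir -p "$outdir"

    # 1) Private CA: a self-signed certificate that will sign the server cert.
    #    Clients that should trust the proxy import ca.crt into their CA store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" \
        -subj "/CN=Example OpenSER private CA" >/dev/null 2>&1

    # 2) Server private key plus a certificate signing request for the proxy.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" \
        -subj "/CN=$proxy_fqdn" >/dev/null 2>&1

    # 3) Sign the request with the CA key. This is what 'openssl ca' also does,
    #    but 'x509 -req' needs no openssl.cnf / user.conf-style config file.
    openssl x509 -req -days 365 -in "$outdir/server.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -out "$outdir/server.crt" >/dev/null 2>&1

    # Private keys must stay readable only by the owner of the proxy process.
    chmod 600 "$outdir/ca.key" "$outdir/server.key"
}

# Returns 0 when server.crt chains to ca.crt, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Prints the CN of a certificate so you can confirm which host it was issued for.
# Handles both the "subject=CN = x" and the older "subject= /CN=x" output forms.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Run with "--demo" to generate into ./openser-tls and verify the chain.
if [ "${1:-}" = "--demo" ]; then
    gen_tls_certs ./openser-tls sip.example.com
    verify_chain ./openser-tls && echo "server.crt chains to ca.crt: OK"
    echo "server certificate issued for: $(cert_subject_cn ./openser-tls/server.crt)"
fi
```

Point the proxy's TLS configuration at server.crt and server.key (and at ca.crt if it should verify client certificates); the exact parameter names are in the tls module documentation and are not assumed here.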
Hi Mark,
By default, the installation has to provide a way to access it: a starting user. It's not a security hole because:
1) do not open your system to the Internet (public mysql or running openser) immediately after installation without customizing it;
2) before installation, you may set a different default username and password via environment variables (check the beginning of the openser_mysql script).
This is typical behaviour of all software: to leave an initial way of access that is not properly configured; these may indeed turn into security holes: mysqld installs by default a root user with no password, apache starts by default listening on all interfaces (including the public ones), etc.
regards, bogdan
Mark Kent wrote:
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
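For anyone who has already run openser_mysql.sh and wants to know whether the shipped account is still in place, here is an added audit script (mine, not from the thread or from the OpenSER project). It checks a dump of the subscriber table for accounts whose stored HA1 digest matches one of the default passwords this thread names ("heslo" from the INSTALL file, "openserrw" from the installer script). Assumptions, labelled in the code: rows arrive as username|domain|ha1, the ha1 column holds md5("username:realm:password") as used by SIP digest authentication, and the realm equals the domain column; the sample rows are constructed for the demo. The script goes slightly beyond the thread in that it checks every account, not only "admin".

```shell
#!/bin/sh
# Added example (not OpenSER code): flag subscriber accounts still carrying a
# default password. Assumed input format: username|domain|ha1 per line, with
# ha1 = md5("username:realm:password") and realm == domain (assumption).
set -eu

# Passwords this thread identifies as shipped defaults; extend for your site.
DEFAULT_PASSWORDS="heslo openserrw"

# HA1 digest as used by SIP digest authentication: md5(user:realm:password).
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Read rows on stdin, print the username of every account whose stored HA1
# equals the digest of a default password. Intended real input (column
# names assumed, <db> is a placeholder for the openser database name):
#   mysql -N -e "SELECT username, domain, ha1 FROM subscriber" <db> | tr '\t' '|'
audit_default_creds() {
    while IFS='|' read -r user domain stored_ha1; do
        [ -n "$user" ] || continue
        for pw in $DEFAULT_PASSWORDS; do
            if [ "$(ha1 "$user" "$domain" "$pw")" = "$stored_ha1" ]; then
                printf '%s\n' "$user"
                break
            fi
        done
    done
}

# Constructed sample dump: the installer's admin account (openserrw, as
# reported in the thread), an account created by following the old INSTALL
# text (heslo), and one with a site-chosen password that must not be flagged.
sample_rows() {
    printf 'admin|sip.example.com|%s\n' "$(ha1 admin sip.example.com openserrw)"
    printf 'alice|sip.example.com|%s\n' "$(ha1 alice sip.example.com heslo)"
    printf 'bob|sip.example.com|%s\n'   "$(ha1 bob sip.example.com 'S3lf-ch0sen!')"
}

# Flagged usernames from the sample, space-separated, for easy checking.
flagged_from_sample() {
    sample_rows | audit_default_creds | tr '\n' ' ' | sed 's/ $//'
}

# Run with "--demo" to print the accounts flagged in the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "accounts still on a default password: $(flagged_from_sample)"
fi
```

Any account the script prints should have its password changed (or the row deleted, if it is the unused installer account this thread is about) before the proxy is reachable from the public network, which is the customizing step the reply above insists on.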
> This is typical behaviour of all software: to leave an initial way of access that is not properly configured; these may indeed turn into security holes:
Your goal should be "good behaviour" not "typical behaviour"...
I think it is a case of trying to be too nice but with very limited benefit for a new user. I just found the line in the INSTALL file that references this:
b) try to login with your SIP client as user 'admin' with password 'heslo'
Well... that's not even the default password anymore, is it? So, anyone starting with 1.0.1 (which includes *everyone* new, as that is the top link at openser.org) will not use that convenience.
BTW, thanks for taking the time to respond to messages. I see you get to each one that has yet to be answered by anyone else (although someone did email me privately).
Thanks, -mark
Mark,
If you do not find this "typical behaviour" suitable, you may suggest a "better behaviour" - we are open to it.
Just my 2 cents: if you make a thing too complicated by default, only people with advanced skills will be able to use it. If the default is less complicated, people with less skills will be able to get around; the skilled ones are free to enhance the default setup... we just try to cover as many users as possible with the default setup.
Also thanks for spotting the doc bug - it is fixed now on CVS.
regards, bogdan