[Health-dev] [bug #52020] Missing bcrypt dependency in gnuhealth-setup

[Luis Falcon]

URL:
  <http://savannah.gnu.org/bugs/?52020>

                 Summary: Missing bcrypt dependency in gnuhealth-setup
                 Project: GNU Health
            Submitted by: meanmicio
            Submitted on: Thu 14 Sep 2017 04:07:22 PM UTC
                Category: Security
                Severity: 3 - Normal
              Item Group: None
                  Status: Confirmed
                 Privacy: Public
             Assigned to: meanmicio
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Module: gnuhealth-setup

    _______________________________________________________

Details:

Mathias Behrle noticed that the standard installation for GNU Health
(gnuhealth-setup), is missing the bcrypt package.

Although Tryton fallbacks to SHA1 algorithm for hashing the passwords if it
does not find bcrypt, we recommend to use Bcrypt. 

Bcrypt is a "slow" hash algorithm, thus, makes it harder (from the time point
of view) to brute force attacks, and the penalty from the login user is not
noticeable (specially across the network).

We will release a new version for gnuhealth-setup (3.2.1), which will include
bcrypt in the dependency list.

In the meantime, just install the bcrypt package manually with the *gnuhealth*
user

gnuhealth $ pip3 install --user bcrypt

Don't forget to restart (no need to update) the Tryton server.

PS: This applies just to the standard / vanilla GNU Health distribution. Those
installations that use pypi packages have already the dependency in place.

Bests
Luis






    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?52020>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/