[tor-project] Make it harder to brute-force Trac user passwords
Jens Kubieziel
maillist at kubieziel.de
Mon Aug 7 12:32:39 UTC 2017
* teor wrote on 2017-08-07 at 08:39:
> > On 7 Aug 2017, at 07:20, Jens Kubieziel <maillist at kubieziel.de> wrote:
> > https://trac.torproject.org/projects/tor/ticket/23120 and I set the
> > maximum amount to 17 (chosen arbitrarily). When an account is locked
> > an admin has to unlock it.
>
> Is it possible to lock out all the admins?
One can lock every account on trac. If an account is locked, a person
with SSH access has to log in to the trac machine and reset the
account. So every locked account can be reset.
> > So we lived with this risk in the last years and simply relied on the
> > fact that people choose a secure (aka hard-to-guess) password. So we
> > just could return to this state.
>
> Do we have a way of restoring from backups to the state before a
> TRAC_ADMIN compromise?
The trac machine is backed up and we could probably restore the data
(assuming that the compromise didn't happen like ten years ago, the
backup is OK etc.).
--
Jens Kubieziel http://www.kubieziel.de
The theater will always exist, because people are surrounded by celluloid
and test-tube colleagues - there the theater is a haven of
truthfulness. Tobias Moretti