[tor-project] Make it harder to brute-force Trac user passwords

Jens Kubieziel maillist at kubieziel.de
Mon Aug 7 12:32:39 UTC 2017

* teor wrote on 2017-08-07 at 08:39:
> > On 7 Aug 2017, at 07:20, Jens Kubieziel <maillist at kubieziel.de> wrote:
> > https://trac.torproject.org/projects/tor/ticket/23120 and I set the
> > maximum amount to 17 (chosen arbitrarily). When an account is locked
> > an admin has to unlock it.
> Is it possible to lock out all the admins?

One can lock every account on trac. If an account is locked, a person
with SSH access has to log in to the trac machine and reset the
account. So every locked account can be reset.

> > So we lived with this risk in the last years and simply relied on the
> > fact that people choose a secure (aka hard-to-guess) password. So we
> > just could return to this state.
> Do we have a way of restoring from backups to the state before a
> TRAC_ADMIN compromise?

The trac machine is backed up and we could probably restore the data
(assuming that the compromise didn't happen like ten years ago, the
backup is OK etc.).

Jens Kubieziel                                   http://www.kubieziel.de
The theatre will always exist, because people are surrounded by celluloid
and test-tube colleagues - there the theatre is a haven of
truthfulness. Tobias Moretti