[BlueOnyx:19548] Re: 5209R Initial Setup Issue

Michael Stauber mstauber at blueonyx.it
Mon May 2 16:56:35 -05 2016


Hi Lee,

> It appears that CodeIgniter is failing on a '!' in any password set.
> I've tried with an alternative character and it's been successful.

I just gave it a whirl myself and found a couple of interesting
problems. For starters: The "admin" password was way more lenient in
allowing special characters than the MySQL field. That shouldn't be.
Both should ideally accept the same passwords. Although it's a good
practice to use a different password for MySQL than for the root/admin
of a box.

After some more digging I then found that the regular expression we use
to validate passwords is way more permissive than what our architecture
actually can handle with ease. Partially this is due to the octal
storage of complex ASCII characters in CODB and partially this is due to
limitations of how we talk to CCEd.

Example: Password has a space. You can set a password with a space via
the GUI, as the regular expression allowed it. But the actual login
where PHP talks with CCEd via the cce.so PHP module? It uses a syntax
like this:

auth admin password

Without escaping the password, e.g. by putting it into quotation marks. So
a password with a space (or more) would only get interpreted up to the
first space:

auth admin partial-password rest-of-pw-after-space

The alternative CCE.php class escapes passwords and uses something like
this:

auth admin "password"

So spaces would be allowed as the whole password is properly escaped.
But cce.so is 5-7x faster, so we'd rather use that one instead of the CCE
PHP class. Which means: No more spaces in passwords allowed. :p

So one by one I worked myself through the ASCII table to find out which
chars we can use and which not. It boils down to this:

Forbidden:
whitespace plus the following: "&'/<>?@[/]^_`{|}~

Allowed:
Anything alphanumeric plus: !#$%()*+,-.:;=

The list of forbidden characters could be shorter. But the limitations
are not all CCEd/CODB related. Some of them are due to the XSS filter of
CodeIgniter, others due to issues with Perl Handlers and lastly some are
due to our cce.so PHP module. Most of it ought to be fixable in the
longer run.

Hence I'll do the following for now:

1.) Publish an updated sausalito-cce*, base-mysql and base-alpine which
reflect the above code changes. When entering passwords it'll complain
if the password contains any unsupported character. Hence you'll
immediately know if your entered password will work or not. More
importantly: It'll only let you set a password that actually can be used
in the login page to log back in to the server.

2.) More long term: Fix the architectural problems in the various parts
of BlueOnyx that prevent usage of all/most of the currently forbidden
characters in passwords.

I'll try to publish the interim updates today. I'll also have to roll up
a new 5209R ISO to make sure people who don't run YUM updates don't
immediately run into this (fixed) problem and get a bad first impression.

-- 
With best regards

Michael Stauber


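The whitelist Michael arrives at, and the truncation he describes on the cce.so login path, modelled in a small script. This is an added example written for this archive page, not code from BlueOnyx, CodeIgniter, cce.so or CCEd, and it is in Python rather than the PHP the GUI uses. It assumes exactly what the mail states: the allowed set is alphanumerics plus `!#$%()*+,-.:;=`, an unquoted `auth admin password` line is read up to the first space, and a double-quoted password (the CCE.php path) is read whole. The tokenizer that plays CCEd is a stand-in, not a reproduction of CCEd's real parser.

```python
"""Model of the password-character problem described in the mail above.

Added example, not code from BlueOnyx, CodeIgniter, cce.so or CCEd.  It
assumes two things taken from the mail: the whitelist of characters a
password may contain, and that CCEd reads an unquoted "auth user password"
line up to the first space while honouring double quotes when the CCE.php
path wraps the password in them.  cced_parse_auth() is a stand-in for
CCEd's real parser, not a copy of it.
"""
from __future__ import annotations

import re
import shlex

# Whitelist from the mail: alphanumerics plus  !#$%()*+,-.:;=
# Anything else (whitespace, "&'/<>?@[\]^_`{|}~ and non-ASCII) is rejected.
ALLOWED_PUNCT = "!#$%()*+,-.:;="
PASSWORD_RE = re.compile(r"[A-Za-z0-9" + re.escape(ALLOWED_PUNCT) + r"]+")


def is_supported_password(password: str) -> bool:
    """True only for a non-empty password built entirely from whitelisted characters."""
    return PASSWORD_RE.fullmatch(password) is not None


def unsupported_chars(password: str) -> str:
    """Every character the whitelist rejects, in first-seen order, without duplicates.

    This is what the GUI should echo back so the user knows exactly what to
    remove, instead of silently storing a password that cannot log in."""
    bad: list[str] = []
    for ch in password:
        ok = ch.isascii() and (ch.isalnum() or ch in ALLOWED_PUNCT)
        if not ok and ch not in bad:
            bad.append(ch)
    return "".join(bad)


def unquoted_auth_line(user: str, password: str) -> str:
    """The cce.so path as described: the password goes on the line unescaped."""
    return f"auth {user} {password}"


def quoted_auth_line(user: str, password: str) -> str:
    """The CCE.php path as described: the password is wrapped in double quotes."""
    return f'auth {user} "{password}"'


def cced_parse_auth(line: str) -> tuple[str, str]:
    """Stand-in for CCEd's command parser (assumption): whitespace-separated
    words, with double quotes grouping a word.  Returns (user, password)."""
    words = shlex.split(line)
    if len(words) < 3 or words[0] != "auth":
        raise ValueError(f"not an auth command: {line!r}")
    return words[1], words[2]


def password_seen_at_login(password: str, quoted: bool) -> str:
    """What CCEd ends up comparing against the stored password."""
    line = (quoted_auth_line("admin", password) if quoted
            else unquoted_auth_line("admin", password))
    return cced_parse_auth(line)[1]


def set_and_login_roundtrip(password: str, quoted: bool = False) -> bool:
    """The guarantee the interim fix aims for: a password the GUI accepts must
    arrive at CCEd unchanged on the login path, so the user can log back in."""
    if not is_supported_password(password):
        return False
    return password_seen_at_login(password, quoted) == password


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["S3cret!", "pa ss", "p@ss", "Plain.Pass-123"]:
        print(f"{pw!r}: supported={is_supported_password(pw)}, "
              f"rejected chars={unsupported_chars(pw)!r}")
    # The truncation from the mail: unquoted, "pa ss" is authenticated as "pa".
    print(password_seen_at_login("pa ss", quoted=False))
    print(password_seen_at_login("pa ss", quoted=True))
```

Because the whitelist already excludes whitespace and every quoting character, the round-trip check passes for anything the validator lets through, which is the property the interim update restores; the quoted path only matters once the longer-term fixes widen the allowed set.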
