Re: [virgo-dev] Should we change the default access to the admin console?

I'm not a Virgo dev, but I want to contribute. I think that a disabled admin console is safer, with comprehensive documentation of how to enable and configure it. The user will need to do that anyway, in the production environment :).

Eduardo Frazão


2014-02-14 12:28 GMT-02:00 Markus Knauer <mknauer@xxxxxxxxxxxxxxxxx>:
That's very much in line with my own opinion. When we were discussing this issue in the kitchen my favourite solution was the 'Tomcat' way - it doesn't open anything to the public without a dedicated action by an admin/developer, and at the same time it is not overly complex to enable access by an (inexperienced) user. With a hint as error message it should be fairly easy to set up a user and a password.

Regards,
Markus



On Fri, Feb 14, 2014 at 3:16 PM, John Arthorne <John_Arthorne@xxxxxxxxxx> wrote:
I'm a Virgo outsider and don't have any stake in this, but I think having default passwords adds unnecessary security risk. It is an open source project and everyone can see the default password, and it's just ammunition for script kids scanning for exploits. In Orion we disable admin account by default and someone has to explicitly define a password in server configuration before the admin account is activated. This really doesn't add a lot of difficulty for a server admin and closes an obvious potential security hole. Just my $0.05.

John




From: Glyn Normington <gnormington@xxxxxxxxxxxxx>
To: Virgo Project <virgo-dev@xxxxxxxxxxx>,
Date: 02/14/2014 06:37 AM
Subject: Re: [virgo-dev] Should we change the default access to the admin console?
Sent by: virgo-dev-bounces@xxxxxxxxxxx




Virgo has never had any complaints about its current default password, so admin/admin seems fine to me.

On 14/02/2014 11:25, Florian Waibel wrote:
A request to use an easy-to-remember password for the admin console kicked off some kitchen talk over here.

There are two opposite opinions: Ease of use for Devs vs. safety-net for Ops.

a) Apache Karaf Way: Change the credentials to admin/admin - instantly ready for rumble in development.
b) Apache Tomcat Way: Disable console by default with a hint where to configure the access.

Any opinions?




_______________________________________________
virgo-dev mailing list
virgo-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/virgo-dev
