Author Topic: 'Blank' passwords  (Read 538 times)

brononius

  • Guru
  • ****
  • Posts: 379
  • Trying to keep it simple and centralized...
    • View Profile
    • OnIrIa - linuxMCE blog (runs on ... linuxmce server)
'Blank' passwords
« on: February 23, 2012, 10:31:06 am »
Hey,

I searched a bit, but couldn't find a straight answer.
How (and what's the risk) to change the default 'blank' password?

The database user is using a blank password, as well as the asterisk admin.
Can i just change this password? Or will it have impact on other stuff as well?

I was thinking about changing:
  • mysql user root
  • /etc/pluto.conf
  • asterisk admin user
  • ...

Reason for all this is that of course it's not very secure to use 'blank' password. And lately, a lot of software don't allow 'blank' passwords (fe phpmyadmin) by default...
Version: linuxMCE 1004 (v 2012-07-01)
Extra's: Cacti, webmin, phpmyadmin, joomla

Server: MSI MS-7519 / E7400 2,8GB / 4GB / SSD 60GB / Radeon HD4350 / RTL8111 - 3C905C-TX
Orbiters: HTC Desire Z, HP PocketPC, Samsung Galaxy S, iPAD, ASUS eeePAD
Automation: EIB technology, KNX IP ROUTER 750
Phones: Cisco 7940, Cisco 7960
Camera's: IPCAM02

sambuca

  • Guru
  • ****
  • Posts: 448
    • View Profile
Re: 'Blank' passwords
« Reply #1 on: February 23, 2012, 01:34:40 pm »
Hi,

This would be a research project to find out what works and what breaks, and how to fix it.

I would also suggest that you try to get your changes integrated into LinuxMCE if you get anywhere.

br,
sambuca

mkbrown69

  • Guru
  • ****
  • Posts: 195
    • View Profile
Re: 'Blank' passwords
« Reply #2 on: February 23, 2012, 05:59:45 pm »
Brononi,

Look into the package dbconfig-common. It's the means for creating database users in a manageable way using package mechanisms.

From the apt description...

Description: common framework for packaging database applications This package presents a policy and implementation for  managing various databases used by applications included in Debian packages.
 It can:
  - support MySQL, PostgreSQL, and sqlite based applications;
  - create or remove databases and database users;
  - access local or remote databases;
  - upgrade/modify databases when upstream changes database structure;
  - generate config files in many formats with the database info;
  - import configs from packages previously managing databases on their own;
  - prompt users with a set of normalized, pre-translated questions;
  - handle failures gracefully, with an option to retry;
  - do all the hard work automatically;
  - work for package maintainers with little effort on their part;
  - work for local admins with little effort on their part;
  - comply with an agreed upon set of standards for behavior;
  - do absolutely nothing if that is the whim of the local admin;
  - perform all operations from within the standard flow of package management (no additional skill is required of the local admin).

That's probably the best way forward.  It's what Debian and MythBuntu uses for MythTV/MySQL database management.  I too would like to see the security on the DB users tightened up, but I'm busy with a z/OS course for work which is eating up my spare time...

Hope that helps!

/Mike