Opened 3 years ago

Closed 3 years ago

#18897 closed New feature (wontfix)

add the password as 2nd argument to changepassword command

Reported by: maduma@…
Owned by: nobody
Component: Core (Management commands)
Version: 1.4
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Added the possibility to pass the username and the password to the 'changepassword' command.
This was the only cmd that needs user input during initial setup.

# rm sqlite3.db; python manage.py syncdb --noinput; \
python manage.py createsuperuser --noinput --username=maduma --email=maduma@pt.lu; \
python manage.py changepassword maduma not4u

# python manage.py changepassword maduma not4u
Changing password for user 'maduma'
Password changed successfully for user 'maduma'

# diff changepassword-old.py changepassword.py
25,26c25,26
<         if len(args) > 1:
<             raise CommandError("need exactly one or zero arguments for username")
---
>         if len(args) > 2:
>             raise CommandError("need exactly one, two or zero arguments for username and password")
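Review bot: the new CommandError text at new line 26, "need exactly one, two or zero arguments for username and password", does not say which argument is which or in what order they are expected. Suggest stating the accepted form directly, for example "usage: changepassword [username [password]]". No hunk in this diff updates the command's help text for the new positional argument either, so that would need to come with it.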
28c28,30
<         if args:
---
>         if len(args) == 2:
>             username, p1 = args
>         elif len(args) == 1:
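Review bot: `username, p1 = args` at new line 29 takes the password from the command line, so it is written to shell history, as the invocation `python manage.py changepassword maduma not4u` in the description would be, and it will be copied into any script that wraps the command. This branch also bypasses the second "Password (again)" entry that the interactive path uses to catch typos. If unattended setup is the goal, the password should reach the command through a channel other than argv, and the prompt should remain the default path.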
40,48c42,53
<         MAX_TRIES = 3
<         count = 0
<         p1, p2 = 1, 2  # To make them initially mismatch.
<         while p1 != p2 and count < MAX_TRIES:
<             p1 = self._get_pass()
<             p2 = self._get_pass("Password (again): ")
<             if p1 != p2:
<                 self.stdout.write("Passwords do not match. Please try again.\n")
<                 count = count + 1
---
>         if not p1:
>             MAX_TRIES = 3
>             count = 0
>             p1, p2 = 1, 2  # To make them initially mismatch.
>             while p1 != p2 and count < MAX_TRIES:
>                 p1 = self._get_pass()
>                 p2 = self._get_pass("Password (again): ")
>                 if p1 != p2:
>                     self.stdout.write("Passwords do not match. Please try again.\n")
>                     count = count + 1
>             if count == MAX_TRIES:
>                 raise CommandError("Aborting password change for user '%s' after %s attempts" % (username, count))
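Review bot: `if not p1:` at new line 42 reads p1 on the one-argument and zero-argument paths, where nothing in this diff assigns it; only the two-argument branch (`username, p1 = args`) does. Unless p1 is initialised before the argument check, for example with `p1 = None`, the interactive case fails with an unbound-name error instead of prompting. The truthiness test also treats an empty string passed as the second argument as "no password given" and silently falls back to the prompt; comparing against None would make the intent explicit.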
50,52d54
<         if count == MAX_TRIES:
<             raise CommandError("Aborting password change for user '%s' after %s attempts" % (username, count))
<

Change History (1)

comment:1 Changed 3 years ago by russellm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the suggestion; however, I'm going to reject this as a feature request.

Passwords should always be entered manually from a TTY input. Any mechanism to work around this is a potential security risk. Consider:

  • If something can be put on the command line, someone is going to try and use the argument in a script.
  • If you type the password at the command line, it will be preserved in command history, which means anyone who can get access to your login can find out your password, too.
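
The history exposure described in the second bullet, turned into an audit check (an added example, not code from the ticket or from Django): it scans shell history text for `changepassword` invocations that carry a second positional argument, as the rejected patch would have allowed, and reports them with the password redacted. The sample history, the function names and the `--name=value` option assumption are constructed for illustration.

```python
import shlex

# Constructed sample history for illustration; not taken from the ticket.
SAMPLE_HISTORY = """\
python manage.py syncdb --noinput
python manage.py createsuperuser --noinput --username=alice --email=alice@example.test
rm sqlite3.db; python manage.py changepassword alice 'hunter2 example'
python manage.py changepassword alice
./manage.py changepassword bob s3cret-example
"""

SEPARATORS = {";", "&&", "||", "|", "&"}

def split_commands(line):
    """Tokenise one history line and split it into argv lists at shell separators."""
    # punctuation_chars combined with whitespace_split needs Python 3.8 or later.
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [argv for argv in commands if argv]

def find_password_args(history_text):
    """Return (line_number, username, redacted_command) for each exposed password."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        try:
            commands = split_commands(line)
        except ValueError:  # unbalanced quotes; not a complete command line
            continue
        for argv in commands:
            if "changepassword" not in argv:
                continue
            start = argv.index("changepassword") + 1
            # Assumption: options are written as --name=value, so every
            # non-dash token after the subcommand is positional.
            positional = [i for i in range(start, len(argv)) if not argv[i].startswith("-")]
            if len(positional) >= 2:  # username followed by a password
                redacted = list(argv)
                redacted[positional[1]] = "<redacted>"
                hits.append((lineno, argv[positional[0]], " ".join(redacted)))
    return hits
```

Run `find_password_args()` over the contents of a history file or a provisioning script; each hit is a password that should be rotated.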