Werk #15183: Drop support for outdated password hashing schemes

Component Setup, site management
Title Drop support for outdated password hashing schemes
Date Jan 18, 2023
Checkmk Editon Checkmk Raw (CRE)
Checkmk Version 2.2.0i1
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required

With Checkmk 2.2.0 the support for older and in part insecure password hashing schemes has been removed.

As a result, it is possible that some local users cannot log in anymore. omd update will now inform about these cases.

Since Werk #14391 old password hashes were either automatically updated upon login or users were asked to choose new passwords, depending on how old and insecure their hashes were. However, if a user has not logged in at all since Werk #14391 it is possible that they still use the old hashing scheme. These users will not be able to log in after the update, since support for these schemes has been removed. The login will fail with the message "Invalid login".

In order to restore access for affected users, you need to manually reset their password. This can be done either via user management in Setup > Users or via the commandline using cmk-passwd.

Even though this Werk is related to security, it does not fix any exploitable issue. To aid automatic scanners, we assign a CVSS score of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

To the list of all Werks