Bug #2108

Updated by Dominic Cleal almost 6 years ago

Using the Internal user AUTH system gives the default admin user with admin / changeme as the credentials

Currently you cannot delete this user via the user interface (it gives a nice error saying you cant delete it) it would be good to allow this account to be deleted IF there is another administrator account configured, this would help people being security conscious who use the foreman user auth system on its own to help prevent brute force attacks by not giving a would be attacker half of your user credentials out of the box

ultimately it would be awesome to be able to rename or control the username of the main admin account at setup time (in a wordpress style fashion to give a reasonable example)

Although this is a Feature request really, i would consider it a security bug personally so have left it as such pending better classification by others

I should point out also that I was able to successfully remove the admin user from the database via standard mysql tools and it has had no abnormal effects so far in my limited testing