password management with auth plugins


Ken Dreyer

May 17, 2012, 11:46:33 AM
to gito...@googlegroups.com
I was doing some more tidying up for my KerberosAuthentication module,
and I have a question about user account creation. Specifically, what
is the best policy for storing a "dummy" password for a user?

The LDAPAuthentication class will set a default static password of
"left_blank" in auto_register(). I'm concerned that this allows an
unexpected method of entry: when the DatabaseAuthentication plugin is
also active, lib/gitorious/authentication.rb will cycle through all
the auth plugins, and the DatabaseAuthentication plugin will allow the
user to login with this "left_blank" password string. I didn't
actually test this with the LDAP plugin yet, but it does happen in my
Kerberos plugin, and the auto_register() code is essentially the same.

I think it would be better to register the LDAP or Kerberos users with
cryptographically random passwords. What form do you recommend?

- Ken

Ken Dreyer

May 17, 2012, 12:02:14 PM
to gito...@googlegroups.com
On Thu, May 17, 2012 at 9:46 AM, Ken Dreyer <ktdr...@ktdreyer.com> wrote:
> I think it would be better to register the LDAP or Kerberos users with
> cryptographically random passwords. What form do you recommend?

Digging a bit more, it looks like the Crowd plugin suffers from the
same "default password in the database" problem. Here's a proposed
patch: call user.reset_password after saving the user.

Advantages:
1. The database password is no longer known to anyone.
2. Reuse the same cryptographic complexity upon which the usual "reset
password" application function relies.

- Ken
gitorious-rand-passwords.diff
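To make concrete the fall-through Ken describes in his first message (an external-auth plugin auto-registers a user with a fixed local password, and the database plugin then accepts that password) and the effect of the reset-after-save fix from his second, here is an added Ruby model of an authentication plugin chain. This is example code, not Gitorious code: the class names, the UserStore, the directory fixture and the salted SHA-256 stand-in for password hashing are all assumptions; only the "left_blank" string, the plugin-cycling behaviour and the idea of calling reset_password after saving come from the thread.

```ruby
require 'securerandom'
require 'digest'

# Toy local user table (login => salt + digest). Salted SHA-256 is only a
# stand-in for the application's real password hashing; the subject here is
# the plugin chain, not the hash.
class UserStore
  def initialize
    @users = {}
  end
  def exists?(login)
    @users.key?(login)
  end
  def create(login, password)
    salt = SecureRandom.hex(8)
    @users[login] = { salt: salt, digest: digest_for(password, salt) }
  end
  # Stand-in for user.reset_password: replace the stored credential with a
  # random value that nobody is ever told.
  def reset_password(login)
    create(login, SecureRandom.base64(32))
  end
  def password_matches?(login, candidate)
    rec = @users[login]
    return false unless rec
    constant_time_equal?(rec[:digest], digest_for(candidate, rec[:salt]))
  end

  private

  def digest_for(password, salt)
    Digest::SHA256.hexdigest("#{salt}:#{password}")
  end
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Plugin 1: checks the local password column.
class DatabaseAuthentication
  def initialize(store)
    @store = store
  end
  def authenticate(login, password)
    @store.password_matches?(login, password) ? login : nil
  end
end

# Plugin 2: checks an external directory (LDAP/Kerberos stand-in) and
# auto-registers a local row on first success. static_dummy: true keeps the
# fixed "left_blank" password from the thread; false applies the fix and
# resets the freshly saved row to a random password.
class ExternalAuthentication
  def initialize(store, directory, static_dummy:)
    @store, @directory, @static_dummy = store, directory, static_dummy
  end
  def authenticate(login, password)
    return nil unless @directory[login] == password
    auto_register(login) unless @store.exists?(login)
    login
  end

  private

  def auto_register(login)
    @store.create(login, "left_blank")
    @store.reset_password(login) unless @static_dummy
  end
end

# The chain tries each plugin in turn; the first one that accepts wins.
class AuthChain
  def initialize(*plugins)
    @plugins = plugins
  end
  def authenticate(login, password)
    @plugins.each do |plugin|
      user = plugin.authenticate(login, password)
      return user if user
    end
    nil
  end
end

DIRECTORY = { "alice" => "correct horse battery staple" }.freeze # constructed fixture

# Logs alice in once through the directory (which auto-registers her), then
# reports whether a second login with `candidate` is accepted by the chain.
def accepted_after_registration?(candidate, static_dummy:)
  store = UserStore.new
  chain = AuthChain.new(DatabaseAuthentication.new(store),
                        ExternalAuthentication.new(store, DIRECTORY, static_dummy: static_dummy))
  chain.authenticate("alice", DIRECTORY["alice"])
  !chain.authenticate("alice", candidate).nil?
end
```

With static_dummy: true, `accepted_after_registration?("left_blank", static_dummy: true)` is true: the database plugin, not the directory, lets "left_blank" in. With the reset applied it is false, while the real directory credential still works, because the database plugin now holds a value no one knows and the directory plugin is the only path that can succeed. The example mirrors the patch's order (save, then reset), so the row briefly holds the known dummy inside one request; generating the random value before the first save closes even that window.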

Marius Mårnes Mathiesen

May 24, 2012, 5:57:36 AM
to gito...@googlegroups.com
Ken,
That's an elegant solution. Would you mind sending a merge request for that?

Cheers,
- Marius

--
Marius Mårnes Mathiesen
Rubyist, Shortcut AS
Tel.: (+47) 92 60 95 38.

http://shortcut.no

Ken Dreyer

May 24, 2012, 9:13:48 AM
to gito...@googlegroups.com
On Thu, May 24, 2012 at 3:57 AM, Marius Mårnes Mathiesen
<marius.m...@gmail.com> wrote:
> That's an elegant solution. Would you mind sending a merge request for that?

Sure thing, submitted at
https://gitorious.org/gitorious/mainline/merge_requests/205

- Ken

Ken Dreyer

May 31, 2012, 1:46:15 PM
to gito...@googlegroups.com
Gitorious devs,

Are there any objections to merging this, particularly since it's
security-related?

I've got two other merge requests pending (#202 and #204) that I'd be
happy to see merged also :)

- Ken

Marius Mårnes Mathiesen

Jun 1, 2012, 3:46:01 AM
to gito...@googlegroups.com
On Thu, May 31, 2012 at 7:46 PM, Ken Dreyer <ktdr...@ktdreyer.com> wrote:
> On Thu, May 24, 2012 at 7:13 AM, Ken Dreyer <ktdr...@ktdreyer.com> wrote:
>> On Thu, May 24, 2012 at 3:57 AM, Marius Mårnes Mathiesen
>> <marius.m...@gmail.com> wrote:
>>> That's an elegant solution. Would you mind sending a merge request for that?
>>
>> Sure thing, submitted at
>> https://gitorious.org/gitorious/mainline/merge_requests/205
>
> Gitorious devs,
>
> Are there any objections to merging this, particularly since it's
> security-related?

Apart from lack of time: no :-) Just merged it now.

> I've got two other merge requests pending (#202 and #204) that I'd be
> happy to see merged also :)

Sure - we'll just need to spend a few minutes on those, hopefully next week!

Cheers
- Marius