-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server should not request user's password for GetAddSSHKey #36
Comments
I support this, but LDAP authentication makes me kind of sad all around 😦 In one scenario (the one you currently use), the LDAP server reveals user passwords (and thus has to store them reversibly!) to privileged services. In the other, services have to accept the raw user password and attempt to bind under those credentials. Kerberos is the "nicer" way to do it but that's a whole PITA of its own. |
I fully agree with you, and would like to have a nicer solution to this as well, but in the meantime doing the bind might be the lesser evil for several reasons:
|
Agreed, I was mostly just whining :) One thing that could make this a little cleaner: the hologram server On Monday, March 30, 2015, Fran Garcia notifications@github.com wrote:
|
That could work, but would require configuration allowing that from the ldap side, which is always a tradeoff. I'm going to bounce that idea with a couple of people here to see what kind of feedback I get. Thanks for the suggestions! |
When adding a new SSH Key through hologram-authorize, the server actually requests to the ldap server the user's password so it can compare its hash with the one sent by the user. Hologram should not request ldap for the user's password (among other reasons because implementations like AD won't actually return it) and should instead create a new connection to the ldap server and try to bind to it with the user-provided username/password combination.
( See https://github.com/AdRoll/hologram/blob/master/server/server.go#L152 )
The text was updated successfully, but these errors were encountered: