Improvements to password recovery system

[MFlyer]

As suggestend in the issue subject, referencing this forum thread too, probably we could improve password recovery system

[MFlyer]

Hi @schakrava,
if you agree and nobody is against it, I'd like to get assignee for this: log reader/downloader is proceding and i'd like to work on this too (thinking about a "quiz like" system for direct password recovery) - think about it like a debt i feel to Vinima 😊

[MFlyer]

Starting tests on password recovery system (both for rockstor admin and root):

First important note: since login page all is running with UID 0, so we are root also before auth on Rockstor (this let us handle password recovery/mods)

[MFlyer]

Hi all developers ( @schakrava , @phillxnet and @priyaganti ) and users, actually I'd like to have your opinions to decide how to go on with the password recovery system.

We assume our recovery system (rockstor admin and root user) must be at the same time easy to use and secure, so I've thought to different possible solutions:

• Opt. 1 : "quiz system" to reset passwords (at first i thought only to this one) - a set of 50/100 (?) questions every user has to answer to and randomly selected 7-10 for password reset
• Opt. 2 : "home banking like system" with a n digits card (ex. 1 = 4, 2 = 9, n = x) plus otp password sent to admin mail
• Opt. 3 : last but not least our old friend RSA with key pair ( 1 key pair for each user, on password reset request Rockstor encrypt with rsa related to user, on client side public key added and posted to server for check, than password reset )
• Opt. 4 : maybe a mix of 1-2-3 ??

Waiting for your opinions 😊

[phillxnet]

@MFlyer I think:
Opt 1 is too prone to error and will just be skipped.
Opt 2 My favourite as it is essentially a recovery password with will never be re-entered in full.
Opt 3 akin to 1 and that isn't too complicated.
Opt 4 mixed may involve additional complexity.
So I guess a system recovery password in addition to the root and user pass on first login; with special attention paid to user hint at stashing root and recovery passwords. This way we have at least on other password to fall back on.

[maxhq]

@MFlyer Good idea and I agree with @phillxnet concerning the preferred solution.
My only worries are about the technical side: if not all digits/letters are entered, how can a hashed password be verified?
The OTP password could be difficult if a user did not set up email properly (small home installations).

[MFlyer]

Hi @maxhq this is how i think it could work:

Pin card creation

• Inside Rockstor users create their "pin card" (backend autocreate random pairs) and print it/save it

Web ui user password reset

• Pin card let users to reset rockstor webui user password (generated always on backend, preferably to be changed by users once logged)

Root password reset

• root password reset via web UI needs email notifications to be enabled
• on root pass reset users will have to insert both pin card values + otp sent via mail (otherwise root reset will be only possible via standard way - reboot with rescue mode etc etc etc)

[MFlyer]

Here is a running pin card generator (backend only, just some rows and we've got a 16 pin of 3 chars eachone 😄 )

http://pythonfiddle.com/pin-card-generator-example

[maxhq]

@MFlyer So you mean the user will have to enter all PIN card values right?

[MFlyer]

So you mean the user will have to enter all PIN card values right?

No @maxhq , you'll have 16 pin codes and on password reset for example system will ask you for pin 2, 6, 11 and 15 or others. It acts exactly like some home banking system

[maxhq]

@MFlyer OK I see. I'll try to explain my security concerns / scenario:

1. someone manages to hack into a user account/session and is able to at least read the DB
2. hacker reads the plain text PIN from DB and resets the password via web UI
3. hacker accesses the filesystem with the new password

To prevent this, the PIN code should be stored hashed/encrypted, this means to hash each PIN part individually to be able to request only a few of them from the user. But the hash of a short (e.g. 4 letter) string could IMHO be broken in a short time so the hash would not add much protection.

Am I too paranoid?

[MFlyer]

This is getting interesting 😄

@maxhq you're not paranoid and this is how I'm going to code, after looking to my partner home banking pin card too:

• Pin card with 24 * 3 chars pins (that means a 72 chars string)
• Every pin will not stored in plain text, but on MD5, although cracking a 3 chars md5 it's quite easy (pls read this interesting post from Jeff Atwood, Stack Overflow daddy and Discourse - forum system used by Rockstor too - co-founder)

So we don't care about MD5 pins cracking? No, I care, but I'm not afraid about that:
Rockstor postgresql dbs are accessible only from localhost and if you want to connect to a Rockstor db from another machine you have to append connection over an ssh tunnel, so that means you already know root password -> if you already know root password you don't need to crack pins to reset root password 😉

Finally, if you don't know current root password you can't access dbs tables and pins data (thinking about this we should also leave them in plain text, but anyway we'll have them encrypted!)

[MFlyer]

Hi all,
coding session starting asap, again in the middle of a migration between 3 systems for my work till end of may 😱

[MFlyer]

Suggestion needed @schakrava and @phillxnet :

Over 3698af5 57e0aac 37aa19e (sorry for 3 commits, added missing files + removed and old testing __init__ file) we've created our Pincard table (autoid, user_id - onetoone to django auth users -, pin_number and pin_code - see next image)

with user_id + pin_number to be unique (example: rockstor_user-pin1, rockstor_user-pin2, etc etc, custom_user_with_web_ui_access-pinX)

Initially thought to have it like a common model-view etc etc, but that's not really required (with one click user generates pins, stored in MD5, and we won't see them except during creation for pin card image file to be saved/printed) so probably like on logs manager going to use socketio again (1 call to generate pin + response pin codes in plain text. Other possible calls: to delete pincard and generate a new one). Do you agree on not having view, template etc etc and just 2 buttons to generate/delete pin cards?

Flyer/Mirko

P.S.: while coding accidentally mixed up Rockstor code / systems migration code...that was fun xD

[maxhq]

@MFlyer My late answer: I was mainly afraid of someone hijacking a Rockstor session (where the hacker doesn't know any passwords yet) and then being able to reset user passwords and thus access user data.
But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

[MFlyer]

But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

Hi @maxhq , totally agree about Rockstor running like root, but that's required (otherwise you won't be able to perform root actions like editing samba conf, adding mnt vols, etc etc) and i think actually there's no different solution.
Talking about someone hijacking Rockstor: it isn't so easy, believe me, that would be a MITM (Man in The Middle) between you and Rockstor over https connection. Direct hack over rockstor web page?? Same way, not so easy to pass custom commands (if I'm right Django itself has some checks preventing sql injections / hijacking)

[MFlyer]

Hi @schakrava & @phillxnet , probably I'm missing one step so going to ask for help:

• Pincard model will be without foreign key (ok for Rockstor managed users, but not for system user root) - solved and manually handle it over UIDs

Dynamic properties/fields : I don't want to change user model, so using a dynamic/on the fly property defined inside UserListView to check if user has pincard and if user can have pins, but not able to show it on frontend.

I know you can do something like

mydata = model.objects.all()
for x in mydata:
somecondition = etc etc
if somecondition:
x.somecondition = 'etcetc'
else:
x.somecondition = 'othertext'

and then have x.somecondition available in you template, but this doesn't work over backbone collections. Any suggestion?? :)

EDIT : Don't care, I was doing without adding the serializer 😉 ...

Thanks in advance!
Flyer

[MFlyer]

Fixed and closed with #1354