Improvements to password recovery system #1290
Comments
Hi @schakrava,
Starting tests on the password recovery system (both for the rockstor admin and root): First important note: from the login page on, everything is running with UID 0, so we are root also before auth on Rockstor (this lets us handle password recovery/mods).
Hi all developers ( @schakrava , @phillxnet and @priyaganti ) and users, actually I'd like to have your opinions to decide how to go on with the password recovery system. We assume our recovery system (rockstor admin and root user) must be at the same time easy to use and secure, so I've thought of different possible solutions:
Waiting for your opinions 😊
@MFlyer I think:
@MFlyer Good idea and I agree with @phillxnet concerning the preferred solution.
Hi @maxhq this is how I think it could work:
Pin card creation
Web UI user password reset
Root password reset
Here is a running pin card generator (backend only, just some rows and we've got a 16 pin card of 3 chars each one 😄 )
@MFlyer So you mean the user will have to enter all PIN card values, right?
No @maxhq , you'll have 16 pin codes and on password reset, for example, the system will ask you for pins 2, 6, 11 and 15 or others. It acts exactly like some home banking systems.
@MFlyer OK I see. I'll try to explain my security concerns / scenario:
To prevent this, the PIN code should be stored hashed/encrypted; this means hashing each PIN part individually to be able to request only a few of them from the user. But the hash of a short (e.g. 4 letter) string could IMHO be broken in a short time, so the hash would not add much protection. Am I too paranoid?
This is getting interesting 😄 @maxhq you're not paranoid and this is how I'm going to code it, after looking at my partner's home banking pin card too:
So we don't care about MD5 pin cracking? No, I care, but I'm not afraid of that: finally, if you don't know the current root password you can't access the DB tables and pin data (thinking about this we could also leave them in plain text, but anyway we'll have them encrypted!)
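The challenge scheme discussed in this thread (16 pins of 3 characters, the system asking for a few card positions, each pin hashed individually so that any subset can be checked), as an added example that is not Rockstor's code: it substitutes a salted PBKDF2 per pin for the MD5 mentioned above and reports the search space a 3-character pin leaves an offline attacker, which is the concern raised. The alphabet, iteration count and function names are assumptions.

```python
import hashlib
import os
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # assumed 36-symbol alphabet
PIN_COUNT, PIN_LEN, CHALLENGE_SIZE = 16, 3, 4        # 16 pins of 3 chars, ask for 4
KDF_ITERS = 100_000                                  # assumed PBKDF2 work factor


def generate_pincard():
    """Return 16 random 3-char pins; shown to the user once, then only hashes are kept."""
    return [''.join(secrets.choice(ALPHABET) for _ in range(PIN_LEN))
            for _ in range(PIN_COUNT)]


def hash_pin(pin, salt):
    # Each pin is hashed on its own (so any subset can be verified) but with a
    # slow KDF and a per-pin salt instead of a bare MD5 of the 3-char value.
    return hashlib.pbkdf2_hmac('sha256', pin.encode(), salt, KDF_ITERS)


def store_pincard(pins):
    """What the database keeps: one (salt, hash) pair per card position."""
    records = []
    for pin in pins:
        salt = os.urandom(16)
        records.append((salt, hash_pin(pin, salt)))
    return records


def make_challenge(rng=secrets.SystemRandom()):
    """Pick 4 distinct positions (1-based, as printed on the card), e.g. 2, 6, 11, 15."""
    return sorted(rng.sample(range(1, PIN_COUNT + 1), CHALLENGE_SIZE))


def verify_challenge(records, challenge, answers):
    """Check every requested pin; reject on any mismatch, comparing in constant time."""
    if len(answers) != len(challenge):
        return False
    ok = True
    for pos, answer in zip(challenge, answers):
        salt, stored = records[pos - 1]
        ok &= secrets.compare_digest(hash_pin(answer, salt), stored)
    return ok


def offline_guess_space():
    """Guesses needed to exhaust one hashed pin: 36**3 = 46656 for this alphabet."""
    return len(ALPHABET) ** PIN_LEN
```

Each stored hash can still be exhausted in at most 46656 guesses; the work factor only makes every guess expensive, so failed online attempts still need to be limited and a used card replaced.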
Hi all,
…ver django users
…ver django users part 2
…ver django users part 3 - correction
Suggestion needed @schakrava and @phillxnet : Over 3698af5 57e0aac 37aa19e (sorry for 3 commits, added missing files + removed an old testing with user_id + pin_number to be unique (example: rockstor_user-pin1, rockstor_user-pin2, etc etc, custom_user_with_web_ui_access-pinX)). Initially I thought to have it like a common model-view etc etc, but that's not really required (with one click the user generates pins, stored in MD5, and we won't see them except during creation for the pin card image file to be saved/printed), so probably, like on the logs manager, I'm going to use socketio again (1 call to generate pins + response pin codes in plain text. Other possible calls: to delete the pincard and generate a new one). Do you agree on not having view, template etc etc and just 2 buttons to generate/delete pin cards? Flyer/Mirko P.S.: while coding I accidentally mixed up Rockstor code / systems migration code...that was fun xD
@MFlyer My late answer: I was mainly afraid of someone hijacking a Rockstor session (where the hacker doesn't know any passwords yet) and then being able to reset user passwords and thus access user data.
Hi @maxhq , totally agree about Rockstor running as root, but that's required (otherwise you won't be able to perform root actions like editing samba conf, adding mnt vols, etc etc) and I think actually there's no different solution.
Hi @schakrava & @phillxnet , probably I'm missing one step so I'm going to ask for help:
EDIT : Don't care, I was doing it without adding the serializer 😉 ... Thanks in advance!
…key not working for system users - not stored over db
…ard. 3-state logic required over field pincard_allowed: no for sys users, yes whene allowed, otp when user allowed but missing mail notification for otp - ex. root user
…s check, pincard creation and password reset (last 2 to be implemented)
…nd pincard_allowed
…emente for missing mail settings for root user and check for existing Pincards
…emente for missing mail settings for root user and check for existing Pincards - tabs correction
…art of websockets for pincard creation - working. Currently not handling response for user to save pincard image/text
…entries after flushing current pins
…entries after flushing current pins
…le pincard creation via gevent.io
…as_pincard and pincard_allowed properties - required for user creation module
…ctor and pinmanager
…g version. Pincard rendered with canvas + selectable text
…id and uid simple value plus added func to convert from username to uid for pass reset
…pincard for password reset
…e otp requirements: if pincard already created for root user always check if email notifications are enabled
… - Correctly reset users pass - missing otp checks
…lled bootstrap alert-success box
…ce messages to frontend over emits (new pass if checks are ok, infos for password reset denied)
…working system - last step code revision
Fixed and closed with #1354
As suggested in the issue subject, referencing this forum thread too, probably we could improve the password recovery system