New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improvements to password recovery system #1290

Closed
MFlyer opened this Issue Apr 23, 2016 · 21 comments

Comments

Projects
None yet
4 participants
@MFlyer
Member

MFlyer commented Apr 23, 2016

As suggestend in the issue subject, referencing this forum thread too, probably we could improve password recovery system

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer Apr 24, 2016

Member

Hi @schakrava,
if you agree and nobody is against it, I'd like to get assignee for this: log reader/downloader is proceding and i'd like to work on this too (thinking about a "quiz like" system for direct password recovery) - think about it like a debt i feel to Vinima 😊

Member

MFlyer commented Apr 24, 2016

Hi @schakrava,
if you agree and nobody is against it, I'd like to get assignee for this: log reader/downloader is proceding and i'd like to work on this too (thinking about a "quiz like" system for direct password recovery) - think about it like a debt i feel to Vinima 😊

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 24, 2016

Member

Starting tests on password recovery system (both for rockstor admin and root):

First important note: since login page all is running with UID 0, so we are root also before auth on Rockstor (this let us handle password recovery/mods)

Member

MFlyer commented May 24, 2016

Starting tests on password recovery system (both for rockstor admin and root):

First important note: since login page all is running with UID 0, so we are root also before auth on Rockstor (this let us handle password recovery/mods)

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 24, 2016

Member

Hi all developers ( @schakrava , @phillxnet and @priyaganti ) and users, actually I'd like to have your opinions to decide how to go on with the password recovery system.

We assume our recovery system (rockstor admin and root user) must be at the same time easy to use and secure, so I've thought to different possible solutions:

  • Opt. 1 : "quiz system" to reset passwords (at first i thought only to this one) - a set of 50/100 (?) questions every user has to answer to and randomly selected 7-10 for password reset
  • Opt. 2 : "home banking like system" with a n digits card (ex. 1 = 4, 2 = 9, n = x) plus otp password sent to admin mail
  • Opt. 3 : last but not least our old friend RSA with key pair ( 1 key pair for each user, on password reset request Rockstor encrypt with rsa related to user, on client side public key added and posted to server for check, than password reset )
  • Opt. 4 : maybe a mix of 1-2-3 ??

Waiting for your opinions 😊

Member

MFlyer commented May 24, 2016

Hi all developers ( @schakrava , @phillxnet and @priyaganti ) and users, actually I'd like to have your opinions to decide how to go on with the password recovery system.

We assume our recovery system (rockstor admin and root user) must be at the same time easy to use and secure, so I've thought to different possible solutions:

  • Opt. 1 : "quiz system" to reset passwords (at first i thought only to this one) - a set of 50/100 (?) questions every user has to answer to and randomly selected 7-10 for password reset
  • Opt. 2 : "home banking like system" with a n digits card (ex. 1 = 4, 2 = 9, n = x) plus otp password sent to admin mail
  • Opt. 3 : last but not least our old friend RSA with key pair ( 1 key pair for each user, on password reset request Rockstor encrypt with rsa related to user, on client side public key added and posted to server for check, than password reset )
  • Opt. 4 : maybe a mix of 1-2-3 ??

Waiting for your opinions 😊

@phillxnet

This comment has been minimized.

Show comment
Hide comment
@phillxnet

phillxnet May 24, 2016

Member

@MFlyer I think:
Opt 1 is too prone to error and will just be skipped.
Opt 2 My favourite as it is essentially a recovery password with will never be re-entered in full.
Opt 3 akin to 1 and that isn't too complicated.
Opt 4 mixed may involve additional complexity.
So I guess a system recovery password in addition to the root and user pass on first login; with special attention paid to user hint at stashing root and recovery passwords. This way we have at least on other password to fall back on.

Member

phillxnet commented May 24, 2016

@MFlyer I think:
Opt 1 is too prone to error and will just be skipped.
Opt 2 My favourite as it is essentially a recovery password with will never be re-entered in full.
Opt 3 akin to 1 and that isn't too complicated.
Opt 4 mixed may involve additional complexity.
So I guess a system recovery password in addition to the root and user pass on first login; with special attention paid to user hint at stashing root and recovery passwords. This way we have at least on other password to fall back on.

@maxhq

This comment has been minimized.

Show comment
Hide comment
@maxhq

maxhq May 25, 2016

Contributor

@MFlyer Good idea and I agree with @phillxnet concerning the preferred solution.
My only worries are about the technical side: if not all digits/letters are entered, how can a hashed password be verified?
The OTP password could be difficult if a user did not set up email properly (small home installations).

Contributor

maxhq commented May 25, 2016

@MFlyer Good idea and I agree with @phillxnet concerning the preferred solution.
My only worries are about the technical side: if not all digits/letters are entered, how can a hashed password be verified?
The OTP password could be difficult if a user did not set up email properly (small home installations).

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 25, 2016

Member

Hi @maxhq this is how i think it could work:

Pin card creation

  • Inside Rockstor users create their "pin card" (backend autocreate random pairs) and print it/save it

Web ui user password reset

  • Pin card let users to reset rockstor webui user password (generated always on backend, preferably to be changed by users once logged)

Root password reset

  • root password reset via web UI needs email notifications to be enabled
  • on root pass reset users will have to insert both pin card values + otp sent via mail (otherwise root reset will be only possible via standard way - reboot with rescue mode etc etc etc)
Member

MFlyer commented May 25, 2016

Hi @maxhq this is how i think it could work:

Pin card creation

  • Inside Rockstor users create their "pin card" (backend autocreate random pairs) and print it/save it

Web ui user password reset

  • Pin card let users to reset rockstor webui user password (generated always on backend, preferably to be changed by users once logged)

Root password reset

  • root password reset via web UI needs email notifications to be enabled
  • on root pass reset users will have to insert both pin card values + otp sent via mail (otherwise root reset will be only possible via standard way - reboot with rescue mode etc etc etc)
@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 25, 2016

Member

Here is a running pin card generator (backend only, just some rows and we've got a 16 pin of 3 chars eachone 😄 )

http://pythonfiddle.com/pin-card-generator-example

Member

MFlyer commented May 25, 2016

Here is a running pin card generator (backend only, just some rows and we've got a 16 pin of 3 chars eachone 😄 )

http://pythonfiddle.com/pin-card-generator-example

@maxhq

This comment has been minimized.

Show comment
Hide comment
@maxhq

maxhq May 25, 2016

Contributor

@MFlyer So you mean the user will have to enter all PIN card values right?

Contributor

maxhq commented May 25, 2016

@MFlyer So you mean the user will have to enter all PIN card values right?

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 25, 2016

Member

So you mean the user will have to enter all PIN card values right?

No @maxhq , you'll have 16 pin codes and on password reset for example system will ask you for pin 2, 6, 11 and 15 or others. It acts exactly like some home banking system

Member

MFlyer commented May 25, 2016

So you mean the user will have to enter all PIN card values right?

No @maxhq , you'll have 16 pin codes and on password reset for example system will ask you for pin 2, 6, 11 and 15 or others. It acts exactly like some home banking system

@maxhq

This comment has been minimized.

Show comment
Hide comment
@maxhq

maxhq May 25, 2016

Contributor

@MFlyer OK I see. I'll try to explain my security concerns / scenario:

  1. someone manages to hack into a user account/session and is able to at least read the DB
  2. hacker reads the plain text PIN from DB and resets the password via web UI
  3. hacker accesses the filesystem with the new password

To prevent this, the PIN code should be stored hashed/encrypted, this means to hash each PIN part individually to be able to request only a few of them from the user. But the hash of a short (e.g. 4 letter) string could IMHO be broken in a short time so the hash would not add much protection.

Am I too paranoid?

Contributor

maxhq commented May 25, 2016

@MFlyer OK I see. I'll try to explain my security concerns / scenario:

  1. someone manages to hack into a user account/session and is able to at least read the DB
  2. hacker reads the plain text PIN from DB and resets the password via web UI
  3. hacker accesses the filesystem with the new password

To prevent this, the PIN code should be stored hashed/encrypted, this means to hash each PIN part individually to be able to request only a few of them from the user. But the hash of a short (e.g. 4 letter) string could IMHO be broken in a short time so the hash would not add much protection.

Am I too paranoid?

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 26, 2016

Member

This is getting interesting 😄

@maxhq you're not paranoid and this is how I'm going to code, after looking to my partner home banking pin card too:

  • Pin card with 24 * 3 chars pins (that means a 72 chars string)
  • Every pin will not stored in plain text, but on MD5, although cracking a 3 chars md5 it's quite easy (pls read this interesting post from Jeff Atwood, Stack Overflow daddy and Discourse - forum system used by Rockstor too - co-founder)

So we don't care about MD5 pins cracking? No, I care, but I'm not afraid about that:
Rockstor postgresql dbs are accessible only from localhost and if you want to connect to a Rockstor db from another machine you have to append connection over an ssh tunnel, so that means you already know root password -> if you already know root password you don't need to crack pins to reset root password 😉

Finally, if you don't know current root password you can't access dbs tables and pins data (thinking about this we should also leave them in plain text, but anyway we'll have them encrypted!)

Member

MFlyer commented May 26, 2016

This is getting interesting 😄

@maxhq you're not paranoid and this is how I'm going to code, after looking to my partner home banking pin card too:

  • Pin card with 24 * 3 chars pins (that means a 72 chars string)
  • Every pin will not stored in plain text, but on MD5, although cracking a 3 chars md5 it's quite easy (pls read this interesting post from Jeff Atwood, Stack Overflow daddy and Discourse - forum system used by Rockstor too - co-founder)

So we don't care about MD5 pins cracking? No, I care, but I'm not afraid about that:
Rockstor postgresql dbs are accessible only from localhost and if you want to connect to a Rockstor db from another machine you have to append connection over an ssh tunnel, so that means you already know root password -> if you already know root password you don't need to crack pins to reset root password 😉

Finally, if you don't know current root password you can't access dbs tables and pins data (thinking about this we should also leave them in plain text, but anyway we'll have them encrypted!)

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 27, 2016

Member

Hi all,
coding session starting asap, again in the middle of a migration between 3 systems for my work till end of may 😱

Member

MFlyer commented May 27, 2016

Hi all,
coding session starting asap, again in the middle of a migration between 3 systems for my work till end of may 😱

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue May 30, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue May 30, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue May 30, 2016

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 30, 2016

Member

Suggestion needed @schakrava and @phillxnet :

Over 3698af5 57e0aac 37aa19e (sorry for 3 commits, added missing files + removed and old testing __init__ file) we've created our Pincard table (autoid, user_id - onetoone to django auth users -, pin_number and pin_code - see next image)
pincard

with user_id + pin_number to be unique (example: rockstor_user-pin1, rockstor_user-pin2, etc etc, custom_user_with_web_ui_access-pinX)

Initially thought to have it like a common model-view etc etc, but that's not really required (with one click user generates pins, stored in MD5, and we won't see them except during creation for pin card image file to be saved/printed) so probably like on logs manager going to use socketio again (1 call to generate pin + response pin codes in plain text. Other possible calls: to delete pincard and generate a new one). Do you agree on not having view, template etc etc and just 2 buttons to generate/delete pin cards?

Flyer/Mirko

P.S.: while coding accidentally mixed up Rockstor code / systems migration code...that was fun xD

Member

MFlyer commented May 30, 2016

Suggestion needed @schakrava and @phillxnet :

Over 3698af5 57e0aac 37aa19e (sorry for 3 commits, added missing files + removed and old testing __init__ file) we've created our Pincard table (autoid, user_id - onetoone to django auth users -, pin_number and pin_code - see next image)
pincard

with user_id + pin_number to be unique (example: rockstor_user-pin1, rockstor_user-pin2, etc etc, custom_user_with_web_ui_access-pinX)

Initially thought to have it like a common model-view etc etc, but that's not really required (with one click user generates pins, stored in MD5, and we won't see them except during creation for pin card image file to be saved/printed) so probably like on logs manager going to use socketio again (1 call to generate pin + response pin codes in plain text. Other possible calls: to delete pincard and generate a new one). Do you agree on not having view, template etc etc and just 2 buttons to generate/delete pin cards?

Flyer/Mirko

P.S.: while coding accidentally mixed up Rockstor code / systems migration code...that was fun xD

@maxhq

This comment has been minimized.

Show comment
Hide comment
@maxhq

maxhq May 31, 2016

Contributor

@MFlyer My late answer: I was mainly afraid of someone hijacking a Rockstor session (where the hacker doesn't know any passwords yet) and then being able to reset user passwords and thus access user data.
But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

Contributor

maxhq commented May 31, 2016

@MFlyer My late answer: I was mainly afraid of someone hijacking a Rockstor session (where the hacker doesn't know any passwords yet) and then being able to reset user passwords and thus access user data.
But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer May 31, 2016

Member

But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

Hi @maxhq , totally agree about Rockstor running like root, but that's required (otherwise you won't be able to perform root actions like editing samba conf, adding mnt vols, etc etc) and i think actually there's no different solution.
Talking about someone hijacking Rockstor: it isn't so easy, believe me, that would be a MITM (Man in The Middle) between you and Rockstor over https connection. Direct hack over rockstor web page?? Same way, not so easy to pass custom commands (if I'm right Django itself has some checks preventing sql injections / hijacking)

Member

MFlyer commented May 31, 2016

But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

Hi @maxhq , totally agree about Rockstor running like root, but that's required (otherwise you won't be able to perform root actions like editing samba conf, adding mnt vols, etc etc) and i think actually there's no different solution.
Talking about someone hijacking Rockstor: it isn't so easy, believe me, that would be a MITM (Man in The Middle) between you and Rockstor over https connection. Direct hack over rockstor web page?? Same way, not so easy to pass custom commands (if I'm right Django itself has some checks preventing sql injections / hijacking)

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 2, 2016

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer Jun 3, 2016

Member

Hi @schakrava & @phillxnet , probably I'm missing one step so going to ask for help:

  • Pincard model will be without foreign key (ok for Rockstor managed users, but not for system user root) - solved and manually handle it over UIDs

Dynamic properties/fields : I don't want to change user model, so using a dynamic/on the fly property defined inside UserListView to check if user has pincard and if user can have pins, but not able to show it on frontend.

I know you can do something like

mydata = model.objects.all()
for x in mydata:
somecondition = etc etc
if somecondition:
x.somecondition = 'etcetc'
else:
x.somecondition = 'othertext'

and then have x.somecondition available in you template, but this doesn't work over backbone collections. Any suggestion?? :)

EDIT : Don't care, I was doing without adding the serializer 😉 ...
bash-head

Thanks in advance!
Flyer

Member

MFlyer commented Jun 3, 2016

Hi @schakrava & @phillxnet , probably I'm missing one step so going to ask for help:

  • Pincard model will be without foreign key (ok for Rockstor managed users, but not for system user root) - solved and manually handle it over UIDs

Dynamic properties/fields : I don't want to change user model, so using a dynamic/on the fly property defined inside UserListView to check if user has pincard and if user can have pins, but not able to show it on frontend.

I know you can do something like

mydata = model.objects.all()
for x in mydata:
somecondition = etc etc
if somecondition:
x.somecondition = 'etcetc'
else:
x.somecondition = 'othertext'

and then have x.somecondition available in you template, but this doesn't work over backbone collections. Any suggestion?? :)

EDIT : Don't care, I was doing without adding the serializer 😉 ...
bash-head

Thanks in advance!
Flyer

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 6, 2016

#1290 - Pincard user field changed to integer because foreignkey not …
…working for system users - not stored over db

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 6, 2016

#1290 - Modified SUserSerializer with fields required by Pincard. 3-s…
…tate logic required over field pincard_allowed: no for sys users, yes whene allowed, otp when user allowed but missing mail notification for otp - ex. root user

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 6, 2016

#1290 - Added pinmanager system module - handle pincard states check,…
… pincard creation and password reset (last 2 to be implemented)

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 6, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 7, 2016

#1290 Users list updates for Pincard - Part 1 - Added if statemente f…
…or missing mail settings for root user and check for existing Pincards

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 7, 2016

#1290 Users list updates for Pincard - Part 1 - Added if statemente f…
…or missing mail settings for root user and check for existing Pincards - tabs correction

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 7, 2016

#1290 Users list updates for Pincard - Part 2 - Added first part of w…
…ebsockets for pincard creation - working. Currently not handling response for user to save pincard image/text

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jun 7, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

#1290 Pincard Manager backend - Modified user model to have has_pinca…
…rd and pincard_allowed properties - required for user creation module

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

#1290 Pincard Manager Frontend - Pincard creation full working versio…
…n. Pincard rendered with canvas + selectable text

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

#1290 Modified system pinmanager to handle both User object uid and u…
…id simple value plus added func to convert from username to uid for pass reset

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

#1290 Mods to users.js view and pinmanager.py to better handle otp re…
…quirements: if pincard already created for root user always check if email notifications are enabled

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

#1290 Mods system/pinmanager and smart_manager/data_collector - Corre…
…ctly reset users pass - missing otp checks

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

#1290 Backend adds: 3 minutes limit to password reset plus nice messa…
…ges to frontend over emits (new pass if checks are ok, infos for password reset denied)

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

MFlyer added a commit to MFlyer/rockstor-core that referenced this issue Jul 2, 2016

@MFlyer

This comment has been minimized.

Show comment
Hide comment
@MFlyer

MFlyer Jul 4, 2016

Member

Fixed and closed with #1354

Member

MFlyer commented Jul 4, 2016

Fixed and closed with #1354

@MFlyer MFlyer closed this Jul 4, 2016

@schakrava schakrava added this to the Looney Bean milestone Nov 1, 2016

@schakrava schakrava changed the title from Password recovery system - improvements and/or better docu needed to Improvements to password recovery system Nov 1, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment