Message5530
More updates from mailing list
starting from:
https://sourceforge.net/p/roundup/mailman/roundup-devel/thread/20160409011634.9DA1781809%40vm71.cs.umb.edu/#msg35003091
This is private email from when I messed up and emailed Thomas
directly:
------- Forwarded Message
Date: Mon, 11 Apr 2016 16:07:16 +0200
From: Thomas Arendsen Hein <thomas at intevation.de>
Subject: Re: [Roundup-devel] Clearing tracker backlog: issue2550880 add SSHA hash for passwords
Message-ID: <20160411155845.746897666.thomas@intevation.de>
* John P. Rouillard <rouilj@cs.umb.edu> [20160411 15:16]:
> >It is a good idea, because Roundup already supports SHA, MD5 and
> >crypt
> Note that all of those are listed as deprecated, so should I add in
> SSHA as a deprecated algorithm as well?
Sounds good! Then hashes copied from an external source will be
converted to PBKDF2 on the next login.
But make sure that if schema.py specifies a certain hash algorithm,
this algorithm must be the target format for updated hashes, even if
they are deprecated.
> >and if people can't use PBKDF2, but can use SSHA or SHA in
> >their existing environment, they might be forced to fall back to
> >SHA, or worse: storing the password in plaintext and hashing it
> >separately for each service.
> >
> >> is a good idea? The rationale to support a password that is used by
> >> ldap and other authentication providers seems reasonable, but is that
> >> something we want to allow/promote?
> >
> >It is not just Roundup -> OpenLDAP, but OpenLDAP -> Roundup could
> >then be easily done, too.
> I claim that people already using LDAP or AD should be querying those
> services using the recipes on the wiki for getting authentication
> from LDAP/AD.
That should be the case, but often enough isn't, sometimes even with
a good reason, e.g. availability, performance or security reasons.
> Alternatively they can off-load authentication to a web server like
> Apache and use the REMOTE_USER variable to determine who is logging
> in. (Note using the REMOTE_USER variable may require that the user be
> pre-created. I don't think there is a mechanism for creating a user
> on the fly like there is with the LDAP/AD integrations.)
> Where there is an external source of authority, I claim it should be
> consulted for authentication and roundup should not be using a locally
> cached password.
In an ideal world: Most of the time.
In the real world: Would be nice, but ... :)
Gruesse,
Thomas
[...]
------- End of Forwarded Message

Date | User | Action | Args
2016-04-11 23:49:17 | rouilj | set | recipients: + rouilj, ThomasAH, antmail
2016-04-11 23:49:17 | rouilj | link | issue2550880 messages
2016-04-11 23:49:16 | rouilj | create |
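The migration policy Thomas describes above (accept a legacy SSHA/SHA hash once, then re-hash to the scheme the tracker is configured for, which may itself be a deprecated scheme if schema.py says so) is easy to get subtly wrong. The following is an added illustration and not Roundup's own code: it assumes the OpenLDAP convention for `{SSHA}` (base64 of sha1(password + salt) followed by the salt), a made-up `{PBKDF2}rounds$salt$digest` layout, and a `target_scheme` argument standing in for whatever schema.py would configure. Only SSHA, SHA and PBKDF2 are implemented; MD5 and crypt from the thread are left out.

```python
import base64
import hashlib
import hmac
import os

# Added example, not Roundup code. Hash layouts below are assumptions chosen
# for illustration: {SSHA} follows the OpenLDAP convention, {PBKDF2} is a
# made-up "rounds$salt$digest" layout, both base64-encoded.

DEPRECATED_SCHEMES = {"SSHA", "SHA"}   # legacy formats we still verify
DEFAULT_SCHEME = "PBKDF2"              # what a fresh install should write


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Legacy only."""
    return "{SHA}" + base64.b64encode(
        hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Salted {SSHA} in the OpenLDAP layout: base64(sha1(pw + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pbkdf2_hash(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """{PBKDF2}rounds$salt$digest with PBKDF2-HMAC-SHA256 (assumed layout)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "{PBKDF2}%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


# Scheme name -> function that produces a fresh hash of that scheme.
HASHERS = {"SHA": sha_hash, "SSHA": ssha_hash, "PBKDF2": pbkdf2_hash}


def split_scheme(stored: str):
    """'{SCHEME}body' -> ('SCHEME', 'body'); rejects anything else."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value has no {SCHEME} prefix")
    scheme, body = stored[1:].split("}", 1)
    return scheme, body


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison against whichever scheme the value uses."""
    scheme, body = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(body), hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]          # sha1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme == "PBKDF2":
        rounds, salt_b64, dk_b64 = body.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", pw, base64.b64decode(salt_b64), int(rounds))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    raise ValueError("unsupported scheme %r" % scheme)


def login(stored: str, password: str, target_scheme: str = DEFAULT_SCHEME):
    """Check the password; on success return the value that should now be
    stored. The stored hash is rewritten whenever its scheme differs from
    target_scheme, so a copied-in {SSHA} becomes {PBKDF2} on first login,
    while a configured (even deprecated) target scheme is always honoured.
    Returns (ok, stored_value)."""
    if target_scheme not in HASHERS:
        raise ValueError("unknown target scheme %r" % target_scheme)
    if not verify(stored, password):
        return False, stored                       # never touch the hash on failure
    scheme, _ = split_scheme(stored)
    if scheme == target_scheme:
        return True, stored
    return True, HASHERS[target_scheme](password)  # re-hash with the known-good password


if __name__ == "__main__":
    legacy = ssha_hash("correct horse", b"saltsalt")   # constructed, as if copied from LDAP
    ok, upgraded = login(legacy, "correct horse")
    print(ok, legacy, "->", upgraded)
```

The two properties worth checking are that a failed login never rewrites the stored hash, and that the rewrite target is driven by configuration rather than hard-coded to PBKDF2, which is the point Thomas makes about schema.py.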