Roundup Tracker - Issues

Message5530

Author rouilj
Recipients ThomasAH, antmail, rouilj
Date 2016-04-11.23:49:16
Message-id <20160411234858.30C118180A@vm71.cs.umb.edu>
In-reply-to
More updates from mailing list
starting from:

https://sourceforge.net/p/roundup/mailman/roundup-devel/thread/20160409011634.9DA1781809%40vm71.cs.umb.edu/#msg35003091

This is a private email from when I messed up and emailed Thomas
directly:

------- Forwarded Message
Date: Mon, 11 Apr 2016 16:07:16 +0200
From: Thomas Arendsen Hein <thomas at intevation.de>
Subject: Re: [Roundup-devel] Clearing tracker backlog: issue2550880 add SSHA
 hash for passwords
Message-ID: <20160411155845.746897666.thomas@intevation.de>

* John P. Rouillard <rouilj@cs.umb.edu> [20160411 15:16]:
> >It is a good idea, because Roundup already supports SHA, MD5 and
> >crypt
> Note that all of those are listed as deprecated, so should I add in
> SSHA as a deprecated algorithm as well?

Sounds good! Then hashes copied from an external source will be
converted to PBKDF2 on the next login.

But make sure that if schema.py specifies a certain hash algorithm,
this algorithm must be the target format for updated hashes, even if
they are deprecated.

> >and if people can't use PBKDF2, but can use SSHA or SHA in
> >their existing environment, they might be forced to fall back to
> >SHA, or worse: storing the password in plaintext and hashing it
> >separately for each service.
> >
> >> is a good idea? The rationale to support a password that is used by
> >> ldap and other authentication providers seems reasonable, but is that
> >> something we want to allow/promote?
> >
> >It is not just Roundup -> OpenLDAP, but OpenLDAP -> Roundup could
> >then be easily done, too.
> I claim that people already using LDAP or AD should be querying those
> services using the recipes on the wiki for getting authentication
> from LDAP/AD.

That should be the case, but often enough isn't, sometimes even with
a good reason, e.g. availability, performance or security reasons.

> Alternatively they can off-load authentication to a web server like
> Apache and use the REMOTE_USER variable to determine who is logging
> in.  (Note using the REMOTE_USER variable may require that the user be
> pre-created. I don't think there is a mechanism for creating a user
> on the fly like there is with the LDAP/AD integrations.)
> Where there is an external source of authority, I claim it should be
> consulted for authentication and roundup should not be using a locally
> cached password.

In an ideal world: Most of the time.
In the real world: Would be nice, but ... :)

Gruesse,
Thomas

[...]
------- End of Forwarded Message
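Added example (not part of the message above, and not Roundup's own
password.py): a verify-and-upgrade routine of the kind the exchange
describes. It accepts the LDAP-style {SSHA} format as OpenLDAP stores it,
base64(sha1(password || salt) || salt), plus an unsalted hex {SHA} as a
second legacy scheme, checks the password against whichever scheme the
stored hash carries, and on success re-hashes it with the scheme the
schema is configured for, whatever that scheme is. The {PBKDF2} encoding
(rounds$salt$dk, base64), the 10000-round work factor and the function
names are assumptions made for this example only; the target_scheme
parameter stands in for whatever schema.py is configured with.

```python
import base64
import hashlib
import hmac
import os

# Scheme names as they appear in the "{SCHEME}" prefix of a stored hash.
# Legacy schemes are verify-only unless the schema explicitly selects one.
DEPRECATED_SCHEMES = ("SSHA", "SHA")
PBKDF2_ROUNDS = 10000      # assumed work factor for this example
PBKDF2_DIGEST = "sha1"


def split_scheme(stored):
    """'{SSHA}abc' -> ('SSHA', 'abc'); reject anything without a prefix."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored hash has no {SCHEME} prefix")
    scheme, _, body = stored[1:].partition("}")
    return scheme.upper(), body


def ssha_hash(password, salt=None):
    """LDAP-style SSHA: {SSHA} + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    """Unsalted {SHA} as hex sha1; kept only so old hashes can be verified."""
    return "{SHA}" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Assumed encoding for this example: {PBKDF2}rounds$salt_b64$dk_b64."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(PBKDF2_DIGEST, password.encode("utf-8"),
                             salt, rounds)
    return "{PBKDF2}%d$%s$%s" % (rounds,
                                 base64.b64encode(salt).decode("ascii"),
                                 base64.b64encode(dk).decode("ascii"))


def verify(password, stored):
    """Constant-time check of password against a hash in any known scheme."""
    scheme, body = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]   # sha1 digest is 20 bytes; rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).hexdigest(), body)
    if scheme == "PBKDF2":
        rounds, salt_b64, dk_b64 = body.split("$")
        salt, dk = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(PBKDF2_DIGEST, pw, salt,
                                        int(rounds), len(dk))
        return hmac.compare_digest(candidate, dk)
    raise ValueError("unsupported scheme %r" % scheme)


HASHERS = {"SSHA": ssha_hash, "SHA": sha_hash, "PBKDF2": pbkdf2_hash}


def verify_and_upgrade(password, stored, target_scheme):
    """Login-time check. On success, if the stored scheme differs from the
    configured target, return the password re-hashed with the target scheme
    (even when the target is itself a deprecated scheme, as the schema
    asked for it). Returns (ok, new_stored_or_None)."""
    if not verify(password, stored):
        return False, None
    scheme, _ = split_scheme(stored)
    target = target_scheme.upper()
    if scheme == target:
        return True, None       # already in the configured format
    return True, HASHERS[target](password)
```

On a successful login the caller stores the returned hash (if any) in
place of the old one, so an {SSHA} value copied from a directory is
replaced by the configured scheme the first time its owner logs in; a
failed login never triggers a rewrite, and a target of "SSHA" keeps the
hash in SSHA rather than silently promoting it to PBKDF2.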
History
Date                 User    Action  Args
2016-04-11 23:49:17  rouilj  set     recipients: + rouilj, ThomasAH, antmail
2016-04-11 23:49:17  rouilj  link    issue2550880 messages
2016-04-11 23:49:16  rouilj  create