Design: Hash saved password?

[benloh]

[This is really related to nc-multiplex but adding it here so design discussions are mostly in one place.]

In preparation for server-specific tokens, Sri raised an issue that we should discuss @jdanish @kalanicraig.

The current approach of using the SESAME file leaves the password sitting on a server in plain text.

We could easily hash it programmatically. But this would mean either:

a) asking the user to hash it themselves with a terminal utility -- or -- b) adding a password-setting form to the manager page.

With the form, the user would type in their new password, hit "Submit" and the system would hash and save the password in the SESAME (or some other) file.

Pros

• Better security, no plain text passwords on the system.
• You don't need to FTP in to set the password.

Cons

• You need to remember your password, no more peeking to look it up.
• It's a little too easy to change the password -- anyone with access to the manager page can do it. Granted we can make them enter the old password again first. But it doesn't deter people from changing the password without realizing the consequences...
• ...If you change the password, you have to change ALL the tokens that have been generated and hand them all out again. This strikes me as a deal-breaker. If you forget your password and have to reset it, you'll have to reset all the tokens. If you have a lot of users in a lot of different groups, this can be a royal pain.

So right now I'm inclined to leave it as-is with the SESAME approach. Any thoughts?

[jdanish]

My vote would be to use the hashed sesame approach. Seeing as currently, you have to have one person able to use the terminal anyhow, using it to run one more thing seems pretty straightforward and does increase our security nicely. Let's get @kalanicraig to vote before moving forward, though.

[kalanicraig]

I’m with Joshua, provided the consequences for forgetting and changing are clearly spelled out near the pwd set thing.

On Thu, Aug 6, 2020 at 4:40 PM Joshua Danish notifications@github.com wrote:

My vote would be to use the hashed sesame approach. Seeing as currently, you have to have one person able to use the terminal anyhow, using it to run one more thing seems pretty straightforward and does increase our security nicely. Let's get @kalanicraig https://github.com/kalanicraig to vote before moving forward, though.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/netcreateorg/netcreate-2018/issues/104#issuecomment-670181207, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACKL4NEL3P53B47CRCQ6CQTR7MINDANCNFSM4PW4F5XA .

[jdanish]

If I am not misunderstanding, this would just be in the README as you'd go create the password at the terminal. SO, if you forget your password you can go create a new one and drop it into SESAME again. And then use that. So you still need FTP access, etc.

[benloh]

Just to make sure we're on the same page, I believe Joshua is voting for: "a) asking the user to hash it themselves with a terminal utility".

This means we're essentially not changing anything about the workflow other than how you initially generate the password. e.g. instead of uploading a SESAME file, you would use a terminal command to generate the password, something like this:

printf "kpop" | shasum > SESAME

Though there might be issues with having to install the right hash command on some computers, and it may vary across computers.

[kalanicraig]

Hah! I misunderstood what Joshua was saying.

This is also fine, tho I wonder if there’s an web-based utility that might help generate the hash without giving away too much of the security. Most of our folks will be adequate command line users, but it’s nice to have a backup option too.

On Thu, Aug 6, 2020 at 6:11 PM benloh notifications@github.com wrote:

Just to make sure we're on the same page, I believe Joshua is voting for: "a) asking the user to hash it themselves with a terminal utility".

This means we're essentially not changing anything about the workflow other than how you initially generate the password. e.g. instead of uploading a SESAME file, you would use a terminal command to generate the password, something like this:

printf "kpop" | shasum > SESAME

Though there might be issues with having to install the right hash command on some computers, and it may vary across computers.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/netcreateorg/netcreate-2018/issues/104#issuecomment-670216674, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACKL4NCVMNA6RSX7ITVYRATR7MTALANCNFSM4PW4F5XA .

[benloh]

It's easy enough to make the form and create the hash.  My concern was more that it presents a use model that encourages changing the password. So my "Pros" and "Cons" were meant to apply to the form model. Sorry 'bout the confusion.

[jdanish]

Sorry for the confusion: we have consensus to use the command line approach (number 1).Thanks!

[benloh]

This feature is not yet implemented as of Version 1.3.0