rockstor / rockstor-core

Linux/BTRFS based Network Attached Storage(NAS)
http://rockstor.com/docs/contribute_section.html
GNU General Public License v3.0
557 stars 138 forks source link

Improvements to password recovery system #1290

Closed MFlyer closed 8 years ago

MFlyer commented 8 years ago

As suggestend in the issue subject, referencing this forum thread too, probably we could improve password recovery system

MFlyer commented 8 years ago

Hi @schakrava, if you agree and nobody is against it, I'd like to get assignee for this: log reader/downloader is proceding and i'd like to work on this too (thinking about a "quiz like" system for direct password recovery) - think about it like a debt i feel to Vinima :blush:

MFlyer commented 8 years ago

Starting tests on password recovery system (both for rockstor admin and root):

First important note: since login page all is running with UID 0, so we are root also before auth on Rockstor (this let us handle password recovery/mods)

MFlyer commented 8 years ago

Hi all developers ( @schakrava , @phillxnet and @priyaganti ) and users, actually I'd like to have your opinions to decide how to go on with the password recovery system.

We assume our recovery system (rockstor admin and root user) must be at the same time easy to use and secure, so I've thought to different possible solutions:

Waiting for your opinions :blush:

phillxnet commented 8 years ago

@MFlyer I think: Opt 1 is too prone to error and will just be skipped. Opt 2 My favourite as it is essentially a recovery password with will never be re-entered in full. Opt 3 akin to 1 and that isn't too complicated. Opt 4 mixed may involve additional complexity. So I guess a system recovery password in addition to the root and user pass on first login; with special attention paid to user hint at stashing root and recovery passwords. This way we have at least on other password to fall back on.

maxhq commented 8 years ago

@MFlyer Good idea and I agree with @phillxnet concerning the preferred solution. My only worries are about the technical side: if not all digits/letters are entered, how can a hashed password be verified? The OTP password could be difficult if a user did not set up email properly (small home installations).

MFlyer commented 8 years ago

Hi @maxhq this is how i think it could work:

Pin card creation

Web ui user password reset

Root password reset

MFlyer commented 8 years ago

Here is a running pin card generator (backend only, just some rows and we've got a 16 pin of 3 chars eachone :smile: )

http://pythonfiddle.com/pin-card-generator-example

maxhq commented 8 years ago

@MFlyer So you mean the user will have to enter all PIN card values right?

MFlyer commented 8 years ago

So you mean the user will have to enter all PIN card values right?

No @maxhq , you'll have 16 pin codes and on password reset for example system will ask you for pin 2, 6, 11 and 15 or others. It acts exactly like some home banking system

maxhq commented 8 years ago

@MFlyer OK I see. I'll try to explain my security concerns / scenario:

  1. someone manages to hack into a user account/session and is able to at least read the DB
  2. hacker reads the plain text PIN from DB and resets the password via web UI
  3. hacker accesses the filesystem with the new password

To prevent this, the PIN code should be stored hashed/encrypted, this means to hash each PIN part individually to be able to request only a few of them from the user. But the hash of a short (e.g. 4 letter) string could IMHO be broken in a short time so the hash would not add much protection.

Am I too paranoid?

MFlyer commented 8 years ago

This is getting interesting :smile:

@maxhq you're not paranoid and this is how I'm going to code, after looking to my partner home banking pin card too:

So we don't care about MD5 pins cracking? No, I care, but I'm not afraid about that: Rockstor postgresql dbs are accessible only from localhost and if you want to connect to a Rockstor db from another machine you have to append connection over an ssh tunnel, so that means you already know root password -> if you already know root password you don't need to crack pins to reset root password :wink:

Finally, if you don't know current root password you can't access dbs tables and pins data (thinking about this we should also leave them in plain text, but anyway we'll have them encrypted!)

MFlyer commented 8 years ago

Hi all, coding session starting asap, again in the middle of a migration between 3 systems for my work till end of may :scream:

MFlyer commented 8 years ago

Suggestion needed @schakrava and @phillxnet :

Over 3698af5 57e0aac 37aa19e (sorry for 3 commits, added missing files + removed and old testing __init__ file) we've created our Pincard table (autoid, user_id - onetoone to django auth users -, pin_number and pin_code - see next image) pincard

with user_id + pin_number to be unique (example: rockstor_user-pin1, rockstor_user-pin2, etc etc, custom_user_with_web_ui_access-pinX)

Initially thought to have it like a common model-view etc etc, but that's not really required (with one click user generates pins, stored in MD5, and we won't see them except during creation for pin card image file to be saved/printed) so probably like on logs manager going to use socketio again (1 call to generate pin + response pin codes in plain text. Other possible calls: to delete pincard and generate a new one). Do you agree on not having view, template etc etc and just 2 buttons to generate/delete pin cards?

Flyer/Mirko

P.S.: while coding accidentally mixed up Rockstor code / systems migration code...that was fun xD

maxhq commented 8 years ago

@MFlyer My late answer: I was mainly afraid of someone hijacking a Rockstor session (where the hacker doesn't know any passwords yet) and then being able to reset user passwords and thus access user data. But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

MFlyer commented 8 years ago

But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...

Hi @maxhq , totally agree about Rockstor running like root, but that's required (otherwise you won't be able to perform root actions like editing samba conf, adding mnt vols, etc etc) and i think actually there's no different solution. Talking about someone hijacking Rockstor: it isn't so easy, believe me, that would be a MITM (Man in The Middle) between you and Rockstor over https connection. Direct hack over rockstor web page?? Same way, not so easy to pass custom commands (if I'm right Django itself has some checks preventing sql injections / hijacking)

MFlyer commented 8 years ago

Hi @schakrava & @phillxnet , probably I'm missing one step so going to ask for help:

Dynamic properties/fields : I don't want to change user model, so using a dynamic/on the fly property defined inside UserListView to check if user has pincard and if user can have pins, but not able to show it on frontend.

I know you can do something like

mydata = model.objects.all()
for x in mydata:
somecondition = etc etc
if somecondition:
x.somecondition = 'etcetc'
else:
x.somecondition = 'othertext'

and then have x.somecondition available in you template, but this doesn't work over backbone collections. Any suggestion?? :)

EDIT : Don't care, I was doing without adding the serializer :wink: ... bash-head

Thanks in advance! Flyer

MFlyer commented 8 years ago

Hi @schakrava / @phillxnet need some help over login page/pins check:

Found under storageadmin views home.py that actually renders login.html page and home On router.js found login view but I think this isn't in use

Under static views got home.js that is backbone part for home and login.js that isn't for login page so (old login page)...what to do??? Going to handle password reset with pins via gevent.socketio, but login page seems missing backbone view, am i right??

Possible solutions (request for suggestions): work over home.py adding needed dependencies for emitting over sockets (don't like it, sounds to me like messing around) simply add required js in login.html page in already existing script tag add a new route to login page working on LoginView from views/login.js that seems unused

Flyer

EDIT - 4 pm ITA local time : added <script src="/static/js/lib/socket.io.min.js"></script> inside login.html, now able to use socket.io to Rockstor like this, so i could code directly inside script tag without adding views / mods to current structure - do you agree on that @schakrava ?? This actually seems the best solution

<script>
    var pincardManager = io.connect('/pincardmanager', {
                'secure': true,
                'force new connection': true
            });
    $('#forgot-pw-info').overlay({load: false});
    $('#forgot-pw').click(function () {
        $('#forgot-pw-info').overlay().load();
    });

    $('#pincard-reset-form').overlay({load: false});
    $('#pincard-reset').click(function () {
        $('#forgot-pw-info').overlay().close();
        $('#pincard-reset-form').overlay().load();
    });
</script>
MFlyer commented 8 years ago

Update: nicely working inside login.html script tag without problem and/or structure rebuild

Flyer

MFlyer commented 8 years ago

Hi @schakrava @phillxnet, got a working pass reset system on 9967324 , for a rockstor user, a managed user (no webui access) and...root user too :grin: ( proxmox VM snapshot before tests on root user eheh )

Finally all frontend code is inside login.html (added ref to socket.io lib and all was fine!) and actually missing only OTP part for root user and code beautifying (hope to do that this week)

Flyer/Mirko

MFlyer commented 8 years ago

Note: Pls don't care about today commits, just testing branch rebasing (needed if current PR after latest @phillxnet PR) over a cloned branch

Flyer

MFlyer commented 8 years ago

Fixed and closed with #1354