Closed MFlyer closed 8 years ago
Hi @schakrava, if you agree and nobody is against it, I'd like to get assignee for this: log reader/downloader is proceding and i'd like to work on this too (thinking about a "quiz like" system for direct password recovery) - think about it like a debt i feel to Vinima :blush:
Starting tests on password recovery system (both for rockstor admin and root):
First important note: since login page all is running with UID 0, so we are root also before auth on Rockstor (this let us handle password recovery/mods)
Hi all developers ( @schakrava , @phillxnet and @priyaganti ) and users, actually I'd like to have your opinions to decide how to go on with the password recovery system.
We assume our recovery system (rockstor admin and root user) must be at the same time easy to use and secure, so I've thought to different possible solutions:
Waiting for your opinions :blush:
@MFlyer I think: Opt 1 is too prone to error and will just be skipped. Opt 2 My favourite as it is essentially a recovery password with will never be re-entered in full. Opt 3 akin to 1 and that isn't too complicated. Opt 4 mixed may involve additional complexity. So I guess a system recovery password in addition to the root and user pass on first login; with special attention paid to user hint at stashing root and recovery passwords. This way we have at least on other password to fall back on.
@MFlyer Good idea and I agree with @phillxnet concerning the preferred solution. My only worries are about the technical side: if not all digits/letters are entered, how can a hashed password be verified? The OTP password could be difficult if a user did not set up email properly (small home installations).
Hi @maxhq this is how i think it could work:
Pin card creation
Web ui user password reset
Root password reset
Here is a running pin card generator (backend only, just some rows and we've got a 16 pin of 3 chars eachone :smile: )
@MFlyer So you mean the user will have to enter all PIN card values right?
So you mean the user will have to enter all PIN card values right?
No @maxhq , you'll have 16 pin codes and on password reset for example system will ask you for pin 2, 6, 11 and 15 or others. It acts exactly like some home banking system
@MFlyer OK I see. I'll try to explain my security concerns / scenario:
To prevent this, the PIN code should be stored hashed/encrypted, this means to hash each PIN part individually to be able to request only a few of them from the user. But the hash of a short (e.g. 4 letter) string could IMHO be broken in a short time so the hash would not add much protection.
Am I too paranoid?
This is getting interesting :smile:
@maxhq you're not paranoid and this is how I'm going to code, after looking to my partner home banking pin card too:
So we don't care about MD5 pins cracking? No, I care, but I'm not afraid about that: Rockstor postgresql dbs are accessible only from localhost and if you want to connect to a Rockstor db from another machine you have to append connection over an ssh tunnel, so that means you already know root password -> if you already know root password you don't need to crack pins to reset root password :wink:
Finally, if you don't know current root password you can't access dbs tables and pins data (thinking about this we should also leave them in plain text, but anyway we'll have them encrypted!)
Hi all, coding session starting asap, again in the middle of a migration between 3 systems for my work till end of may :scream:
Suggestion needed @schakrava and @phillxnet :
Over 3698af5 57e0aac 37aa19e (sorry for 3 commits, added missing files + removed and old testing __init__
file) we've created our Pincard table (autoid, user_id - onetoone to django auth users -, pin_number and pin_code - see next image)
with user_id + pin_number to be unique (example: rockstor_user-pin1, rockstor_user-pin2, etc etc, custom_user_with_web_ui_access-pinX)
Initially thought to have it like a common model-view etc etc, but that's not really required (with one click user generates pins, stored in MD5, and we won't see them except during creation for pin card image file to be saved/printed) so probably like on logs manager going to use socketio again (1 call to generate pin + response pin codes in plain text. Other possible calls: to delete pincard and generate a new one). Do you agree on not having view, template etc etc and just 2 buttons to generate/delete pin cards?
Flyer/Mirko
P.S.: while coding accidentally mixed up Rockstor code / systems migration code...that was fun xD
@MFlyer My late answer: I was mainly afraid of someone hijacking a Rockstor session (where the hacker doesn't know any passwords yet) and then being able to reset user passwords and thus access user data. But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...
But if I got you right then Rockstor backend runs as root, which I think is a bigger security problem (it means that a hacker could in theory use a web app to completely hack a system, given that (s)he finds enough bugs in the Rockstor code). So if security shall be improved I guess there are other points to look at first...
Hi @maxhq , totally agree about Rockstor running like root, but that's required (otherwise you won't be able to perform root actions like editing samba conf, adding mnt vols, etc etc) and i think actually there's no different solution. Talking about someone hijacking Rockstor: it isn't so easy, believe me, that would be a MITM (Man in The Middle) between you and Rockstor over https connection. Direct hack over rockstor web page?? Same way, not so easy to pass custom commands (if I'm right Django itself has some checks preventing sql injections / hijacking)
Hi @schakrava & @phillxnet , probably I'm missing one step so going to ask for help:
Dynamic properties/fields : I don't want to change user model, so using a dynamic/on the fly property defined inside UserListView to check if user has pincard and if user can have pins, but not able to show it on frontend.
I know you can do something like
mydata = model.objects.all()
for x in mydata:
somecondition = etc etc
if somecondition:
x.somecondition = 'etcetc'
else:
x.somecondition = 'othertext'
and then have x.somecondition
available in you template, but this doesn't work over backbone collections. Any suggestion?? :)
EDIT : Don't care, I was doing without adding the serializer :wink: ...
Thanks in advance! Flyer
Hi @schakrava / @phillxnet need some help over login page/pins check:
Found under storageadmin views home.py that actually renders login.html page and home On router.js found login view but I think this isn't in use
Under static views got home.js that is backbone part for home and login.js that isn't for login page so (old login page)...what to do??? Going to handle password reset with pins via gevent.socketio, but login page seems missing backbone view, am i right??
Possible solutions (request for suggestions): work over home.py adding needed dependencies for emitting over sockets (don't like it, sounds to me like messing around) simply add required js in login.html page in already existing script tag add a new route to login page working on LoginView from views/login.js that seems unused
Flyer
EDIT - 4 pm ITA local time :
added <script src="/static/js/lib/socket.io.min.js"></script>
inside login.html, now able to use socket.io to Rockstor like this, so i could code directly inside script tag without adding views / mods to current structure - do you agree on that @schakrava ?? This actually seems the best solution
<script>
var pincardManager = io.connect('/pincardmanager', {
'secure': true,
'force new connection': true
});
$('#forgot-pw-info').overlay({load: false});
$('#forgot-pw').click(function () {
$('#forgot-pw-info').overlay().load();
});
$('#pincard-reset-form').overlay({load: false});
$('#pincard-reset').click(function () {
$('#forgot-pw-info').overlay().close();
$('#pincard-reset-form').overlay().load();
});
</script>
Update: nicely working inside login.html script tag without problem and/or structure rebuild
Flyer
Hi @schakrava @phillxnet, got a working pass reset system on 9967324 , for a rockstor user, a managed user (no webui access) and...root user too :grin: ( proxmox VM snapshot before tests on root user eheh )
Finally all frontend code is inside login.html (added ref to socket.io lib and all was fine!) and actually missing only OTP part for root user and code beautifying (hope to do that this week)
Flyer/Mirko
Note: Pls don't care about today commits, just testing branch rebasing (needed if current PR after latest @phillxnet PR) over a cloned branch
Flyer
Fixed and closed with #1354
As suggestend in the issue subject, referencing this forum thread too, probably we could improve password recovery system