
How to require stronger passwords for Roundup (1.5.1)


How to require stronger passwords for Roundup (1.5.1)

Hancock, David (dhancock)
Our Roundup users are currently logging in twice to get to the tracker: once to an internal “wrapper” system with reasonable requirements for password complexity, then a second time to Roundup itself. I’d like to remove the wrapper requirement; it’s confusing to users. But to do so I need to ensure a minimum level of complexity for passwords. (Nothing too sophisticated, minimum length of 10, at least one number or special character required.)

Has anyone else undertaken such a modification? It seems like I’d need to make an addition to roundup/password.py but I don’t want to do that without a LITTLE guidance. Any implementation ideas?

Cheers!
--
David Hancock | [hidden email]




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users

Re: How to require stronger passwords for Roundup (1.5.1)

Georg Lehner
On 27/01/17 15:21, Hancock, David (DHANCOCK) wrote:
> Our Roundup users are currently logging in twice to get to the tracker: once to an internal “wrapper” system with reasonable requirements for password complexity, then a second time to Roundup itself. I’d like to remove the wrapper requirement; it’s confusing to users. But to do so I need to ensure a minimum level of complexity for passwords. (Nothing too sophisticated, minimum length of 10, at least one number or special character required.)
>
...

Have you thought about doing it the other way 'round?

If the wrapper system forwards HTTP Basic Authentication Tokens, Roundup
can use them directly for login.


Regards,

   Georg Lehner

> Has anyone else undertaken such a modification? It seems like I’d need to make an addition to roundup/password.py but I don’t want to do that  without a LITTLE guidance. Any implementation ideas?
>
> Cheers!
> --
> David Hancock | [hidden email]



Re: How to require stronger passwords for Roundup (1.5.1)

Georg Lehner
In reply to this post by Hancock, David (dhancock)
On 27/01/17 15:21, Hancock, David (DHANCOCK) wrote:
> Our Roundup users are currently logging in twice to get to the tracker: once to an internal “wrapper” system with reasonable requirements for password complexity, then a second time to Roundup itself. I’d like to remove the wrapper requirement; it’s confusing to users. But to do so I need to ensure a minimum level of complexity for passwords. (Nothing too sophisticated, minimum length of 10, at least one number or special character required.)
>
> Has anyone else undertaken such a modification? It seems like I’d need to make an addition to roundup/password.py but I don’t want to do that  without a LITTLE guidance. Any implementation ideas?
>

For this part: maybe writing a reactor which checks the password
property is sufficient:

   http://www.roundup-tracker.org/docs/customizing.html#auditor-or-reactor

Regards,

   Georg

> Cheers!
> --
> David Hancock | [hidden email]



Re: How to require stronger passwords for Roundup (1.5.1)

John P. Rouillard
In reply to this post by Georg Lehner
Hi all:

In message <[hidden email]>,
Georg Lehner writes:

>On 27/01/17 15:21, Hancock, David (DHANCOCK) wrote:
>> Our Roundup users are currently logging in twice to get to the
>> tracker: once to an internal “wrapper” system with reasonable
>> requirements for password complexity, then a second time to Roundup
>> itself. I’d like to remove the wrapper requirement; it’s confusing
>> to users. But to do so I need to ensure a minimum level of
>> complexity for passwords. (Nothing too sophisticated, minimum
>> length of 10, at least one number or special character required.)
>...
>
>Have you thought about doing it the other way 'round?
>
>If the wrapper system forwards HTTP Basic Authentication Tokens, Roundup
>can use them directly for login.
Also you can make roundup respect the REMOTE_USER variable so you
authenticate on the wrapper server, then have the wrapper server pass
the REMOTE_USER header or variable. The advantage of this is that you
don't have to have the passwords in the roundup db.

The config.ini help text is:

# Whether to use HTTP Basic Authentication, if present.
# Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION
# variables supplied by your web server (in that order).
# Set this option to 'no' if you do not wish to use HTTP Basic
# Authentication in your web interface.
# Allowed values: yes, no
# Default: yes
http_auth = yes

You can use passwords from LDAP, an SSO provider or anything else
that Apache or your web server supports.

This may also be of interest:

  https://sourceforge.net/p/roundup/mailman/message/12294527/

as may this:

  http://www.roundup-tracker.org/cgi-bin/moin.cgi/LDAPLogin2_1_5_1

Also to follow up on the user auditor that Georg suggested, you can
look at the default userauditor.py that ships with the classic
template (and that you probably have in your tracker already).

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.



Re: How to require stronger passwords for Roundup (1.5.1)

Trent W. Buck
In reply to this post by Georg Lehner
Georg Lehner <[hidden email]> writes:

> On 27/01/17 15:21, Hancock, David (DHANCOCK) wrote:
>> Our Roundup users are currently logging in twice to get to the
>> tracker: once to an internal “wrapper” system with reasonable
>> requirements for password complexity, then a second time to Roundup
>> itself. I’d like to remove the wrapper requirement; it’s confusing
>> to users. But to do so I need to ensure a minimum level of
>> complexity for passwords. (Nothing too sophisticated, minimum length
>> of 10, at least one number or special character required.)
>>
> ...
>
> Have you thought about doing it the other way 'round?
>
> If the wrapper system forwards HTTP Basic Authentication Tokens,
> Roundup can use them directly for login.

This is what I do for other web services
(I'm not using roundup in production yet).

If you do this, strongly recommend something like (from apache2)

    AuthBasicFake "%{REMOTE_USER}" "<pre-shared key between apache and roundup>"

Since roundup is just trusting REMOTE_USER,
it doesn't need the user's real password,
and this means a compromised roundup can't see it.



Re: How to require stronger passwords for Roundup (1.5.1)

Hancock, David (dhancock)
In reply to this post by Hancock, David (dhancock)
Thank you for the ideas on this thread. The idea of writing an auditor/reactor to check the passwords was the most appealing initially, but I ran into a problem. By the time userauditor gets to see the password from newvalues['password'] it's already been hashed:

{PBKDF2}10000$GeodPG9LmZAwMCRrv79u7oVTHyg$ZYZaios16Kiq4wYB4zHHV1Lo00Q

So my string-based check for minimum length, letters, numbers, punctuation would pass for ANY password once it's hashed.

Is there something I'm missing here? The userauditor.py approach fits my (small) brain.

The other ideas were about connecting other authentication systems instead of using Roundup's, but we're trying to eliminate dependency on another system, and we've got everybody's information in Roundup already.

Cheers!
--
David Hancock | [hidden email]






Re: How to require stronger passwords for Roundup (1.5.1)

Georg Lehner
On 31/01/17 12:58, Hancock, David (DHANCOCK) wrote:
> Thank you the ideas on this thread. The idea of writing an
> auditor/reactor to check the passwords was the most appealing
> initially, but I ran into a problem. By the time userauditor gets to
> see the password from newvalues['password'] it's already been
> hashed:
>
> {PBKDF2}10000$GeodPG9LmZAwMCRrv79u7oVTHyg$ZYZaios16Kiq4wYB4zHHV1Lo00Q
>
> So my string-based check for minimum length, letters, numbers, punctuation
> would pass for ANY password once it's hashed.
>
> Is there something I'm missing here? The userauditor.py approach fits
> my (small) brain.
>
...
> --
> David Hancock | [hidden email]

You are not missing anything, I did, when I suggested the auditor
approach, namely that they get called when the input is already processed.

In fact the standard templates implement a simple form of input
validation *before* submitting the form via the JavaScript function
checkRequiredFields(), which can be found in html/help_controls.js.

You could replace this function (in the right place/action) with one
that checks the password strength too.

Some Google hits on 'JavaScript password strength validation', selected
for not pulling in big JavaScript libraries:

http://stackoverflow.com/questions/948172/password-strength-meter
https://martech.zone/javascript-password-strength/

Best Regards,

   Georg Lehner



Re: How to require stronger passwords for Roundup (1.5.1)

John P. Rouillard
In reply to this post by Hancock, David (dhancock)
In message <[hidden email]>,
"Hancock, David (DHANCOCK)" writes:

>Thank you the ideas on this thread. The idea of writing an
>auditor/reactor to check the passwords was the most appealing
>initially, but I ran into a problem. By the time userauditor gets to
>see the password from newvalues['password'] it's already been hashed:
>
>{PBKDF2}10000$GeodPG9LmZAwMCRrv79u7oVTHyg$ZYZaios16Kiq4wYB4zHHV1Lo00Q

Crud, I was worried that may be the case. That makes sense since you
are seeing the data that would be committed to the db. Hence hashed.

>Is there something I'm missing here? The userauditor.py approach fits
>my (small) brain.

No, I don't think you are missing anything. I am wondering if it's
possible to provide the unhashed password to the auditor somehow.

>The other ideas were about connecting other authentication systems
>instead of using Roundup's, but we're trying to eliminate dependency
>on another system, and we've got everybody's information in Roundup
>already.

Fair enough.

I'll try to trace the code and see what can be done. I have a feeling
I may need to add a hook before the auditor code is invoked.

I am also going to raise this on roundup-dev since it seems we have
to do some core code changes.

Another (less secure) way to skin this cat would be to add some
javascript to the password setting page and validate it client
side. YMMV, not recommended that you try this at home, server side
validation rules etc. etc....

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.


Re: How to require stronger passwords for Roundup (1.5.1)

Georg Lehner
On 31/01/17 16:30, John P. Rouillard wrote:
> In message <[hidden email]>,
> "Hancock, David (DHANCOCK)" writes:
>
...
>
> No, I don't think you are missing anything. I am wonding if it's
> possible to provide the unhashed password to the auditor somehow.
>
..
>
> I'll try to trace the code and see what can be done. I have a feeling
> I may need to add a hook before the auditor code is invoked.
>
> I am also going to raise this on roundup-dev since it seems we have
> to do some core code changes.

Wouldn't it be enough to inherit from the RegisterAction class, similar
to the customization example of LDAPLogin? where the LoginAction is
inherited and the new subclass is registered as 'login'.

http://www.roundup-tracker.org/cgi-bin/moin.cgi/LDAPLogin2

The password check would be far easier to implement than the LDAP
authentication.

>
> Another (less secure) way to skin this cat would be to add some
> javascript to the password setting page and validate it client
> side. YMMV, not recommended that you try this at home, server side
> validation rules etc. etc....
>

Mhm... how would an attack be crafted on the assumption that you can
inject an insecure password into the PBKDF2 encryption of roundup?

Anyways, server side validation would require a two step process (if not
deriving the Login class).

1. The template where a new user is created () is changed to call a
    "verifyLogin" action first, which might use the same or a different
    template.

2. The verifyLogin action checks the password (still in the clear) and
    eventually other data (username already exists, duplicate Email, ...)
    and
    - either proceeds to the normal roundup 'register' action or

    - sets self.client._error_message which makes the error message
      inside this nice red textbox appear on top of the page.

The setup of such a process, including a link to a step by step example
is documented in:

http://roundup-tracker.org/docs/customizing.html#defining-new-web-actions


Best Regards,

   Georg Lehner
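As an added example in Python (not code from the thread or from Roundup itself), this puts the policy from the first post next to the two places discussed: an auditor, which only ever sees the stored {PBKDF2}... value and therefore cannot enforce the policy, and a check of the raw submitted form before hashing, as in the verifyLogin step above. The dict-shaped form, the confirmation field name '@confirm@password' and all function names are assumptions.

```python
import re
import string

# Policy from the thread's first post: at least 10 characters and at least
# one number or special (non-alphanumeric) character.
MIN_LENGTH = 10

# The value quoted in the thread as what userauditor sees in newvalues['password'].
STORED_EXAMPLE = "{PBKDF2}10000$GeodPG9LmZAwMCRrv79u7oVTHyg$ZYZaios16Kiq4wYB4zHHV1Lo00Q"
STORED_FORM = re.compile(r"^\{[A-Za-z0-9-]+\}")  # Roundup's "{scheme}..." prefix


def password_policy_errors(password):
    """Policy violations for a clear-text password ([] means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("password must be at least %d characters" % MIN_LENGTH)
    if not any(c.isdigit() or c in string.punctuation for c in password):
        errors.append("password must contain a number or special character")
    return errors


def is_stored_form(value):
    """True if the value is already Roundup's hashed "{scheme}..." encoding."""
    return bool(STORED_FORM.match(str(value)))


def audit_password_value(newvalues):
    """The most an auditor can do: refuse to judge an already-hashed value.

    Running the string policy on the stored form would accept ANY password
    (the hash is long and contains digits), so fail closed instead.
    newvalues is assumed to be a dict like the auditor's newvalues argument.
    """
    value = newvalues.get("password")
    if value is None:
        return []
    if is_stored_form(value):
        return ["password reached the auditor already hashed; "
                "enforce the policy in the web action before hashing"]
    return password_policy_errors(str(value))


def verify_registration_form(form):
    """Server-side check of the raw form, before Roundup hashes the password.

    Models the verifyLogin step: (True, []) lets the normal register action
    proceed; (False, errors) is what would be shown as the page's error
    message. form is assumed to be a dict of field name -> submitted string.
    """
    password = form.get("password", "")
    errors = password_policy_errors(password)
    if form.get("@confirm@password", password) != password:
        errors.append("password and confirmation do not match")
    return (not errors, errors)
```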

