www-infrastructure-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tony Stevenson <pct...@apache.org>
Subject Re: Centralised authentication/authorisation
Date Mon, 15 Dec 2008 20:02:39 GMT


Graham Leggett wrote:
> Tony Stevenson wrote:
> 
>> Exactly, at the moment users manage their shell passwords by logging 
>> in and using the timeless 'passwd' command.  :-)
> 
> Yep, for those of us that know how, all is good, but for those of us who 
> have to somehow figure out how putty works before they can do this, not 
> so good. :)

In this case, I'd be worried why they were using a shell account in the 
first place. But heck, that's just me.  :-)

> 
>> As for SVN passwords AISTR there is a web interface they can use to 
>> reset this.
>>
>> So with this in mind, we will likely support both methods by the time 
>> we are done. Though in what order/which guise is yet undecided.  A 
>> self managing system that allows users to reset their passwords is a 
>> nice idea, and if we can sort this, it may go some way to alleviating 
>> the pain nearer the times of en-masse logins (i.e. member votes)
> 
> I have a solution for this that is ready to go, all it needs is to be 
> installed. It does indeed solve much pain and annoyance for end users if 
> there is one single canonical way to manage things like passwords.
> 
>> Sorry Graham, set what up exactly?  mod_session and sso?
>> At the moment we are not looking to rollout support for SSO (and by 
>> SSO I mean the definition as it is in the "Scope & Goals" document in 
>> SVN. (SVN:Infra\trunk\projects\ldap-project)
> 
> The various apps that I have created to do the various bits and pieces 
> like change passwords, reset forgotten passwords etc are built on top of 
> mod_session. Just because these apps are built on top of mod_session 
> does not mean that we are obligated to use mod_session for anything else 
> just yet.
> 
> Of course you aren't obligated to use mod_session with the apps, but if 
> you don't, you get lame behaviour like being asked to suddenly re-log in 
> directly after changing your password.

Actually this is *exactly* the kind of behaviour I would expect. I don't 
see this as lame, at all, I see it is a standard way for 
browsers/a.n.other client to behave.

> 
>> Cool. We can always come and re-visit this as and when 
>> time/desire/requirements allow us.
> 
> I predict you will be forced to visit this sooner rather than later, but 
> obviously only when you are ready. At the very least an LDAP server is 
> required, and we don't have that yet.

I'm not sure we will be forced. Or at least I hope not. I am personally 
against SSO, as I see it is cruft, something that reduces security in 
this way makes me worry.

Prompting uers for their passwords for each service is not even on my 
radar, I don't think it is that much of an issue. They have to do it 
now, so when we introduce LDAP we won't set any expectation as to SSO 
services, i.e. they will still need to login to each service, but now 
with the same user/pass combo.  This means they can change their 
password once, and be done with it.

That's just my opinion mind you, YMMV.


Cheers,
Tony

-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------

Mime
View raw message