On Mon, 29 Mar 2021, Kevin Fenzi wrote:
> On Sat, Mar 27, 2021 at 11:02:58PM +0100, Björn Persson wrote:
> > Kevin Fenzi wrote:
> > > I'd like us to add security query/respond pairs.
> >
> > Those can very easily weaken security, as the answers are often public
> > and easy for an attacker to look up, especially when there are only a
> > few predefined questions to choose from.
>
> I was not advocating predefined questions. :)
>
> > If I can enter my own question, then I can come up with some things
> > that only I and my family know. That requires careful and
> > security-conscious consideration. Many people would come up with
> > insecure questions.
>
> Well, I always use randomly generated words for mine.
> But I agree, some people would make poor choices there.
>
> > There's a limited supply of such personal secrets that I can be sure
> > I'll remember, so I can't do that for too many sites. It also requires
> > a not too public life. People who publish their entire lives on
> > Facebook will have trouble coming up with a question that an attacker
> > can't find the answer to.
>
> Another reason to randomly generate.
>
> > Otherwise I'll make up a nonsensical phrase to enter as the answer, and
> > store it securely. That turns the "security question" into a backup
> > passphrase. If you want people to do this, then it's better to ask them
> > to make up a passphrase.
>
> Sure, that might be better, although I still like that it's a manual
> process, i.e. they have to tell it to an admin and the admin has to make
> sure everything looks right, etc.
>
> But in the end there's lots of ways to do all this, but one good reason
> we wanted to get off running our own account system was to not have to
> deal with this so much. So, really I think we should work to improve /
> land any changes we want here in IPA itself. Then everyone can benefit
> from it, and the IPA team that has a lot more security experience than I
> can do the right thing implementing it. :)
>
> Of course IPA has focused on the corp setting and this is kind of an
> expansion of their area, so we will need to discuss things with them I
> think.

Could you please explain where you want to do it? Noggin (Fedora
Accounts app) does handle the login itself, not FreeIPA. In the context
of what Fedora contributors interact with, FreeIPA is only directly
exposed via Kerberos authentication flow.

Noggin can be modified to accept separate password and token values. In
fact, FreeIPA Web UI does have password-based login implemented in this
way -- there are separate password and token value login fields if the
user has an OTP associated.

Security query/response pairs are something that Noggin would need to
manage on top of FreeIPA as well and thus would handle login with them.
We do not have any mechanism in FreeIPA to allow you to handle this on
behalf of Noggin.

For security query/response pairs to be useful in FreeIPA context,
they'd need to be plugged into the main password change flows. There are
currently two major ones and the rest just piggy-backs on either of
them:

 - a password change via LDAP protocol
 - a password change via Kerberos protocol

Our current scheme for resetting forgotten or unknown passwords in
FreeIPA requires administrators to initiate a reset with a temporary
password, pre-set or randomly generated. Then a user changes the
password via one of the two methods above -- either directly or with the
help of one of the applications that utilize those, by specifying the
temporary password first and providing a new one afterwards.

The Kerberos password change protocol implements a single request and a
single reply message where the request is initiated by a client and the
server replies with a success or an error, after which the password is
either updated or not. The request sent by the client includes a single
user-data component (part of the generic Kerberos KRB_PRIV message as per
RFC 4120 section 5.7.1).

LDAP password change may include and return a control that could be used
to pass through some additional information in both directions with a
bit more flexibility than on the Kerberos side. It still requires that
an LDAP client implements this exchange so Noggin would need to
implement the logic for this too.

If we'd want to add security query/response pairs to allow users to
'securely' reset their passwords initiated by themselves, this would be
possible with an appropriate extension of an LDAP control and changes to
FreeIPA Web UI and Noggin to support that. The bigger problem is to find
a way to securely store these pairs encrypted per user. Right now the
only per-user secret we have is something generated with the help of the
user's password, but since this is all about being able to reset that
password without knowing its content, we need a somewhat different
method that would still be secure against others. In FreeIPA nobody,
including administrators, is able to discover the user's password from
its hashed form.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
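The storage problem raised at the end of the message (verifying a recovery answer without keeping it in recoverable form, and without tying it to the very password that is being reset), together with the earlier point about random-word answers being a backup passphrase, as an added illustration in Python. This is not code from the thread, from Noggin or from FreeIPA; it is a stand-alone sketch of what an application sitting in front of FreeIPA could keep per user. The wordlist, the scrypt cost parameters and the five-attempt lockout are assumed values chosen for the example.

```python
import hashlib
import hmac
import math
import os
import re
import secrets
import unicodedata

# Constructed sample wordlist for the demo; a real deployment would use a
# large published list (the EFF long list has 7776 entries) so that each
# word contributes close to 13 bits of entropy.
WORDLIST = [
    "acorn", "badger", "canyon", "drizzle", "ember", "falcon", "glacier",
    "harbor", "iris", "juniper", "kettle", "lantern", "marble", "nectar",
    "orchid", "pebble", "quartz", "raven", "saddle", "thistle", "umber",
    "velvet", "walnut", "xenon", "yarrow", "zephyr", "anvil", "bramble",
    "cobalt", "dune", "elm", "fjord",
]

# scrypt cost parameters (assumed values; tune to the server's budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
MAX_ATTEMPTS = 5  # assumed lockout threshold for answer guessing


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text answer so trivial variations still match.

    NFKC folds compatibility characters, casefold() handles case, and the
    regex drops whitespace and punctuation: "St. Mary's" -> "stmarys".
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^\w]", "", text)


def make_verifier(secret: str) -> dict:
    """Derive a salted scrypt verifier; the secret itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def check_verifier(secret: str, verifier: dict) -> bool:
    """Recompute scrypt with the stored parameters; compare in constant time."""
    digest = hashlib.scrypt(secret.encode("utf-8"),
                            salt=bytes.fromhex(verifier["salt"]),
                            n=verifier["n"], r=verifier["r"], p=verifier["p"],
                            dklen=KEY_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(verifier["hash"]))


def generate_recovery_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Random-word answer, as suggested in the thread: a backup passphrase."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase of `words` words."""
    return words * math.log2(wordlist_size)


class RecoveryStore:
    """Per-user recovery records: question text, scrypt verifier, failure count.

    The verifier does not depend on the account password, so it can still be
    checked after the password is forgotten, and nobody (admins included)
    can recover the answer from the stored record.
    """

    def __init__(self):
        self._records = {}

    def enroll(self, user: str, question: str, answer: str) -> None:
        self._records[user] = {
            "question": question,
            "verifier": make_verifier(normalize_answer(answer)),
            "failures": 0,
        }

    def question_for(self, user: str):
        rec = self._records.get(user)
        return rec["question"] if rec else None

    def check(self, user: str, answer: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            # Spend the same scrypt cost for unknown users so response time
            # does not reveal whether the account exists.
            make_verifier(normalize_answer(answer))
            return False
        if rec["failures"] >= MAX_ATTEMPTS:
            return False  # locked until an admin resets; blocks guessing of low-entropy answers
        if check_verifier(normalize_answer(answer), rec["verifier"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False
```

The record holds only a salt, an scrypt output and the cost parameters, which is the same treatment a password gets; an answer chosen with `generate_recovery_passphrase` from a 7776-word list gives roughly 77.5 bits, while a self-chosen answer such as a pet's name gives far less, which is why the attempt counter matters more than the hash for the latter.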
