I have put a new beta of the Auth application on http://auth.opensolaris.org/auth. This contains the new registration and login pages which will in time replace the existing account management pages on opensolaris.org.

I would like people to test the new version and provide feedback. At the moment I am primarily concerned with functionality and not appearance; the CSS will be changed before deployment to conform with the OSO L&F. I'm particularly interested to see if anyone can hack the site and/or find any security flaws - for example, can you add a bogus SSH key to an account that you don't own? The 'admin' account would be a good choice for any attacks.

Some notes
==========

Security
--------

The site is currently running under HTTP. When it is deployed it will be running HTTPS, so eavesdropping on traffic between the browser and the app won't be possible.

Confirmation emails
-------------------

At the moment, all emails are sent to [EMAIL PROTECTED] (http://mail.opensolaris.org/pipermail/auth-test), for testing purposes. This means that you can enter a made-up email address, as long as it is correctly formatted. This also means that all token and confirmation emails are globally visible. When deployed this obviously won't be the case, so an attacker would have to eavesdrop to obtain a copy of the mails.

Localization
------------

The application is internationalised. The preferred language can either be specified via your browser preferences, or via the language option on the account edit screen, with the account setting taking preference. At present there are only translations for the test-only Esperanto and Australian English languages.

What isn't there yet
--------------------

1. Member collective editing

   The page which will allow you to select which collectives you wish to participate in is not yet implemented.

2. Sunid confirmation

   It is necessary to tie Sun employees' OpenSolaris.org accounts to their Sun identity, so we know that they don't have to sign an individual SCA. This isn't implemented yet, but when available it will prompt for a Sun employee number and the corresponding password. If these match, the password will be discarded and the Sun employee ID will be saved read-only in the OpenSolaris.org account.

3. Set language when not logged in

   You can specify preferred language via browser preferences, or in your account settings. A mechanism will also be provided to allow you to specify the preferred language for anonymous browsing on a per-visit basis.

Pages and processes
===================

Registration
------------

http://auth.opensolaris.org/auth/edit.action

1. Account details are entered and the CAPTCHA is answered. If successful, a confirmation email is sent to the registered address.
2. The account is initially in 'confirm email' mode, and logins are disabled.
3. The confirmation email contains a validation link. When this is visited, the account is activated.
4. The token has a validity of 15 minutes. If it expires before the account is confirmed, the "Email reset" process must be used to generate another token. This timeout is deliberately short for testing purposes.

Login
-----

http://auth.opensolaris.org/auth/login.action

1. A valid username and password are required.
2. On successful login, a dummy home page is displayed.
3. Only 3 unsuccessful login attempts are allowed in any 5-minute period.
4. After 6 unsuccessful attempts the account is suspended, and the account owner is notified and provided with a password reset token.

Account edit
------------

http://auth.opensolaris.org/auth/edit.action

1. You need to be logged in to edit an account.
2. All account edits need confirmation with the current password. If the password is entered incorrectly 3 times, the account is locked and the owner notified.
3. If the email address is changed, the account is put into "confirm email" state and a confirmation token sent to the member.

SSH key edit
------------

http://auth.opensolaris.org/auth/keys.action

1. You need to be logged in to edit an account.
2. Keys may be uploaded from disk. Keys are validated before being accepted.
3. Addition of a new key requires the current password confirmation; deletion does not require password confirmation.
4. If the wrong password is supplied 3 times, the account will be locked.

Password reset
--------------

http://auth.opensolaris.org/auth/resetPassword.action

1. A password reset token may be generated by entering either a member name or an email, and answering a CAPTCHA. The token is sent to the registered email address.
2. The token has a 15-minute validity (for testing purposes). The user must supply the answers to the 2 preregistered security questions to reset the password. Only 3 attempts to change the password are allowed before the account is locked.
3. If the password is successfully changed, a notification email is sent to the registered email address.

Email reset
-----------

http://auth.opensolaris.org/auth/resetPassword.action

1. A member name and password are supplied, along with a new email address and the answer to a CAPTCHA.
2. If the member name and password are valid, the email is changed, the account is put into the "confirm email" state and a confirmation token is sent to the user. The token has a validity of 15 minutes, for testing purposes.
3. When the token is clicked, the email is confirmed and the account is activated.
4. Only 3 tokens may be requested before the account is locked.

Please let me know if you find any problems, or have any questions.

Thanks,

--
Alan Burlison
--

_______________________________________________
website-discuss mailing list
[email protected]
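The login rules in the post (3 failures per 5-minute window, suspension and owner notification after 6) modelled as a small per-account policy. This is an added illustration, not the Auth application's code; the account name, the timestamps and the assumption that a throttled attempt is refused before the password is checked are all mine.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60   # "any 5-minute period"
WINDOW_LIMIT = 3          # failed attempts tolerated inside one window
SUSPEND_AFTER = 6         # failed attempts (since the last success) before suspension


class LoginThrottle:
    """Failed-login policy from the post, tracked per account (illustration, not the app's code)."""

    def __init__(self):
        self.window = defaultdict(deque)   # account -> timestamps of recent failures
        self.total = defaultdict(int)      # account -> failures since the last successful login
        self.suspended = set()
        self.notifications = []            # (account, message) the app would send by email

    def _failures_in_window(self, account, now):
        q = self.window[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                    # slide the 5-minute window forward
        return len(q)

    def attempt(self, account, password_ok, now):
        """Process one login attempt at time `now` (seconds) and return its outcome."""
        if account in self.suspended:
            return "suspended"
        if self._failures_in_window(account, now) >= WINDOW_LIMIT:
            # Assumption: a throttled attempt is refused before the password is checked,
            # so it neither succeeds with the right password nor counts towards suspension.
            return "throttled"
        if password_ok:
            self.window[account].clear()
            self.total[account] = 0
            return "ok"
        self.window[account].append(now)
        self.total[account] += 1
        if self.total[account] >= SUSPEND_AFTER:
            self.suspended.add(account)
            self.notifications.append((account, "account suspended; password reset token sent"))
            return "suspended"
        return "denied"


def demo():
    """Constructed sequence for 'alice': 3 bad passwords, a throttled 4th try with the right
    password, then 3 more failures after the window has passed, which suspends the account."""
    t = LoginThrottle()
    outcomes = [t.attempt("alice", False, s) for s in (0, 10, 20)]
    outcomes.append(t.attempt("alice", True, 30))
    outcomes += [t.attempt("alice", False, s) for s in (330, 340, 350)]
    outcomes.append(t.attempt("alice", True, 360))
    return outcomes
```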
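The post says uploaded keys are validated before being accepted but not how. As an added example (not the project's code), here is one check an implementer would perform on an OpenSSH public-key line: split it into type, base64 blob and comment, and confirm that the algorithm name embedded at the start of the blob matches the declared type. ACCEPTED_TYPES, the dummy key material and the comment address are assumptions.

```python
import base64
import struct

ACCEPTED_TYPES = {"ssh-rsa", "ssh-dss"}   # assumption: key types the site would accept


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def validate_ssh_public_key(line: str):
    """Return (key_type, comment) for a well-formed OpenSSH public key line; raise ValueError otherwise."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError("unsupported key type: %r" % key_type)
    try:
        blob = base64.b64decode(blob_b64, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("key blob is not valid base64")
    # The blob's first wire-format string names the algorithm and must match the declared type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii") or len(blob) <= 4 + n:
        raise ValueError("key blob does not match the declared type or carries no key material")
    return key_type, comment


def accepts(line: str) -> bool:
    """True if the line passes validation, False otherwise."""
    try:
        validate_ssh_public_key(line)
        return True
    except ValueError:
        return False


def constructed_key(declared_type: str, blob_type: str) -> str:
    """Build a sample key line with dummy key material (constructed for this example, not a real key)."""
    blob = _ssh_string(blob_type.encode()) + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xab\xcd")
    return "%s %s tester@example.invalid" % (declared_type, base64.b64encode(blob).decode())
```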
