[website-discuss] Beta of new OSO registration & login application available for testing
Alan Burlison
Alan.Burlison at sun.com
Wed Aug 20 14:33:48 PDT 2008
I have put a new beta of the Auth application on
http://auth.opensolaris.org/auth. This contains the new registration and
login pages which will in time replace the existing account management
pages on opensolaris.org.
I would like people to test the new version and provide feedback. At
the moment I am primarily concerned with functionality and not
appearance; the CSS will be changed before deployment to conform to
the OSO L&F. I'm particularly interested to see if anyone can hack the
site and/or find any security flaws - for example can you add a bogus
SSH key to an account that you don't own - the 'admin' account would be
a good choice for any attacks.
Some notes
==========
Security
--------
The site is currently running under HTTP, when it is deployed it will be
running HTTPS, so eavesdropping on traffic between the browser and the
app won't be possible.
Confirmation emails
-------------------
At the moment, all emails are sent to auth-test at opensolaris.org
(http://mail.opensolaris.org/pipermail/auth-test), for testing purposes.
This means that you can enter a made-up email address, as long as it
is correctly formatted. This also means that all token and confirmation
emails are globally visible. When deployed this obviously won't be the
case, so an attacker would have to eavesdrop to obtain a copy of the mails.
Localization
------------
The application is internationalised. The preferred language can either
be specified via your browser preferences, or via the language option on
the account edit screen, with the account setting taking preference. At
present there are only translations for the test-only Esperanto and
Australian English languages.
What isn't there yet
--------------------
1. Member collective editing
The page which will allow you to select which collectives you wish to
participate in is not yet implemented.
2. Sunid confirmation
It is necessary to tie Sun employees' OpenSolaris.org accounts to their
Sun identity, so we know that they don't have to sign an individual SCA.
This isn't implemented yet, but when available it will prompt for a
Sun employee number and the corresponding password. If these match, the
password will be discarded and the Sun employee ID will be saved
read-only in the OpenSolaris.org account.
3. Set language when not logged in
You can specify preferred language via browser preferences, or in your
account settings. A mechanism will also be provided to allow you to
specify the preferred language for anonymous browsing on a per-visit basis.
Pages and processes
===================
Registration
------------
http://auth.opensolaris.org/auth/edit.action
1. Account details are entered and the CAPTCHA is answered. If
successful a confirmation email is sent to the registered address.
2. The account is initially in 'confirm email' mode, and logins are
disabled.
3. The confirmation email contains a validation link. When this is
visited, the account is activated.
4. The token has a validity of 15 minutes. If it expires before the
account is confirmed, the "Email reset" process must be used to generate
another token. This timeout is deliberately short for testing purposes.
Login
-----
http://auth.opensolaris.org/auth/login.action
1. A valid username and password are required.
2. On successful login, a dummy home page is displayed.
3. Only 3 unsuccessful login attempts are allowed in any 5-minute period.
4. After 6 unsuccessful attempts the account is suspended, the account
owner is notified and provided with a password reset token.
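The login throttling and suspension rules in points 3 and 4 above, modelled as an added example (this is not the auth application's own code). It assumes an in-memory account store, an injectable clock so the 5-minute window can be tested without waiting, and "notify the owner" modelled as a recorded event rather than a real email; the password is stored in clear only to keep the model short, a real store would keep a hash.

```python
"""Model of the login failure policy: at most 3 failed attempts in any
5-minute window, and suspension after 6 failures.
Added example; assumptions: in-memory store, injectable clock,
notification modelled as a list of events instead of email."""
import secrets
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

WINDOW_SECONDS = 5 * 60   # "3 unsuccessful login attempts in any 5-minute period"
WINDOW_LIMIT = 3
SUSPEND_AFTER = 6         # "after 6 unsuccessful attempts the account is suspended"


@dataclass
class Account:
    password: str                     # clear text only for the model (assumption)
    failures: deque = field(default_factory=deque)   # timestamps of recent failures
    total_failures: int = 0           # consecutive failures since the last success
    suspended: bool = False
    reset_token: Optional[str] = None  # issued to the owner on suspension


class LoginPolicy:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, Account] = {}
        self.notifications: list = []   # (username, message) pairs instead of email

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(password=password)

    def _prune(self, acct: Account, now: float) -> None:
        # Forget failures that fell out of the 5-minute window
        while acct.failures and now - acct.failures[0] > WINDOW_SECONDS:
            acct.failures.popleft()

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad-credentials', 'throttled' or 'suspended'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so usernames can't be probed
            return "bad-credentials"
        if acct.suspended:
            return "suspended"
        self._prune(acct, now)
        if len(acct.failures) >= WINDOW_LIMIT:
            # Window is full: refuse before checking the password at all
            return "throttled"
        if secrets.compare_digest(password.encode(), acct.password.encode()):
            acct.failures.clear()
            acct.total_failures = 0
            return "ok"
        acct.failures.append(now)
        acct.total_failures += 1
        if acct.total_failures >= SUSPEND_AFTER:
            acct.suspended = True
            acct.reset_token = secrets.token_urlsafe(32)
            self.notifications.append((username, "account suspended; reset token issued"))
            return "suspended"
        return "bad-credentials"


if __name__ == "__main__":
    policy = LoginPolicy()
    policy.register("demo", "correct horse")
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", policy.login("demo", attempt))
```

Note that once the window is full even the correct password is refused until it expires, which is what stops an attacker from simply racing the limit; the suspension counter is separate from the window so that three failures, a wait, and three more still trip it.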
Account edit
------------
http://auth.opensolaris.org/auth/edit.action
1. You need to be logged in to edit an account.
2. All account edits need confirmation with the current password. If
the password is entered incorrectly 3 times, the account is locked and
the owner notified.
3. If the email address is changed, the account is put into "confirm
email" state and a confirmation token sent to the member.
SSH key edit
------------
http://auth.opensolaris.org/auth/keys.action
1. You need to be logged in to edit an account.
2. Keys may be uploaded from disk. Keys are validated before being
accepted.
3. Addition of a new key requires the current password confirmation,
deletion does not require password confirmation.
4. If the wrong password is supplied 3 times, the account will be locked.
Password reset
--------------
http://auth.opensolaris.org/auth/resetPassword.action
1. A password reset token may be generated by entering either a member
name or an email, and answering a CAPTCHA. The token is sent to the
registered email address.
2. The token has a 15 minute validity (for testing purposes). The user
must supply the answers to the 2 preregistered security questions to
reset the password. Only 3 attempts to change the password are allowed
before the account is locked.
3. If the password is successfully changed, a notification email is sent
to the registered email address.
Email reset
-----------
http://auth.opensolaris.org/auth/resetPassword.action
1. A member name and password are supplied, along with a new email
address and the answer to a CAPTCHA.
2. If the member name and password are valid, the email is changed, the
account is put into the "confirm email" state and a confirmation token
is sent to the user. The token has a validity of 15 minutes, for
testing purposes.
3. When the token is clicked, the email is confirmed and the account is
activated.
4. Only 3 tokens may be requested before the account is locked.
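The confirmation-token lifecycle shared by the Registration and Email reset processes above (15-minute validity, "confirm email" state until the token is used, a fresh token on email reset, and a lock after 3 token requests), as an added example that is not the auth application's code. It assumes tokens are random, single-use and stored only as a SHA-256 digest, that the registration token does not count towards the 3-request limit, that token delivery is modelled by returning the token to the caller instead of emailing it, and that the password and CAPTCHA checks of the real flow are left out.

```python
"""Confirmation tokens for registration and email reset.
Added example; assumptions: random single-use tokens stored as digests,
injectable clock, delivery modelled by returning the token."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # "a validity of 15 minutes, for testing purposes"
MAX_TOKEN_REQUESTS = 3        # "Only 3 tokens may be requested before the account is locked"


@dataclass
class Account:
    email: str
    state: str = "confirm-email"        # "confirm-email", "active" or "locked"
    token_digest: Optional[str] = None  # digest of the outstanding token, if any
    token_expires: float = 0.0
    token_requests: int = 0             # email-reset tokens requested so far


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class EmailConfirmation:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def _issue(self, acct: Account) -> str:
        # Any earlier token is superseded: only one outstanding token per account
        token = secrets.token_urlsafe(32)
        acct.token_digest = _digest(token)
        acct.token_expires = self.clock() + TOKEN_TTL_SECONDS
        return token

    def register(self, username: str, email: str) -> str:
        """Create the account in 'confirm email' state; returns the token to be mailed."""
        acct = Account(email=email)
        self.accounts[username] = acct
        return self._issue(acct)

    def reset_email(self, username: str, new_email: str) -> Optional[str]:
        """Email reset: change the address, return to 'confirm email', issue a new token.
        Returns None (and locks the account) once the request limit is exceeded."""
        acct = self.accounts[username]
        if acct.state == "locked":
            return None
        acct.token_requests += 1
        if acct.token_requests > MAX_TOKEN_REQUESTS:
            acct.state = "locked"
            acct.token_digest = None
            return None
        acct.email = new_email
        acct.state = "confirm-email"
        return self._issue(acct)

    def confirm(self, username: str, token: str) -> str:
        """Visit the validation link. Returns 'activated', 'expired', 'invalid' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None or acct.token_digest is None:
            return "invalid"
        if acct.state == "locked":
            return "locked"
        if not secrets.compare_digest(_digest(token), acct.token_digest):
            return "invalid"
        if self.clock() > acct.token_expires:
            return "expired"   # the Email reset process must be used to get another
        acct.state = "active"
        acct.token_digest = None   # single use
        return "activated"


if __name__ == "__main__":
    svc = EmailConfirmation()
    tok = svc.register("demo", "demo@example.invalid")   # constructed sample address
    print(svc.confirm("demo", tok), svc.accounts["demo"].state)
```

Storing only the digest means a leaked copy of the account table does not yield usable tokens, and the constant-time comparison avoids leaking token bytes through timing; whether the registration token itself should count against the 3-request limit is a policy choice the post does not settle.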
Please let me know if you find any problems, or have any questions.
Thanks,
--
Alan Burlison