User creation with password #437

djach7 · 2023-03-02T21:05:05Z

This pr attempts to implement the creation of a user and password when onboarding a device, using a username and password provided within the serviceinfo_api_server.yml config.

closes #321

This is a draft, current known issues include:

Password encryption on on user creation
Confirming sshkey creation still functional
Confirming edge case functionality

miabbott · 2023-03-02T21:43:19Z

Could you use a Rust crate to handle the password hashing instead of shelling out to openssl?

https://docs.rs/password-hash/latest/password_hash/

https://docs.rs/bcrypt/latest/bcrypt/

miabbott · 2023-03-02T21:47:53Z

Also we should be defaulting to SHA512 for the algorithm; MD5 is considered insecure these days.

https://access.redhat.com/articles/880733

client-linuxapp/src/serviceinfo.rs

nullr0ute · 2023-03-03T08:41:47Z

Could you use a Rust crate to handle the password hashing instead of shelling out to openssl?

Or using a function in the openssl crate.

client-linuxapp/src/serviceinfo.rs

sarmahaj · 2023-03-03T10:05:38Z

are we not contradicting to FIDO policy of "password less" logins by providing a way to set password for initial user ?
I think we should prefer sshkey rather than password for at least initial user which is for first boot/onboarding. As I recall we did this because for local user it asks for password .

say-paul · 2023-03-03T10:10:20Z

An general thought on having the plain text password in .yaml which may raise some eyebrows.We can force user to put the encrypted password in the file as its done with the useradd command , advantage is 1. simplify the implementation , 2. security.

say-paul · 2023-03-03T10:21:20Z

are we not contradicting to FIDO policy of "password less" logins by providing a way to set password for initial user ? I think we should prefer sshkey rather than password for at least initial user which is for first boot/onboarding. As I recall we did this because for local user it asks for password .

the ssh_key feature already exists, this added feature is for any user who requires password to be set also.

client-linuxapp/src/serviceinfo.rs

djach7 · 2023-03-03T14:12:50Z

Thank you all for the comments/ideas, I'm going to try to understand the openssl crate and I'll make the other changes above too.

client-linuxapp/src/serviceinfo.rs

7flying · 2023-06-13T07:13:09Z

There are some changes made into the serviceinfo-api-server, owner-onboarding-server and client-linuxapp on the chore(integration-tests) commit that are not tests, I would like those changes to be moved to the implementation commit.

Other than that, we are not testing that you can add more than one ssh key per user, but we can add that as a follow-up PR.

So, feel free to mark the PR as ready

nullr0ute · 2023-06-13T08:33:55Z

Other than that, we are not testing that you can add more than one ssh key per user, but we can add that as a follow-up PR.

Can we ensure an issue is created so that isn't lost.

7flying · 2023-06-13T09:09:00Z

Other than that, we are not testing that you can add more than one ssh key per user, but we can add that as a follow-up PR.

Can we ensure an issue is created so that isn't lost.

Yep, linking the issue here for future reference #507

client-linuxapp/src/serviceinfo.rs

7flying

Everything looks good, thank you!

Allows users to create a password for login when onboarding a device. These passwords are optional and should be provided within the 'serviceinfo_api_server.yml' config file. A user's password will be encrypted via SHA-256 if it is not already encrypted when provided to the config. Signed-off-by: djach7 <djachimo@redhat.com>

Signed-off-by: djach7 <djachimo@redhat.com>

7flying reviewed Mar 3, 2023

View reviewed changes