
Include tool to add users to htpasswd file offline. #9

Open
mx-moth opened this issue Feb 16, 2015 · 3 comments

Comments

mx-moth commented Feb 16, 2015

Currently, to add a user to a private sinopia registry, user registrations must be opened to the world. The user should then sign up, and registrations be locked down again.

This is insecure, as an attacker could sign up in the brief time that the real user is creating their account. Additionally, this method requires restarting the sinopia server twice, which is not great if it is in continuous use.

An alternative is to offer a command line tool that adds a user to a htpasswd file that administrators can run on the server itself. Because this does not open registrations to anyone who does not already have SSH access to the box, this is secure.

I have written a tool (https://bitbucket.org/takeflight/sinopia-aduser) which does exactly this. If you're interested, I can create a pull request that adds this functionality to this package, or you could use the code for inspiration if you implement this yourself.

rlidwka (Owner) commented Feb 18, 2015

Adding users manually is insecure, because the system administrator will know the password the user will be logging in with. And I think it is much worse than having registrations opened.

In fact, I don't see how an attacker will benefit from registering at all. This is standard procedure we use to add new developers:

  1. We ask them to register on the server using npm adduser --reg http://.../
  2. After they do this, we ask for their username and exact time when they registered to verify. Check that and add them to an appropriate usergroup.

This way even if someone registers on the servers, she will not have access to any repos.

That said, if you want to create a PR for such a CLI tool, I'll accept it.

PS: you can already add new users manually with this command (I'll add that to readme):

$ echo "user:`mkpasswd --method=sha-512 password`" >> htpasswd

rlidwka added a commit that referenced this issue Feb 18, 2015
mx-moth (Author) commented Feb 18, 2015

The user is prompted to enter their password if their password is not provided on the command line, so the password input can still be secure. I'll make this into a pull request in the next few days and send it your way. The example line you gave above would also be very useful in the docs, as well as a note saying that the standard htpasswd executable from Apache is not compatible with the htpasswd file for sinopia. That caused some confusion!
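As an added example (not code from the sinopia project or from either commenter), this Python script does offline what the mkpasswd one-liner above does: it computes the same crypt(3) `$6$` (SHA-512) hash, prompts for the password when none is passed so it never lands in argv or shell history, and refuses to add a username that is already in the file. The file path, usernames and salts used are assumptions.

```python
import getpass, hashlib, secrets
from pathlib import Path

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# crypt(3) emits the digest bytes as 21 rotated triplets (k, k+21, k+42), then byte 63
_ORDER = [tuple(k + 21 * ((j + k) % 3) for j in range(3)) for k in range(21)]

def _enc(w, n):  # crypt's base64: 6 bits at a time, least significant group first
    return "".join(_B64[(w >> (6 * i)) & 0x3F] for i in range(n))

def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """crypt(3) '$6$' hash, the format `mkpasswd --method=sha-512` writes (default 5000 rounds)."""
    pw, sl = password.encode(), salt[:16].encode()
    n = len(pw)
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl + b * (n // 64) + b[:n % 64])
    for k in range(n.bit_length()):  # one extra block per bit of the password length
        a.update(b if (n >> k) & 1 else pw)
    a = a.digest()
    dp = hashlib.sha512(pw * n).digest()
    p = dp * (n // 64) + dp[:n % 64]
    s = hashlib.sha512(sl * (16 + a[0])).digest()[:len(sl)]
    c = a
    for r in range(rounds):  # the slow part: alternating password/salt mixing
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    out = "".join(_enc((c[x] << 16) | (c[y] << 8) | c[z], 4) for x, y, z in _ORDER)
    return f"$6${salt[:16]}${out}{_enc(c[63], 2)}"

def add_user(path, user: str, password=None, salt=None) -> str:
    """Append `user:hash` to the htpasswd file; prompt for the password if none is given."""
    if not user or ":" in user:
        raise ValueError("invalid username")
    f = Path(path)
    existing = f.read_text().splitlines() if f.exists() else []
    if any(ln.split(":", 1)[0] == user for ln in existing):
        raise ValueError(f"user {user!r} already exists in {f}")
    if password is None:  # read from the terminal, not argv, so the admin need not see it
        password = getpass.getpass(f"Password for {user}: ")
    salt = salt or "".join(secrets.choice(_B64) for _ in range(16))
    line = f"{user}:{sha512_crypt(password, salt)}"
    with f.open("a") as fh:
        fh.write(line + "\n")
    return line
```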

rlidwka (Owner) commented Feb 19, 2015

> the standard htpasswd executable from Apache is not compatible with the htpasswd file for sinopia

Maybe we can make it compatible with, for example, the apache-md5 module. I'll check that out.
