Cacti: official forums and support
Edit User Account Form

karlh
Joined: 06 Mar 2002
Posts: 37
Location: Reykjavik, Iceland

Posted: Thu May 30, 2002 8:16 pm    Post subject: Edit User Account Form

Hi.
I have been wondering about a cool feature.

1. Adding an email function to the add-user form: after you submit a new user, Cacti sends a user-defined $form.php to the user's email with the URL, username and password...
Pretty cool, eh?!?!?

Also...

2. Optionally, I would like to see unencrypted passwords. Just a cosmetic thing, but if the submit form had a resend button or a "Forgot your password?" function it would be nice.
raX
Lead Developer
Joined: 13 Oct 2001
Posts: 2235
Location: Carlisle, PA

Posted: Mon Jun 03, 2002 8:20 am

These sound like some pretty cool features for having users log in and check their graphs. I could probably use more ideas like this for 0.8, since this is yet another area that could use improvement. I think having an e-mail generated to the user would be a very useful addition, and it sounds quite feasible and easy to implement. About the unencrypted passwords, perhaps this could be an option, because most users would not want this. I will have to consider what options we have for that.

-Ian
robsweet
Joined: 22 Mar 2002
Posts: 35
Location: Atlanta, GA

Posted: Mon Jun 03, 2002 11:31 am

I'm not completely opposed to it, but why would you want unencrypted passwords?

Also, regarding the email, you DO NOT email passwords - ever. Not even as an option. I've got no problem with a 'welcome' email with the username and URL but if you want to email the password, I'd rather you do it manually. One of the goals of Cacti is to make it feasible for larger organizations to consider using the system. I know several security people at various companies who would not endorse any system that even made it easy to email passwords, let alone did it by default. As you can tell, I'm completely against it.

My two bits.
Rob.
karlh
Joined: 06 Mar 2002
Posts: 37
Location: Reykjavik, Iceland

Posted: Thu Jun 06, 2002 5:58 pm    Post subject: Sending password via email

Hi Rob.
The point is the force-change-password feature. You email the password, and when the user logs in it will change.... It's not a big deal, I mean it's only graphs here via a web interface... So I don't understand the paranoia. I have clients in the thousands, and I want to use an easy interface like Cacti. So this helps a lot in the user management field. Also, the unencrypted password is mainly for management functions that allow an operator to view the users' passwords if they forget them or are having problems logging in.
robsweet
Joined: 22 Mar 2002
Posts: 35
Location: Atlanta, GA

Posted: Thu Jun 06, 2002 7:12 pm

"So I don't understand the paranoia." - Ask your company's security team. If you don't have one, ask somebody else's. A little paranoia is healthy; a lot is, well, paranoid.

If you send a one-time password to a customer and he's on vacation for a month, you give a potential hacker a one month window during which he can use the password and change it to whatever he wants. The real user comes back, complains, gets emailed a new password, and the hacker just picks it up again.

This is an old debate. I've been converted by security folks who have shown me just how easy it really is to compromise poorly protected systems. If somebody gets a valid password, maybe they'll also know about a bug in Cacti or some other web-based service running on that box. Before you know it the box is owned. Do you care? Maybe it's just a web server in front of the firewall. Even if that's the case, it's a pain to nuke and pave a production server - especially if you want to do it without customer-affecting downtime. This is a worst-case scenario, I agree, but is it really worth the risk?

Why does an Op need to see the passwords? If a user has password trouble, they call. If they're on the phone, the Op resets the password to something else and tells the user, "This is your new password."

My feeling (and Ian and I have *not* discussed it so I have no idea what he thinks or what "official" Cacti policy will end up being) is that if you want that kind of insecurity, you're welcome to hack it into your own copy of Cacti but I don't want to build that in and make it easy for Cacti to be a possible security risk.

My two bits.
Rob.
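The flow the two sides of this thread are arguing over can be written down concretely. The following is an added example, not Cacti code and not anything the posters wrote: it implements karlh's welcome email and "Forgot your password?" request, but in the shape Rob argues for. The stored password is a salted hash that no operator screen can display; the email carries the URL and username plus a single-use set-password link that expires after a short time (the fifteen-minute lifetime, the `reset.php` path and the `cacti.example` host are assumptions), so the month-long window Rob describes does not exist; and the helpdesk path is an operator reset to a fresh temporary password that the user must replace at first login. The mail sender and the clock are injected so the example runs offline.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a set-password link
PBKDF2_ROUNDS = 100_000       # assumed work factor for password hashing


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only salt and digest are stored, never the
    password, so no management screen can ever show a user's password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hash_token(token: str) -> bytes:
    """Reset tokens are high-entropy, so plain SHA-256 suffices; storing only the
    hash means a copied user table does not contain live set-password links."""
    return hashlib.sha256(token.encode()).digest()


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


class AccountStore:
    def __init__(self, base_url: str, send_mail: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.base_url = base_url
        self.send_mail = send_mail   # injected so the example runs without SMTP
        self.clock = clock           # injected so expiry can be exercised
        self.users: Dict[str, User] = {}

    def create_user(self, username: str, email: str) -> User:
        # The initial password is random and shown to nobody; the only way into a
        # new account is the short-lived, single-use link in the welcome mail.
        salt, pw_hash = hash_password(secrets.token_urlsafe(32))
        user = User(username, email, salt, pw_hash)
        self.users[username] = user
        self.request_password_reset(username)
        return user

    def request_password_reset(self, username: str) -> bool:
        """'Forgot your password?' flow: mail a set-password link, never a password.
        The web layer should answer identically whether or not the user exists."""
        user = self.users.get(username)
        if user is None:
            return False
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = hash_token(token)
        user.reset_expires_at = self.clock() + TOKEN_TTL_SECONDS
        self.send_mail(user.email,
                       f"Hello {username}, your Cacti account is ready at {self.base_url}/ "
                       f"Set your password within {TOKEN_TTL_SECONDS // 60} minutes using "
                       f"this link (it works once): "
                       f"{self.base_url}/reset.php?user={username}&token={token}")
        return True

    def redeem_reset_token(self, username: str, token: str, new_password: str) -> bool:
        user = self.users.get(username)
        if user is None or user.reset_token_hash is None:
            return False
        if self.clock() > user.reset_expires_at:
            user.reset_token_hash = None          # expired: the window closes for good
            return False
        if not hmac.compare_digest(hash_token(token), user.reset_token_hash):
            return False
        user.salt, user.pw_hash = hash_password(new_password)
        user.reset_token_hash = None              # single use
        user.must_change_password = False
        return True

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'must_change_password' or 'ok'."""
        user = self.users.get(username)
        if user is None:
            return "denied"
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.pw_hash):
            return "denied"
        return "must_change_password" if user.must_change_password else "ok"

    def operator_reset(self, username: str) -> str:
        """Helpdesk path from the thread: the operator cannot read the old password,
        so a fresh temporary one is set and read to the caller on the phone; the
        user is forced to replace it at the next login."""
        user = self.users[username]
        temp = secrets.token_urlsafe(9)
        user.salt, user.pw_hash = hash_password(temp)
        user.must_change_password = True
        return temp


if __name__ == "__main__":
    outbox = []
    store = AccountStore("https://cacti.example", lambda to, body: outbox.append((to, body)))
    store.create_user("karlh", "karlh@example.com")   # constructed sample account
    print(outbox[-1][1])                              # the welcome mail: URL, username, link
```

The token hash and expiry live on the user record, so redeeming a link both checks the clock and clears the hash, which is what turns a month-long exposure into a fifteen-minute one and makes a second use of the same link fail. Replaying the welcome mail therefore yields nothing once the user has set a password, and an operator who needs to help a caller gets a temporary credential that is worthless as soon as the user logs in and changes it.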
eyechart
Joined: 25 Apr 2002
Posts: 49

Posted: Fri Jun 07, 2002 2:31 pm    Post subject: who cares

Like someone said before, this is only statistical data being graphed here. If you have set up your community correctly in SNMP and you have configured the user that Cacti executes scripts under, then you should be fine.

BTW, Cacti doesn't use HTTPS, so communication to and from the website is in the clear. If you are paranoid about security, then that is a much bigger problem than emailing a one-time-use password.

-ec
icetrain
Joined: 06 Jun 2002
Posts: 6
Location: Sweden

Posted: Fri Jun 07, 2002 3:15 pm

Statistical data can be quite sensitive data sometimes...

Even if the data is not sensitive: say you have several customers using the system and one of them decides he wants to look at some other customer's graphs. He gets hold of a password and logs in to another customer's account. How do you explain this to that customer? "It's only graphs, so we don't care about security"? I bet that meeting would take a wild turn.

As for HTTPS, it isn't a feature of Cacti but rather of the web server, so I don't think you could say that it's a security problem in Cacti, but it's good to point it out since I guess not everyone knows this.

/Christian