An odd request: login without a username/password

Added by Angelo Bertolli over 2 years ago

I would like to change the way Redmine is used by requiring users to provide an email address before accessing the system, but not username/password. Can anyone point me in the right direction to the places I'd have to edit to make this kind of a change?

Replies (8)

RE: An odd request: login without a username/password - Added by Jan Niggemann (redmine.org team member) over 2 years ago

Not possible IMHO...
Also, from a process POV this doesn't seem feasible: How would you know that the person providing the email address user@domain.com is really that user?
A malevolent user could sign in as user@domain.com and subscribe to forums or issues, thus cloaking the mailbox of user@domain.com, possibly even leading to regulatory issues with (foreign) laws...

RE: An odd request: login without a username/password - Added by David Gessel over 2 years ago

I may be reading this wrong, but my assumptions are:

- this request is not for redmine.org, but for a self-hosted redmine install
- the request is for by email access only, but it is an install with per-user identities.

And I believe the following is true:

- lots of people use redmine on LANs and I doubt there are any laws that require user/pass on a lan.
- redmine permits a "0" character length password already

I think the Angelo could probably just duplicate the email field to the username field (or vice versa) and set required password length to zero and achieve the desired result.

RE: An odd request: login without a username/password - Added by Angelo Bertolli over 2 years ago

Jan Niggemann (redmine.org team member) wrote:

How would you know that the person providing the email address user@domain.com is really that user?

Yep, it's definitely not a feature you'd want to be able to do as a normal part of the software. In our case, we're setting up a public site (read-only), but we have a requirement to "keep a list of users"

A malevolent user could sign in as user@domain.com and subscribe to forums or issues, thus cloaking the mailbox of user@domain.com, possibly even leading to regulatory issues with (foreign) laws...

Thank you for that point--I will add that to the list of issues we have with what we're trying to do.

RE: An odd request: login without a username/password - Added by Angelo Bertolli over 2 years ago

David Gessel wrote:

I may be reading this wrong, but my assumptions are:

- this request is not for redmine.org, but for a self-hosted redmine install

yes

- the request is for by email access only, but it is an install with per-user identities.

I'm not sure what you mean. But yes, we want to be able to have just a general idea of who the users are. But we want them to self-manage their entry, since we're actually not trying to restrict access to anything.

And I believe the following is true:

- lots of people use redmine on LANs and I doubt there are any laws that require user/pass on a lan.
- redmine permits a "0" character length password already

I think the Angelo could probably just duplicate the email field to the username field (or vice versa) and set required password length to zero and achieve the desired result.

Thanks for that suggestion, I will see how it goes.

In the end, we may just have to adjust the requirements for what we're trying to do--it may simply not be a good idea.

RE: An odd request: login without a username/password - Added by Jan Niggemann (redmine.org team member) over 2 years ago

David Gessel wrote:

- this request is not for redmine.org, but for a self-hosted redmine install

I didn't think that it was related to redmine org, but IMHO you would not want this on your own install either.

I think the Angelo could probably just duplicate the email field to the username field (or vice versa) and set required password length to zero and achieve the desired result.

Anyone could login as another user, provided he / she knows the appropriate email address. This makes impersonation attacks, a form of social engineering, all too easy.
Impersonation attacks may be the worst of all in relation to the damage that can be done to individuals, I'll give you a simple example:
I could login as "David Gessel" (your email address is publicly available) and then write about how I dislike that bit*h that got promoted to CxO and that the only reason she got promoted was her unprofessional relation to the chairman of the board and ...
Even if you'd not be fired some hours later, your reputation would have been so severely damaged that no one in the company would ever trust you again.

I doubt there are any laws that require user/pass on a lan.

True, but imagine the trouble you'd be in if the CxO from my example sued you for libel. A cease and desist order, a lawsuit, you'd have to find and pay a lawyer...

Imagine another example. Your wife works in the same place as you and suddenly reads something that a co-worker posted. That co-worker seems to have confused her email client and the redmine board!
Your wife reads what she thinks is another woman relating to how you were great, kinky and wild in that hotel room the other night.
Now ask yourself: Would that be easy to explain? To your wife? To your family, co-workers, whoever?

Of course, it all depends on the usecase and while there may be legitimate cases for not having passwords, the security of your company and users should never ever be at stake.

RE: An odd request: login without a username/password - Added by David Gessel over 2 years ago

Your concerns are legitimate in a public-facing installation, but less so in a private-facing one. The confused email example seems a little far fetched, though "reply all" errors are pretty common. Perhaps not quite as common or hilarious as mixing up the search bar and the post bar on facebook, but still a great source of LOLZ. Obviously, IP access is logged and there are standard forensic tools to determine culpability in the first example. Someone attempting to impersonate a person internally in such a scenario would, typically, face serious consequences including felony charges (in the US) for improper access to a computer system. Violating a trivial security measure is as illegal as complex one.

Still, it is important from a security perspective to remember that a user/pass combination merely raises the bar for unauthorized access and, at the same time, raises the bar for the difficulty in disavowing unauthorized abuse as outlined above.

Myself, when I want to make a public-facing redmine installation secure, I only accept client-certificate login (there's a plugin that makes it a little easier to get to the redmine account pulling the common name off the certificate, but this still isn't quite as easy as it should be). I might be willing to consider a properly configured two factor authentication scheme under some circumstances, but those are limited. User/Pass is just trivial security, even with "complex" password rules. Humans have a limited semantic scope and the mnemonic combinatorial space is trivial for brute force attacks, if some other easier crack isn't available. I never trust passwords, not even my own. And I never trust a password protected, web-accessible data store with important information. Nobody secures SSH with user/pass any more - it is always with client certificate-only. That this hasn't become standard practice for HTTPS access is a bit of an annoyance.

On the other hand, I don't really trust any web-accessible data store of any sort: they're all insecure and can never be made secure as every Turing complete machine is provably insecure.

(Security note: one meaningful security tool is to acquire and maintain currently circulating password lists -- these run in the 10's of GB -- and checking user passwords against such lists and blocking any one that appears, along with any trivial 31337-style mutation of any of them: helps block script-kiddy access.)

So, while I agree that disabling user/pass makes an install less secure, that appears to be part of the intent of the OP - compromising security for convenience. It is a finely quantized continuum between anonymous access to as secure as anyone knows how to make it and generally with hassle factor directly proportional to security.

I agree the OP should heed the concerns you just raised, such risks may have been a reasonable part of the calculus, but if they're not considered they can be a nasty surprise.

RE: An odd request: login without a username/password - Added by Angelo Bertolli over 2 years ago

Thanks to both of you. I think one of the issues we have is really don't want to authenticate anyone. However at the same time, we want to be able to contact users in case the site goes down--so we do want the emails.

RE: An odd request: login without a username/password - Added by Jan Niggemann (redmine.org team member) over 2 years ago

David Gessel wrote:

...

We share the same mindset on these issues :-)

(1-8/8)