From: Toke Høiland-Jørgensen
To: Juliusz Chroboczek
CC: Michael Ströder, galene@lists.galene.org
Date: Fri, 19 Feb 2021 14:01:36 +0100
Subject: [Galene] Re: Is the passwd file still needed?
Message-ID: <87zh00jjnz.fsf@toke.dk>
In-Reply-To: <87lfbk6x6w.wl-jch@irif.fr>
References: <878s7kl6zh.fsf@toke.dk> <8735xsl1mq.fsf@toke.dk> <87lfbk6x6w.wl-jch@irif.fr>
List-Id: Galène videoconferencing server discussion list

Juliusz Chroboczek writes:

>>>> With the new hashed-password syntax in group files, user credentials are
>>>> stored in the JSON for each group. But there's still a mention of a
>>>> passwd file in the README, but marked as 'optional' - is this still
>>>> needed?
>
>>> AFAICS it's simply used to protect the /stats page (with HTTP basic auth).
>
> Right.
>
>>>> And is there a way to specify hashed passwords in that file?
>
> This file's syntax is going to change, but I'm not quite sure how. Right
> now, we're duplicating the same entry for a given user in all groups where
> they have a username; it would be good to be able to say
>
> 1. user "toke" has default password "foo";
> 2. user "toke" is Op in group A with his default password;
> 3. user "toke" is Presenter in group B with his default password;
> 4. user "toke" is Op in this whole set of groups with his default password.
>
> One possible solution would be to store default passwords in the "passwd"
> file, and use the default password if "password" is not present (as
> opposed to being the empty string, which will have the same meaning as
> actually). This doesn't solve point (4) above.

Well personally I can live without (4). The obvious answer that comes to
mind to implement it is user groups, though. So (video) groups could
delegate the op priv to a (user) group (of admins, say), and you'd only
need to add a user to that group.

Alternatively, make it up to any third-party administration interface to
provide the group abstraction and just keep the "list of users per (video)
group" that exists now, but move the passwords to a central file.

> Ideas welcome, even if they're not accompanied with patches. Please
> recall that Galène is meant to be easy to install and have minimal
> dependencies, so anything that relies on an external daemon (SQL) is
> out of the question; on the other hand, I'm open to solutions that are
> extensible to third-party authentication or delegation ("login with
> github") as long as they remain optional.

Well if you abstract out the password checking to a passwd file, it would
be fairly straightforward to add additional callbacks there, no? I.e.,
Galene can ask third-party services to authenticate a user ID, with the
passwd file being the default? This would likely also need a decoupling of
user identifiers and display names, as external services can use arbitrary
IDs (but commonly, that's just emails) that are not necessarily what users
want to show up in the user list...

-Toke
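As an added illustration of the design sketched in this thread (a central hashed-password file as the default backend, with third-party authentication pluggable behind the same check), here is an example in Go. It is not Galène's code and does not reproduce Galène's actual hashed-password syntax; the `Authenticator` interface, the `Chain` type and the line format `user:iterations:salthex:keyhex` are assumptions made for the example. The PBKDF2-HMAC-SHA256 helper is written against the standard library only so the block runs offline; a real deployment would use a maintained implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Authenticator is the hypothetical hook: any backend (the passwd file, an
// external identity service) answers "does this user ID present a valid password?".
type Authenticator interface {
	Authenticate(user, password string) (bool, error)
}

// AuthFunc adapts a plain callback (e.g. a third-party service) to Authenticator.
type AuthFunc func(user, password string) (bool, error)

func (f AuthFunc) Authenticate(user, password string) (bool, error) { return f(user, password) }

const keyLen = 32            // derived-key length in bytes (SHA-256 output size)
const defaultIterations = 4096 // assumed work factor for the example

// pbkdf2SHA256 is a standard-library-only PBKDF2 (RFC 8018) with HMAC-SHA256.
func pbkdf2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	var dk []byte
	var idx [4]byte
	for block := 1; block <= (dkLen+hashLen-1)/hashLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// entry is one parsed passwd line; only the derived key is stored, never the password.
type entry struct {
	iterations int
	salt, key  []byte
}

// PasswdFile is the default backend: user ID -> hashed credential.
type PasswdFile struct{ users map[string]entry }

// ParsePasswd reads the constructed format "user:iterations:salthex:keyhex";
// blank lines and '#' comments are skipped, malformed lines are rejected.
func ParsePasswd(text string) (*PasswdFile, error) {
	pf := &PasswdFile{users: map[string]entry{}}
	for n, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		it, err := strconv.Atoi(f[1])
		if err != nil || it < 1 {
			return nil, fmt.Errorf("line %d: bad iteration count", n+1)
		}
		salt, err1 := hex.DecodeString(f[2])
		key, err2 := hex.DecodeString(f[3])
		if err1 != nil || err2 != nil || len(key) != keyLen {
			return nil, fmt.Errorf("line %d: bad salt or key encoding", n+1)
		}
		pf.users[f[0]] = entry{iterations: it, salt: salt, key: key}
	}
	return pf, nil
}

// dummySalt lets the unknown-user path do the same work as a real check, so
// response time does not reveal which user IDs exist.
var dummySalt = make([]byte, 16)

func (p *PasswdFile) Authenticate(user, password string) (bool, error) {
	e, ok := p.users[user]
	if !ok {
		pbkdf2SHA256([]byte(password), dummySalt, defaultIterations, keyLen)
		return false, nil
	}
	got := pbkdf2SHA256([]byte(password), e.salt, e.iterations, keyLen)
	return subtle.ConstantTimeCompare(got, e.key) == 1, nil
}

// HashPassword produces a passwd line for user with a fresh 16-byte random salt.
func HashPassword(user, password string, iterations int) (string, error) {
	if strings.Contains(user, ":") {
		return "", fmt.Errorf("user ID must not contain ':'")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	return fmt.Sprintf("%s:%d:%s:%s", user, iterations, hex.EncodeToString(salt), hex.EncodeToString(key)), nil
}

// Chain asks each backend in turn; the passwd file is normally last, as the default.
type Chain []Authenticator

func (c Chain) Authenticate(user, password string) (bool, error) {
	for _, a := range c {
		ok, err := a.Authenticate(user, password)
		if err != nil {
			return false, err
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	line, _ := HashPassword("toke", "foo", defaultIterations) // constructed sample user
	pf, _ := ParsePasswd("# constructed sample passwd file\n" + line + "\n")
	ok, _ := pf.Authenticate("toke", "foo")
	fmt.Println("passwd file accepts toke/foo:", ok)
}
```

The passwd file only ever stores salted PBKDF2 output, the comparison is constant-time, and an unknown user costs the same as a wrong password, so the file does not leak which IDs exist. A "login with github"-style backend would be one more `Authenticator` placed ahead of the file in the `Chain`; the user-ID-versus-display-name split mentioned above would sit on top of whatever ID the successful backend returns.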