Hi.
I have been wondering about a cool feature.
1. Adding an email function in the adduser form, so that after you submit a new user, Cacti sends a user-defined $form.php to the user's @email with the URL, username and password...
Pretty cool, eh?!?!?
Also...
2. Optionally, I would like to see unencrypted passwords. Just a cosmetic thing, but if the submit form had a resend button or a "Forgot your password?" function it would be nice.
Edit User Account Form
Best regards
Karl Heidar
These sound like some pretty cool features for having users log in and check their graphs. I could probably use more ideas like this for 0.8 since this is yet another area that could use improvement. I think having an e-mail generated to the user would be a very useful addition, and sounds quite feasible and easy to implement. About the unencrypted passwords, perhaps this could be an option because most users would not want this. I will have to consider what options we have for that.
-Ian
I'm not completely opposed to it but why would you want unencrypted passwords?
Also, regarding the email, you DO NOT email passwords - ever. Not even as an option. I've got no problem with a 'welcome' email with the username and URL but if you want to email the password, I'd rather you do it manually. One of the goals of Cacti is to make it feasible for larger organizations to consider using the system. I know several security people at various companies who would not endorse any system that even made it easy to email passwords, let alone did it by default. As you can tell, I'm completely against it.
My two bits.
Rob.
Sending password via email
Hi rob.
The point is the force change password feature. You email the password, and when the user logs in it will change.... It's not a big deal, I mean it's only graphs here via web interface... So I don't understand the paranoia. I have clients in the thousands, and I want to use an easy interface like Cacti. So this helps a lot in the user management fields. Also the unencrypted password is mainly for management functions that allow an operator to view the users' passwords if they forget or are having problems logging in.
Best regards
Karl Heidar
"So I don't understand the paranoia." - Ask your company's security team. If you don't have one, ask somebody else's. A little paranoia is healthy; a lot is, well, paranoid.
If you send a one-time password to a customer and he's on vacation for a month, you give a potential hacker a one-month window during which he can use the password and change it to whatever he wants. The real user comes back, complains, gets emailed a new password, and the hacker just picks it up again.
This is an old debate. I've been converted by security folks who have shown me just how easy it really is to compromise poorly protected systems. If somebody gets a valid password, maybe they'll also know about a bug in Cacti or some other web-based service running on that box. Before you know it the box is owned. Do you care? Maybe it's just a web server in front of the firewall. Even if that's the case, it's a pain to nuke and pave a production server - especially if you want to do it without customer-affecting downtime. This is a worst-case scenario, I agree, but is it really worth the risk?
Why does an Op need to see the passwords? If a user has password trouble, they call. If they're on the phone, the Op resets the password to something else and tells the user, "This is your new password."
My feeling (and Ian and I have *not* discussed it so I have no idea what he thinks or what "official" Cacti policy will end up being) is that if you want that kind of insecurity, you're welcome to hack it into your own copy of Cacti but I don't want to build that in and make it easy for Cacti to be a possible security risk.
My two bits.
Rob.
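An added example (not Cacti's code, and not anything either poster wrote) of the mitigation Rob's objection points to: rather than mailing a password that stays valid until someone uses it, mail a random single-use token that expires after a short window and is stored only as a hash. The in-memory store, the 15-minute TTL and the function names are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for this example; a real deployment would use
# the application's database. Keyed by the SHA-256 of the token, so a copy of
# the store does not yield usable tokens.
_pending = {}

TOKEN_TTL_SECONDS = 15 * 60  # a short window instead of an open-ended one


def issue_reset_token(username, now=None):
    """Create a single-use, time-limited reset token for `username`.

    Only the raw token goes to the user (e.g. as a link in a welcome e-mail);
    the store keeps just its hash and an expiry timestamp.
    """
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    _pending[digest] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return raw


def redeem_reset_token(raw, now=None):
    """Return the username if `raw` is valid, otherwise None.

    The record is removed on the first lookup whether it succeeds or has
    expired, so a token found weeks later in a mailbox cannot be replayed.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(raw.encode()).hexdigest()
    rec = _pending.pop(digest, None)
    if rec is None:
        return None  # unknown or already used
    if now > rec["expires"]:
        return None  # issued too long ago; the user must request a new one
    return rec["user"]
```

The caller would then force a password change on the page the token unlocks, which is the "force change password" flow without the mailed credential ever being a reusable password.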
who cares
Like someone said before, this is only statistical data being graphed here. If you have set up your community correctly in SNMP and you have configured the user that Cacti executes scripts under, then you should be fine.
BTW, Cacti doesn't use HTTPS, so communication to and from the website is in the clear. If you are paranoid about security, then that is a much bigger problem than emailing a one-time-use password.
-ec
Statistical data can be quite sensitive data sometimes...
Even if the data is not sensitive: you have several customers using the system, and one of them decides he wants to look at some other customer's graphs. He gets ahold of a password and logs in on another customer's account. How do you explain this to that customer? "It's only graphs so we don't care about security"? I bet that meeting would take a wild turn.
As for HTTPS, it isn't a feature of Cacti but rather the webserver, so I don't think you could say that it's a security problem in Cacti, but it's good to point it out since I guess not everyone knows this.
/Christian