On Wed, 20 Aug 2008, Alan Burlison wrote:

> I have put a new beta of the Auth application on
> http://auth.opensolaris.org/auth This contains the new registration and
> login pages which will in time replace the existing account management
> pages on opensolaris.org.
>
> I would like people to test the new version and provide feedback. At
> the moment I am primarily concerned with functionality and not
> appearance, the CSS will be changed before deployment to conform with
> the OSO L&F. I'm particularly interested to see if anyone can hack the
> site and/or find any security flaws - for example can you add a bogus
> SSH key to an account that you don't own - the 'admin' account would be
> a good choice for any attacks.
>
> Some notes
> ==========
>
> Security
> --------
>
> The site is currently running under HTTP, when it is deployed it will be
> running HTTPS, so eavesdropping on traffic between the browser and the
> app won't be possible.

Which lends credence to the "have fun but don't use real data" argument of
the Confirmation Emails details :)

> Confirmation emails
> -------------------
>
> At the moment, all emails are sent to auth-test at opensolaris.org
> (http://mail.opensolaris.org/pipermail/auth-test), for testing purposes.
> This means that you can enter a made-up email address, as long as it
> is correctly formatted. This also means that all token and confirmation
> emails are globally visible. When deployed this obviously won't be the
> case, so an attacker would have to eavesdrop to obtain a copy of the mails.
>
> Localization
> ------------
>
> The application is internationalised. The preferred language can either
> be specified via your browser preferences, or via the language option on
> the account edit screen, with the account setting taking preference. At
> present there are only translations for the test-only Esperanto and
> Australian English languages.
>
> What isn't there yet
> --------------------
>
> 1. Member collective editing
>
> The page which will allow you to select which collectives you wish to
> participate in is not yet implemented.
>
> 2. Sunid confirmation
>
> It is necessary to tie Sun employees' OpenSolaris.org accounts to their
> Sun identity, so we know that they don't have to sign an individual SCA.
> This isn't implemented yet, but when available it will prompt for a
> Sun employee number and the corresponding password. If these match, the
> password will be discarded and the Sun employee ID will be saved
> read-only in the OpenSolaris.org account.

Do you mean the LDAP password? Where will this verification occur? I don't
think we should have LDAP passwords outside of SWAN for any reason.

The sunID confirmation could instead be something that is internal that
feeds *out* to opensolaris.org (say, once a day).

Thanks,
Valerie

--
Valerie Fenwick, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025.