Feature: Case Insensitive Login Username #484
Comments
Hey, that is done by design, inspired by *nix systems, where every object (users, directories, etc.) is case sensitive, which indeed improves security. I think that logins from LDAP could be managed in a case-insensitive way, so it wouldn't generate new DB users. You should not be worried about the encryption, because the same master key is used by every user. More info at: https://doc.syspass.org/en/application/encryption.html Regards
Understood. Not a major issue, I was just surprised when it asked for the master password when I had just logged in 5 mins before.
* [FIX] Fixes #484. LDAP logins will be case-insensitive. Thanks to @basil-twisleton
I still get 'Your previous password is required'.
Right, because the encrypted master key is generated using the username, password and a hash, so if the username case mismatches, it would require the master key because it won't be able to decrypt it with the provided credentials. You may be asking yourself why not always use the same case, and the answer is, because it would generate low-complexity encryption keys, so it's advisable to deal with case-sensitive usernames... Be aware that the encrypted master key is as secure as the key used for encryption; although the encryption library uses an intermediate key, it's protected by some user data as explained above, so this data needs to be as complex as you can make it.
OK, I understand that, I was just confused as it was labeled as 'Fixed' but still prompts for previous/master passwords. Does that mean that case-insensitivity will not be supported?
It's supported indeed, because it lets you log in with mixed-case usernames, BUT the master key would need to be re-entered because of what's explained above.
When sysPass checks the master key decryption, it throws an error if it does not match. It could say "please give me the master key", but it's quite polite and says "please give me your previous password", because it will first try to decrypt using the user's most recent password besides the current one. This is the piece of code that was triggered when decryption failed:
Regarding the case insensitivity, it really works, but since the username is used for encrypting the master key, it will require the master key because it's unable to decrypt with the provided data. The fact that it works is that it does not say "Wrong login" and asks for the master key instead. Hope I have explained it well :)
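To make the mechanism the maintainer describes in the two comments above concrete, here is an added Python model of it. It is not sysPass's code (sysPass is written in PHP, and its real scheme is documented at the encryption page linked earlier); the KDF (PBKDF2-HMAC-SHA256 over username and password), the HMAC-based encrypt-then-MAC wrapper standing in for the real cipher, the constructed salt, and every function name are assumptions made for the example. It shows why a username that differs only in case fails to unwrap the master key, and models the "try the previous password first, then ask for the master key" fallback.

```python
"""Added illustration: a per-user wrapped master key whose wrapping key is
bound to the username. Hypothetical model, not sysPass's implementation."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 50_000  # assumption; real deployments tune this


def derive_wrapping_key(username: str, password: str, salt: bytes) -> bytes:
    """Derive 64 bytes of key material from username + password + salt.

    Because the username is part of the input, "user.account" and
    "User.account" produce unrelated keys (assumed construction).
    """
    material = username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_master_key(master_key: bytes, username: str, password: str, salt: bytes) -> bytes:
    """Encrypt-then-MAC the shared master key under the user-bound wrapping key."""
    k = derive_wrapping_key(username, password, salt)
    enc_key, mac_key = k[:32], k[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(master_key, _keystream(enc_key, nonce, len(master_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_master_key(blob: bytes, username: str, password: str, salt: bytes):
    """Return the master key, or None when the credentials do not authenticate the blob."""
    k = derive_wrapping_key(username, password, salt)
    enc_key, mac_key = k[:32], k[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password OR username case mismatch: indistinguishable here
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def login(blob: bytes, username: str, password: str, previous_password, salt: bytes):
    """Model of the login flow described in the thread.

    1. Try the supplied credentials.
    2. If that fails, try the previous password (the "previous password is
       required" prompt).
    3. Otherwise the only recovery is the master key itself.
    Returns (status, master_key_or_None).
    """
    mk = unwrap_master_key(blob, username, password, salt)
    if mk is not None:
        return "ok", mk
    if previous_password is not None:
        mk = unwrap_master_key(blob, username, previous_password, salt)
        if mk is not None:
            # A real system would now re-wrap mk under the new password.
            return "rewrapped", mk
    return "need_master_key", None


if __name__ == "__main__":
    salt = b"constructed-salt-for-example"  # constructed sample input
    master_key = secrets.token_bytes(32)   # the key shared by every user
    blob = wrap_master_key(master_key, "user.account", "hunter2", salt)
    print(login(blob, "user.account", "hunter2", None, salt)[0])   # ok
    print(login(blob, "User.account", "hunter2", None, salt)[0])   # need_master_key
    print(login(blob, "user.account", "newpass", "hunter2", salt)[0])  # rewrapped
```

The second call is the situation in this issue: the phone capitalised the first letter, the derived wrapping key no longer matches, the MAC check fails, and the code cannot tell a mixed-case username from a wrong password; it can only fall back to the previous password and then to the master key, which is why the prompt reads the way it does.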
Yeah, I understand how it is implemented, and as a software developer I also understand that it technically is working as no error is generated. However, I guess in this instance, as a user, my definition of 'working' is different.... It may actually be better to return 'Bad Login' as it is not clear, especially from my use case of accessing from a phone where it auto-capitalised the first letter.
Please don't misunderstand my words, I know it's a hassle from the user's point of view because it will require entering the master key again... I would like to make it seamless, but in order to improve the security, transforming the username to upper or lower case would be more insecure. I will think about how to display friendlier messages for better understanding. Kind regards.
Yeah, I understand that, but the purpose of the master key is to be secret and secure. As I said, clearer messages would probably solve this nicely.
Right, I'm working on better messages and a seamless user login to avoid that behaviour. You could use a temporary master key instead (right, it's a hassle, but it would solve some issues).
Hey,
In version 2.1 it appears that usernames are case sensitive. Is this by design?
I have an LDAP-linked user account and logged in the first time with user.account.
When logging in with User.account it prompts for the Previous/Master password.
From what I understand, LDAP is case-aware but not case-sensitive, so both variations should work.
Would this create a new account, or re-encrypt the passwords using the new account name with case sensitivity?
Thanks,
Basil