[pmwiki-users] questions about user authentication

Patrick R. Michaud pmichaud at pobox.com
Wed Apr 13 08:47:45 CDT 2005


On Wed, Apr 13, 2005 at 02:15:47PM +0200, Joachim Durchholz wrote:
> >Q2: What sorts of features are needed for users who have forgotten
> >their passwords?
> 
> A "mail-me-a-new-password" feature.
> (Don't mail existing passwords. Some users have a single password for 
> everything, from POP retrieval to on-line banking. That's also the 
> reason why passwords shouldn't be stored in the clear.)

PmWiki has never stored any of its passwords in the clear.
The feature will likely be "mail me a link that lets me set a new
password for a short period of time".

> >Q3: Is there anyone who has an immediate need/use for authenticating
> >via an LDAP or Active Directory Server?  (If so, is there an LDAP or
> >AD server somewhere that I could test against?)
> 
> Not me.
> I already mentioned I'd like to use PAM :-)

Do you want to use PAM in the sense of authorizing against the
user accounts already on the system (which PAM supports) or 
some arbitrary database of passwords (which PAM doesn't support)?

If the former, that's very easy for me to add -- I'll probably code
it up today.

> An HTTP interface to any of these authorisation mechanisms would be 
> helpful, but I'd first turn to webmin instead of PmWiki. It would be a 
> waste not to take advantage of their accumulated server management and 
> security expertise :-)

Yeah, the webmin-based solution ends up being the same as the PAM
one.  I'll code it up.  One downside of this approach is that
(currently) passwords would often be sent across the wires in 
cleartext, which is bad for passwords that are also system logins.  
We'd have to add a mechanism to allow PmWiki's passwords to be sent 
via a secure connection, which PmWiki doesn't currently have but 
can probably be added w/o too much trouble.

Pm
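
The "mail me a link that lets me set a new password for a short period of time" design from this message, as an added example (not PmWiki code and not from the original post). The class name, the 15-minute lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the post only says "a short period"


class ResetTokens:
    """Pending password resets: username -> (sha256(token), expires_at)."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._pending = {}   # hypothetical in-memory store; a real site persists this
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, username):
        """Return a token to embed in the mailed link; only its hash is stored,
        so a leaked store does not yield usable reset links."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Issuing again overwrites the entry, so an older mailed link stops working.
        self._pending[username] = (self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, username, token):
        """Return True exactly once for a valid, unexpired token, else False.
        The caller sets the new password only when this returns True."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[username]  # expired: drop the stale entry
            return False
        try:
            candidate = self._digest(token)
        except UnicodeEncodeError:       # non-ASCII input can never be a valid token
            return False
        if not hmac.compare_digest(candidate, token_hash):  # constant-time compare
            return False
        del self._pending[username]      # single use: the link dies once redeemed
        return True
```

The existing password is never read or mailed at any point, which is the property asked for in the quoted reply.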