auth issues
https://git.autistici.org/id/auth/-/issues
Feed updated: 2022-02-05T15:41:23Z

Issue #16: Provide defaults for webauthn configuration
https://git.autistici.org/id/auth/-/issues/16
Updated: 2022-02-05T15:41:23Z
Author: ale

Right now if you start the server out of the Debian package it'll fail:

> Configuration error: Missing RPDisplayName

(or RPID, etc.). It would be better to give some defaults to the webauthn parameters, which might not result in correct WebAuthN operation, but at least would allow the daemon to start.

Issue #14: Export authentication method in logs and metrics
https://git.autistici.org/id/auth/-/issues/14
Updated: 2021-12-06T14:35:50Z
Author: ale

Method is one of "password", "otp", "webauthn" etc. etc.

Issue #12: WebAuthN support
https://git.autistici.org/id/auth/-/issues/12
Updated: 2021-12-06T19:57:53Z
Author: ale

The current U2F implementation will eventually become obsolete; we need to support WebAuthN/FIDO/etc. Unfortunately this requires finding another library to deal with the primitives other than github.com/tstranex/u2f, and it will have to support **both** U2F and WebAuthN.

This issue tracks implementation across all the components of the stack:

* [x] ai3/go-common for the U2FRegistration type (ai3/go-common!32)
* [x] id/auth for the server-side login workflow (id/auth!34)
* [x] id/sso-server for the client-side login workflow (id/sso-server!8)
* [x] ai3/pannello for the registration workflow (ai3/pannello!51)
* [x] ai3/accountserver (ai3/accountserver!42)

Issue #11: Incompatibility with pamu2fcfg output
https://git.autistici.org/id/auth/-/issues/11
Updated: 2021-12-06T13:55:45Z
Author: ale

The latest versions of pamu2fcfg (surely version 1.1.0) not only produce base64-encoded output, but the public_key field is now 64 bytes instead of 65.

Issue #10: acmeserver force cert regeneration at runtime
https://git.autistici.org/id/auth/-/issues/10
Updated: 2019-06-09T15:36:50Z
Author: godog

While acmeserver is running, it'd be nice to have a way to force trying to renew a certificate.

Issue #9: TCP socket support
https://git.autistici.org/id/auth/-/issues/9
Updated: 2021-01-14T15:18:19Z
Author: ale

Using UNIX sockets solves nicely the access control issue, but it limits the deployment strategies (can't do remote fallback, for one), and it is mostly useless in a container context (it will lead to deploying the auth-server as a *sidecar*).

It would be nice to offer TCP support (with TLS for client authentication). This would be easy on the server side, whether we let systemd manage the socket or run standalone, but most of the work would be on the client side (so mostly the C PAM module), requiring target selection and some sort of load balancing strategy: there isn't much point in supporting TCP connections unless we also support multiple targets and fallbacks.

Issue #7: Improve storage of U2F registrations
https://git.autistici.org/id/auth/-/issues/7
Updated: 2019-03-21T22:49:00Z
Author: ale

If I understand correctly how this works:

* we currently store the entire serialized U2F registration in the database; this includes the key handle, the public key, and the attestation certificate
* the attestation cert is only used at registration time, but not for validation, so we may not need to store it
* unfortunately the Go library we use to manipulate registrations can only deserialize the full U2F registration (via its Unmarshal method)

What we could do to improve the situation:

* [x] define our own format for storing U2F registrations in the database with just key handle and public key (as we did for app-specific passwords)
* [x] write our own code (likely in ai3/go-common) to deserialize it into a u2f.Registration
* [x] ensure the Python code for U2F registration in ai3/pannello is updated too

Issue #6: Modular configuration
https://git.autistici.org/id/auth/-/issues/6
Updated: 2019-02-09T07:19:50Z
Author: ale

The configuration subsystem should be redesigned to let the configuration be split into multiple files. This would allow drop-in configuration of backends and services: Ansible roles can simply drop in their service config into the right place.

Issue #5: Implement last login logging
https://git.autistici.org/id/auth/-/issues/5
Updated: 2019-02-10T10:50:29Z
Author: ale
Assignee: shammash

It would be nice to have a fast mechanism to store last login timestamps, either writing them directly to the database or going through some proxying service (to reduce write load on the db, last login timestamps only need to be eventually consistent).

Issue #4: Add replay protection to TOTP tokens
https://git.autistici.org/id/auth/-/issues/4
Updated: 2018-10-19T18:24:35Z
Author: ale

Required for a serious otp implementation.

Issue #3: Implement device info database and anomaly detection
https://git.autistici.org/id/auth/-/issues/3
Updated: 2019-02-09T07:21:50Z
Author: ale

We need to store the most recently seen DeviceInfo objects for every user, and implement anomaly detection behavior based on that. The result will be an out-of-band (email?) warning when a user connects from a new (unknown) device.

Issue #2: Implement U2F Challenge store
https://git.autistici.org/id/auth/-/issues/2
Updated: 2018-09-26T20:00:36Z
Author: ale

The U2F challenge store should be a short-term in-memory cache of U2F challenge objects (indexed by username); something like a replicated memcache should do it.

Issue #1: Ratelimiting
https://git.autistici.org/id/auth/-/issues/1
Updated: 2018-01-22T13:14:17Z
Author: ale

Implement rate-limiting and blacklisting of clients.