auth issues
https://git.autistici.org/id/auth/-/issues
Updated: 2023-06-07T09:51:57Z

Issue 19: Record last login data for individual credentials
https://git.autistici.org/id/auth/-/issues/19
Updated: 2023-06-07T09:51:57Z
Author: ale

It's useful for users to see last login information for each secondary credential separately (e.g. ASPs, hardware tokens, etc). This requires introducing some sort of credential identity descriptor structure, and passing that to user-meta-server for logging.

Issue 18: Replace built-in ratelimit code with golang.org/x/time/rate
https://git.autistici.org/id/auth/-/issues/18
Updated: 2022-04-04T14:57:05Z
Author: ale

It does support reservations, a.k.a. conditional increment, which is required to implement "login failed" rate limiting.

Issue 17: Late initialization for the sql backend
https://git.autistici.org/id/auth/-/issues/17
Updated: 2022-03-09T10:39:12Z
Author: ale

The *sql* backend tries to open a connection to the database at initialization time, so if the db is unavailable the process will immediately exit. This might not be desirable when there are multiple backends, and it is in fact not how the *ldap* backend (which does a connection per request, so implicitly implements delayed init) works.

Issue 16: Provide defaults for webauthn configuration
https://git.autistici.org/id/auth/-/issues/16
Updated: 2022-02-05T15:41:23Z
Author: ale

Right now if you start the server out of the Debian package it'll fail:

> Configuration error: Missing RPDisplayName

(or RPID, etc.). It would be better to give some defaults to the webauthn parameters, which might not result in correct WebAuthN operation, but at least would allow the daemon to start.

Issue 15: Per-backend group membership overrides create too many identical group memberships
https://git.autistici.org/id/auth/-/issues/15
Updated: 2021-12-06T21:23:46Z
Author: ale

As seen in, e.g.:

> authentication request: user=admin,password,webauthn,device=e771b -> status=ok,groups=[admins,admins,admins,admins]

Issue 14: Export authentication method in logs and metrics
https://git.autistici.org/id/auth/-/issues/14
Updated: 2021-12-06T14:35:50Z
Author: ale

Method is one of "password", "otp", "webauthn" etc. etc.

Issue 13: Dependency Dashboard
https://git.autistici.org/id/auth/-/issues/13
Updated: 2024-03-26T15:33:11Z
Author: renovate

This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.

## Repository problems
Renovate tried to run on this repository, but found these problems.
- WARN: Package lookup failures
---
> ⚠ **Warning**
>
> Renovate failed to look up the following dependencies: `Could not determine new digest for update (go package github.com/patrickmn/go-cache)`.
>
> Files affected: `go.mod`
---
## Open
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- [ ] <!-- rebase-branch=renovate/github.com-bradfitz-gomemcache-digest -->[Update github.com/bradfitz/gomemcache digest to 24af94b](!113)
- [ ] <!-- rebase-branch=renovate/github.com-duo-labs-webauthn-digest -->[Update github.com/duo-labs/webauthn digest to ebaf9b7](!108)
- [ ] <!-- rebase-branch=renovate/github.com-go-ldap-ldap-v3-3.x -->[Update module github.com/go-ldap/ldap/v3 to v3.4.6](!112)
- [ ] <!-- rebase-branch=renovate/github.com-mattn-go-sqlite3-1.x -->[Update module github.com/mattn/go-sqlite3 to v1.14.22](!111)
- [ ] <!-- rebase-branch=renovate/github.com-cenkalti-backoff-v4-4.x -->[Update module github.com/cenkalti/backoff/v4 to v4.3.0](!100)
- [ ] <!-- rebase-branch=renovate/github.com-go-sql-driver-mysql-1.x -->[Update module github.com/go-sql-driver/mysql to v1.8.1](!119)
- [ ] <!-- rebase-branch=renovate/github.com-google-go-cmp-0.x -->[Update module github.com/google/go-cmp to v0.6.0](!118)
- [ ] <!-- rebase-branch=renovate/github.com-prometheus-client_golang-1.x -->[Update module github.com/prometheus/client_golang to v1.19.0](!64)
- [ ] <!-- rebase-branch=renovate/golang.org-x-sync-0.x -->[Update module golang.org/x/sync to v0.6.0](!117)
- [ ] <!-- rebase-branch=renovate/opentelemetry-go-monorepo -->[Update opentelemetry-go monorepo to v1.24.0](!95) (`go.opentelemetry.io/otel`, `go.opentelemetry.io/otel/trace`)
- [ ] <!-- rebase-all-open-prs -->**Click on this checkbox to rebase all open MRs at once**
## Detected dependencies
<details><summary>gomod</summary>
<blockquote>
<details><summary>go.mod</summary>
- `go 1.14`
- `git.autistici.org/ai3/go-common v0.0.0-20230816213645-b3aa3fb514d6@b3aa3fb514d6`
- `git.autistici.org/id/usermetadb v0.0.0-20230817075814-ec109f54aa90@ec109f54aa90`
- `github.com/bradfitz/gomemcache v0.0.0-20230124162541-5f7a7d875746@5f7a7d875746`
- `github.com/cenkalti/backoff/v4 v4.1.3`
- `github.com/coreos/go-systemd/v22 v22.5.0`
- `github.com/duo-labs/webauthn v0.0.0-20220330035159-03696f3d4499@03696f3d4499`
- `github.com/go-ldap/ldap/v3 v3.4.4`
- `github.com/go-sql-driver/mysql v1.7.1`
- `github.com/google/go-cmp v0.5.9`
- `github.com/lib/pq v1.10.9`
- `github.com/mattn/go-sqlite3 v1.14.16`
- `github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627@5633e0862627`
- `github.com/pquerna/otp v1.4.0`
- `github.com/prometheus/client_golang v1.12.2`
- `github.com/theckman/go-flock v0.8.1`
- `go.opentelemetry.io/otel v1.10.0`
- `go.opentelemetry.io/otel/trace v1.10.0`
- `golang.org/x/sync v0.3.0`
- `gopkg.in/yaml.v3 v3.0.1`
</details>
</blockquote>
</details>

Issue 12: WebAuthN support
https://git.autistici.org/id/auth/-/issues/12
Updated: 2021-12-06T19:57:53Z
Author: ale

The current U2F implementation will eventually become obsolete; we need to support WebAuthN/FIDO/etc. Unfortunately this requires finding another library to deal with the primitives other than github.com/tstranex/u2f, and it will have to support **both** U2F and WebAuthN.

This issue tracks implementation across all the components of the stack:
* [x] ai3/go-common for the U2FRegistration type (ai3/go-common!32)
* [x] id/auth for the server-side login workflow (id/auth!34)
* [x] id/sso-server for the client-side login workflow (id/sso-server!8)
* [x] ai3/pannello for the registration workflow (ai3/pannello!51)
* [x] ai3/accountserver (ai3/accountserver!42)

Issue 11: Incompatibility with pamu2fcfg output
https://git.autistici.org/id/auth/-/issues/11
Updated: 2021-12-06T13:55:45Z
Author: ale

The latest versions of pamu2fcfg (surely version 1.1.0) not only produce base64-encoded output, but the public_key field is now 64 bytes instead of 65.

Issue 10: acmeserver force cert regeneration at runtime
https://git.autistici.org/id/auth/-/issues/10
Updated: 2019-06-09T15:36:50Z
Author: godoga

While acmeserver is running it'd be nice to have a way to force trying to renew a certificate.

Issue 9: TCP socket support
https://git.autistici.org/id/auth/-/issues/9
Updated: 2021-01-14T15:18:19Z
Author: ale

Using UNIX sockets solves nicely the access control issue, but it limits the deployment strategies (can't do remote fallback, for one), and it is mostly useless in a container context (it will lead to deploying the auth-server as a *sidecar*).

It would be nice to offer TCP support (with TLS for client authentication). This would be easy on the server side, whether we let systemd manage the socket or run standalone, but most of the work would be on the client side (so mostly the C PAM module), requiring target selection and some sort of load balancing strategy: there isn't much point in supporting TCP connections unless we also support multiple targets and fallbacks.

Issue 8: Replace the socket protocol with something better
https://git.autistici.org/id/auth/-/issues/8
Updated: 2019-04-03T05:01:45Z
Author: ale

The custom on-the-wire protocol used by the auth-server is silly; it would probably be best to switch to something more standard.

The reason for the current choice comes from the necessity to have a simple and lightweight C implementation (for the PAM module), but there are self-contained simple libraries for things like JSON that would make it possible to use standard formats. Furthermore, if we are to add TCP support (presumably requiring SSL), we're going to end up writing a lot of code that would be best handled by a third-party library.

HTTP is very verbose for this purpose, and fits badly with UNIX socket connections, so it makes sense to stick with the line-based protocol.

Issue 7: Improve storage of U2F registrations
https://git.autistici.org/id/auth/-/issues/7
Updated: 2019-03-21T22:49:00Z
Author: ale

If I understand correctly how this works:
* we currently store the entire serialized U2F registration in the database, this includes the key handle, the public key, and the attestation certificate
* the attestation cert is only used at registration time, but not for validation, so we may not need to store it
* unfortunately the Go library we use to manipulate registrations can only deserialize the full U2F registration (via its Unmarshal method)
What we could do to improve the situation:
* [x] define our own format for storing U2F registrations in the database with just key handle and public key (as we did for app-specific passwords)
* [x] write our own code (likely in ai3/go-common) to deserialize it into a u2f.Registration
* [x] ensure the Python code for U2F registration in ai3/pannello is updated too

Issue 6: Modular configuration
https://git.autistici.org/id/auth/-/issues/6
Updated: 2019-02-09T07:19:50Z
Author: ale

The configuration subsystem should be redesigned to let the configuration be split into multiple files. This would allow drop-in configuration of backends and services: Ansible roles can simply drop in their service config into the right place.

Issue 5: Implement last login logging
https://git.autistici.org/id/auth/-/issues/5
Updated: 2019-02-10T10:50:29Z
Author: ale
Assignee: shammash

It would be nice to have a fast mechanism to store last login timestamps, either writing them directly to the database or going through some proxying service (to reduce write load on the db, last login timestamps only need to be eventually consistent).

Issue 4: Add replay protection to TOTP tokens
https://git.autistici.org/id/auth/-/issues/4
Updated: 2018-10-19T18:24:35Z
Author: ale

Required for a serious otp implementation.

Issue 3: Implement device info database and anomaly detection
https://git.autistici.org/id/auth/-/issues/3
Updated: 2019-02-09T07:21:50Z
Author: ale

We need to store the most recently seen DeviceInfo objects for every user, and implement anomaly detection behavior based on that. The result will be an out-of-band (email?) warning when a user connects from a new (unknown) device.

Issue 2: Implement U2F Challenge store
https://git.autistici.org/id/auth/-/issues/2
Updated: 2018-09-26T20:00:36Z
Author: ale

The U2F challenge store should be a short-term in-memory cache of U2F challenge objects (indexed by username); something like a replicated memcache should do it.

Issue 1: Ratelimiting
https://git.autistici.org/id/auth/-/issues/1
Updated: 2018-01-22T13:14:17Z
Author: ale

Implement rate-limiting and blacklisting of clients.