Though we have the acl genpass [bits] command to aid in the generation of strong passwords, it would be useful for a security administrator to create a login with only an initial password; at the next login, the requisite team member would be forced to change it.

This will ensure that security administrators aren't aware of any passwords they need not know, for better separation of duties.

Thank you.
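
The workflow the request describes, expressed with the ACL SETUSER rules Redis already has, as an added example that is not part of the original issue or of Redis itself. The admin creates the user with a GENPASS-style one-time password (`>initial`); on first login the team member adds a password only they know and removes the initial one in a single command (`>new <initial`). The `FakeAcl` class is a constructed in-memory stand-in for the server so the example runs offline; the strings it receives are the real command syntax one would send with redis-cli or a client library. `genpass` is a client-side stand-in for ACL GENPASS (hex output of bits/4 characters; assumed here for bit counts that are multiples of 8).

```python
import secrets
import shlex
from typing import Dict, List, Set


class FakeAcl:
    """Minimal in-memory stand-in for the Redis ACL password rules.
    Constructed for this example, not Redis code. It models only the
    ACL SETUSER rules used below: 'on', '>pw' (add password),
    '<pw' (remove password), plus an AUTH check."""

    def __init__(self) -> None:
        self.users: Dict[str, Set[str]] = {}
        self.enabled: Set[str] = set()
        self.sent: List[str] = []  # every command string "sent" to the server

    def execute(self, cmd: str) -> str:
        self.sent.append(cmd)
        parts = shlex.split(cmd)
        if parts[:2] != ["ACL", "SETUSER"] or len(parts) < 4:
            raise ValueError("stub only understands ACL SETUSER <user> rules...")
        name = parts[2]
        passwords = self.users.setdefault(name, set())
        for rule in parts[3:]:
            if rule == "on":
                self.enabled.add(name)
            elif rule.startswith(">"):
                passwords.add(rule[1:])      # add a plaintext password
            elif rule.startswith("<"):
                passwords.discard(rule[1:])  # remove a plaintext password
            else:
                raise ValueError(f"rule not modelled by this stub: {rule}")
        return "OK"

    def auth(self, name: str, password: str) -> bool:
        """AUTH <name> <password>: any of the user's passwords is accepted."""
        return name in self.enabled and password in self.users.get(name, set())


def genpass(bits: int = 256) -> str:
    """Client-side equivalent of ACL GENPASS [bits]: random hex, bits/4 chars."""
    return secrets.token_hex(bits // 8)


def admin_bootstrap(server: FakeAcl, name: str, bits: int = 256) -> str:
    """Security admin creates the user with a one-time initial password.
    Returns the initial password, to be handed to the team member out of band."""
    initial = genpass(bits)
    server.execute(f"ACL SETUSER {name} on >{initial}")
    return initial


def user_first_login(server: FakeAcl, name: str, initial: str) -> str:
    """Team member authenticates with the initial password, then in one
    command adds a password only they know and removes the one the admin saw.
    Returns the new password; the admin never sees it."""
    if not server.auth(name, initial):
        raise PermissionError("initial password rejected")
    new = genpass()
    server.execute(f"ACL SETUSER {name} >{new} <{initial}")
    return new


if __name__ == "__main__":
    srv = FakeAcl()
    first = admin_bootstrap(srv, "app1")
    final = user_first_login(srv, "app1", first)
    print("commands sent:", *srv.sent, sep="\n  ")
    print("initial still valid:", srv.auth("app1", first))   # False
    print("new password valid:", srv.auth("app1", final))    # True
```

The catch a practitioner should weigh against this workaround: the rotation step needs the team member's own ACL to permit ACL SETUSER, which sits in the @admin category, and Redis has no rule that limits it to the caller's own user, so that permission lets them change any user's password. Nothing here enforces that the rotation happens, either; it is a client-side convention, which is exactly what the thread debates.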

Comment From: itamarhaber

Hi @nadirdbit

Thanks for taking the time and making this request. I feel this is somewhat outside the scope of Redis' security, given that users are applicative and the fact that a nefarious security admin can probably wreak havoc regardless of their knowledge of a user's password.

Comment From: yossigo

@itamarhaber I agree, requiring password change on next login is typical on systems that mainly serve user sessions.

Also, such a mechanism can be implemented as a module and does not need to be part of the Redis core.

Comment From: nadirdbit

Hi Itamar/Yossi/Team,

A security administrator should never know any user's "usable" password - clearly a separation of duties violation.

Since only failures are recorded in the ACL log, tracking IP addresses to ensure there is no misuse by other privileged users/superusers is also quite an effort.

If implemented as a separate module, that may require an additional install, which will be troublesome for Redis licensed users.

Thank you.

Nadir

Comment From: yossigo

Hi @nadirdbit, of course I agree with the first statement but my point is that in most cases user passwords in Redis resemble application secrets/tokens more than user passwords. They are generated/configured in Redis, set up in the application and not handled again until rotated.

I think our challenge here is to allow this kind of functionality to be more accessible as a module (i.e. not require complex additional installations, etc.).

Comment From: nadirdbit

Hi Yossi/Itamar/All,

I concur that it isn't too easy, but implementing this feature will prove immensely useful to the Redis community.

Thank you.

Nadir

Comment From: itamarhaber

While the motivation, security-wise, is clear, I think having applications (or client libraries) deal with a server request to change the password is far from trivial and definitely non-standard. The pattern suggested is very applicable to accounts used by humans, but less so for tokens imo.

I suggest we keep this issue open for a while to let the rest of the community opine.

Comment From: madolson

I strongly don't think we should do this.