[Mailman-Developers] Hashing member passwords in config.pck

Jared Mauch jared at puck.nether.net
Thu Feb 10 20:42:54 CET 2005


	(sorry for the top posting..)

	I actually use the (yes, call me a fool) passwords of some private
lists as a unified authentication system, so the passwords are used
to gain access to other 'authorized' content for list members.

	Of course there are issues with them being sent out in plaintext
monthly, but it does help provide unified access control to
a private list.

	Ideally I'd like some hooks such that people could register
their pgp/gpg keys and those messages could be encrypted, but
I've not had time to investigate such hooks.

On Thu, Feb 10, 2005 at 01:41:09PM -0500, Bob Puff at NLE wrote:
> Private mailing list archives.  Needed for that.
> 
> Adrian Bye wrote:
> 
> >Why even bother with passwords?  They're good to include in the 
> >unsubscribe URL,
> >so that if someone maliciously gets your list, they can't unsubscribe 
> >everyone
> >manually.  But mainstream commercial autoresponders have no passwords, and 
> >they
> >work great.

	Yes, but they tend to not host closed lists.  They want people
to join their lists and increase the marketing footprint.

	If it were a per-list setting, that would be great, combined
with a mailman <-> gpg interface to load in trusted user pgp keys
or to access a local keyserver..

	This way the technical users can still have their cake and
the "just host my list" people get theirs as well.

	- jared

> >Sure, it _is_ possible that someone could cause problems, which a password
> >prevents. But in practice this rarely happens.  We're not talking the 
> >80/20 rule
> >- we're talking the 99.99/0.01 rule.
> >
> >Your average user is over burdened with passwords, and most mailing lists 
> >are
> >pretty low involvement - users don't want to have to remember another 
> >password
> >just for a mailing list.
> >
> >I've actually had some changes to my mailman install made so that users can
> >unsubscribe without a password - I'll share the code next week so you can 
> >take a
> >look at it.  We also shorted the unsubscribe URLs so it was below 60 chars,
> >ensuring that it would work more reliably and not get broken on some mail
> >clients.
> >
> >Getting rid of passwords would open up mailman to usage to a much wider 
> >range of
> >users, which should mean more development resources and interest.
> >
> >
> >>-----Original Message-----
> >>From: Bob Puff at NLE [mailto:bob at nleaudio.com] 
> >>Sent: Thursday, February 10, 2005 2:30 PM
> >>To: Barry Warsaw
> >>Cc: mailman-developers at python.org
> >>Subject: Re: [Mailman-Developers] Hashing member passwords in 
> >>config.pck
> >>
> >>I've -always- disabled the monthly reminders, so that would 
> >>be no great loss.
> >>
> >>If we convert to one-way passwords, could the upgrade script 
> >>convert the current passwords?  It would be a -big- deal if 
> >>everyone had to reset their passwords.
> >>
> >>Bob
> >>
> >>Barry Warsaw wrote:
> >>
> >>
> >>>I think CAN-2005-0202 gives us the opportunity to finally implement 
> >>>what we have long considered an embarrassing exposure in Mailman's 
> >>>config.pck databases.  Member passwords are kept in this database 
> >>>in the clear.
> >>>
> >>>The obvious fix is to hash member passwords and keep only the hash in 
> >>>the database.
> >>>
> >>>We haven't changed this before now for two reasons:
> >>>
> >>>1. We would have to regenerate all member passwords, which is an 
> >>>administrative burden.  We might also need to implement checks to see 
> >>>if the passwords were cleartext or hashed and do the password 
> >>>comparison accordingly.
> >>>
> >>>2. This breaks all password reminders.
> >>>
> >>>To fully address CAN-2005-0202 we're recommending sites regenerate 
> >>>their member passwords anyway, so this gives us an opening to fix this 
> >>>properly.  And we have a better internal password generator now too.
> >>>
> >>>As for #2, well, I think most people hate those password reminders 
> >>>anyway, and we've decided that they are going away for MM3.  I don't 
> >>>think many people would shed too many tears if we killed off monthly 
> >>>password reminders for 2.1.6.  Doing that would also eliminate the 
> >>>requirement for the site list, since its primary purpose is to 
> >>>function as the sender of the reminder messages.
> >>>
> >>>To do this for 2.1.6, we'd have to change the "Email My Password To Me"
> >>>feature in the options page and in the member login page.  These would 
> >>>have to become a "create a new password for me" feature.  Also, 
> >>>crontab.in should not call mailpasswds anymore, or that script should 
> >>>turn into a simple "here's the lists you are on" reminder, without the 
> >>>password information in it.  This will require i18n updates too.
> >>>
> >>>The downside to doing this now is that it's more coding work for 2.1.6 
> >>>and I'd like to get the new version out asap.  Still, this seems like 
> >>>an opportunity that we shouldn't lightly dismiss.
> >>>
> >>>What do you all think?  Is anybody willing to take a crack at a patch 
> >>>for this?
> >>>
> >>>-Barry
> >>>
> >>>
> >>>
> >>>
> >>
> >>----------------------------------------------------------------------
> >>
> >>>--
> >>>
> >>>_______________________________________________
> >>>Mailman-Developers mailing list
> >>>Mailman-Developers at python.org
> >>>http://mail.python.org/mailman/listinfo/mailman-developers
> >>>Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
> >>>Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> >>>Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/bob%40nleaudio.com

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
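Barry's point 1 above (the store may hold a mix of cleartext and hashed entries during the transition, so the comparison has to detect which form it is looking at) is easy to get wrong. The following is an added example, not Mailman's code and not part of this thread: it keeps only a salted PBKDF2 string for hashed entries, recognizes a legacy cleartext entry by the absence of that format's prefix, verifies with a constant-time comparison either way, and rehashes a cleartext entry the first time its owner logs in successfully. The storage format, the PBKDF2 parameters and the in-memory member table are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed storage format for hashed entries (not Mailman's own):
#   "pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>"
# A legacy cleartext entry has no such prefix.
HASH_PREFIX = "pbkdf2-sha256"
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the string to store in place of a cleartext password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([HASH_PREFIX, str(iterations), salt.hex(), digest.hex()])


def is_hashed(stored):
    """Transitional check: is this entry already hashed, or still cleartext?

    A cleartext password that happens to start with the prefix would be
    misread; once every entry has been migrated the ambiguity disappears,
    and a per-entry flag would be the stricter alternative.
    """
    return stored.startswith(HASH_PREFIX + "$") and stored.count("$") == 3


def check_password(stored, candidate):
    """Compare a candidate against a stored entry of either form."""
    if is_hashed(stored):
        _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode("utf-8"),
            bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    # Legacy cleartext entry: still compare in constant time.
    return hmac.compare_digest(stored.encode("utf-8"),
                               candidate.encode("utf-8"))


def authenticate(members, address, candidate):
    """Verify a login and upgrade a cleartext entry on first success.

    `members` stands in for the per-list password table (assumption).
    """
    stored = members.get(address)
    if stored is None or not check_password(stored, candidate):
        return False
    if not is_hashed(stored):
        members[address] = hash_password(candidate)
    return True


def count_cleartext(members):
    """How many entries still need migrating (useful for an upgrade report)."""
    return sum(1 for value in members.values() if not is_hashed(value))


if __name__ == "__main__":
    # Constructed sample table: one legacy entry, one already hashed.
    members = {
        "alice@example.com": "legacy-cleartext",
        "bob@example.com": hash_password("hunter2"),
    }
    print("cleartext entries before:", count_cleartext(members))
    print("alice login:", authenticate(members, "alice@example.com",
                                       "legacy-cleartext"))
    print("cleartext entries after:", count_cleartext(members))
    print("bob wrong password:", authenticate(members, "bob@example.com", "x"))
```

The upgrade-on-login path means a site that cannot regenerate every password at once still ends up with only hashes for active members, while `count_cleartext` shows how many dormant entries remain to be regenerated by hand.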

