[Mailman-Developers] password handling in MM3

C Nulk CNulk at scu.edu
Mon Jul 12 19:05:03 CEST 2010


Ian Eiloart wrote:
>
> --On 9 July 2010 12:11:50 +0200 Anna Granudd <anna.granudd at gmail.com>
> wrote:
>
>> Hi,
>> when subscribing a user or creating a list in Mailman 3.0 we need to
>> implement the use of a password for security reasons. Later the same
>> password will be used for logging in to the settings pages. At the moment
>> passwords are not handled at all which is why I filed bug #600780 (see
>> [1]). However, we're not sure how to handle the passwords at the moment
>> and would like your help with ideas and possible ways to implement this,
>> which is why I want to start a discussion about the password handling/
>> login function. What do we need to think of and how should this best be
>> dealt with?
>
> Most importantly, passwords must be securely hashed, so that they can't be
> read by the site or list admins, or by third parties.
>
> That means that password resets must be offered to users, instead of
> password reminders.
>
> Also, for sites like mine, it would be nice to have more than one password
> store. For example, I'd like to have users with addresses in the
> sussex.ac.uk domain authenticated against my current LDAP db, but non-local
> users authenticate against some other db (perhaps a different branch of the
> LDAP tree, but perhaps something local).

Agreed, passwords must be securely hashed.  No one should be able to
reverse the hash to derive a password.  I too would also like to have
multiple authentication stores whether via LDAP or intrinsic to default
Mailman.  Likewise, I would also like to have multiple membership
stores, obviously the default intrinsic Mailman member store, but also
LDAP, database, etc.  Optimally, if both multiple password/member stores
are combined, when a member authenticates, the member is looked up in
the appropriate password/member store for validity whether it be LDAP, a
database, or Mailman intrinsic.  Likewise, a posting to a list should
send a message to members listed in all password/member stores
associated with the list.

Thanks,
Chris

>
>> Thanks,
>> Anna
>>
>>
>> [1] https://bugs.launchpad.net/mailman/+bug/600780
>> _______________________________________________
>> Mailman-Developers mailing list
>> Mailman-Developers at python.org
>> http://mail.python.org/mailman/listinfo/mailman-developers
>> Mailman FAQ: http://wiki.list.org/x/AgA3
>> Searchable Archives:
>> http://www.mail-archive.com/mailman-developers%40python.org/
>> Unsubscribe:
>> http://mail.python.org/mailman/options/mailman-developers/iane%40sussex.ac.uk
>>
>> Security Policy: http://wiki.list.org/x/QIA9
>
>
>
> --
> Ian Eiloart
> IT Services, University of Sussex
> 01273-873148 x3148
> For new support requests, see http://www.sussex.ac.uk/its/help/
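
The requirements raised in this thread (one-way salted hashes, resets instead of reminders, and more than one password store chosen by address domain) can be sketched as follows. This is an added example, not code from the thread or from Mailman; the class and function names are hypothetical, PBKDF2-SHA256 and its iteration count are assumptions, and a second in-memory store stands in for an LDAP backend.

```python
import hashlib, hmac, secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def hash_password(password):
    """Return 'pbkdf2_sha256$iterations$salt$digest'; the plaintext is not kept."""
    salt = secrets.token_bytes(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

class LocalStore:
    """Hypothetical intrinsic store: admins reading it see only hashes."""
    def __init__(self):
        self._hashes = {}        # address -> encoded hash
        self._reset_tokens = {}  # sha256(token) -> address

    def set_password(self, address, password):
        self._hashes[address] = hash_password(password)

    def authenticate(self, address, password):
        stored = self._hashes.get(address)
        return stored is not None and verify_password(password, stored)

    def start_reset(self, address):
        # No reminder is possible; mail a single-use random token instead.
        token = secrets.token_urlsafe(32)
        self._reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = address
        return token

    def finish_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        address = self._reset_tokens.pop(key, None)  # pop makes it single-use
        if address is None:
            return False
        self.set_password(address, new_password)
        return True

class Authenticator:
    """Routes each address to the store registered for its domain."""
    def __init__(self, default, by_domain=None):
        self.default, self.by_domain = default, dict(by_domain or {})

    def store_for(self, address):
        domain = address.rpartition("@")[2].lower()
        return self.by_domain.get(domain, self.default)

    def authenticate(self, address, password):
        return self.store_for(address).authenticate(address, password)
```

A production store would also expire reset tokens after a short time and rate-limit failed logins.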

