-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(Blind) Trusting user names for authentication #4960
Comments
…voip#3523), Username Client Certificate CN Equality (mumble-voip#4940), Blind Trust (mumble-voip#4960)
The question that I pose myself here is: Given that it can be dangerous to enable this option, why would you want to have it in the first place? Aka: What is the actual advantage? Less overhead during registration? Also I always was under the impression that a certificate check was all that was required to authenticate on most servers anyways. Is this then specifically for servers that have passwords in addition to certificate checks? 🤔 |
Maybe things get clearer if I just explain our overall usecase 😅 :
I hope it got clearer now :) |
From what I have read and understood, this seems a fitting candidate for an Ice authenticator. This authorization scheme is very specific and special, and you formulated necessary warnings on related settings which have to taken into account to safely use them. So this seems error prone and complicated. Both in program logic we would have to add, as well as for users. I don’t really see what you see as the problem with using an authenticator. You definitely can configure and apply ACL rules just like normal. I’ve been using a password DB backed authenticator on a server with ACL groups and member accounts in those groups for a long time. Users authenticate to an account, and the account is accessible in ACL. The wiki link you provide does not talk about temporary data. Maybe you are talking about specific authenticator scripts that are linked from there? As there is a mumble user DB and authenticator backed user DB to authenticate against, IIRC the user DB IDs receive IDs in a much higher range to not cause conflicts in the smf script. But that does not influence the username based ACL handling. For reference, here is the Ice authenticate function |
In your example you could say the certificates themselves are the backing DB. Your authenticator would not have a backing DB to check against, but check the CA validity, and then accept the authentication with the username in the certificate. If I understand correctly. |
To clarify to be technically correct from the top of my head I’m not actually sure about the username basis of ACLs. But either way from experience it works with authenticator authenticated users too. |
The core functionality you are after is already requested in #2107. I think the proper way to implement this would be to add real support for having multiple certs per user instead of adding a workaround to skip the cert-hash check. |
Hm #2107 is close, but not the exact same thing: The issue describes that a user should be able to multi-log (online with multiple devices the same time), we actually prefer the way it is currently (that the "old" user is disconnected). But such details could be solved with an other configuration variable I guess 😬. Unfortunaly, adding a real "multi certificate infrastructure" is currently out-of-scope for me 🙈.
It's good to hear that users authenticated by an external system can be targeted by ACLs, I think I misunderstood that in the wiki. While I agree with you that it might be error porn in a way a admin could missconfigure the option (thus that much warnings), I tend to disagree that it would introduce problems from the program logic:
To be totaly honest, it is much more of a hassle for me to learn how to use the Ice authenticator and get it working than adding this three lines of code... Oh and btw: #2107 also mentions certificate revocations, what is a desirable thing. Unfortunaly, it is currently not possible to add CRLs (certificate revocation lists) to a server. The problem here is that Qt doesn't allow adding a crl to a |
While I can see how you would benefit from this feature being implemented in Mumble directly, I don't think that this is something that a lot of other users will benefit from as well. Even the contrary might be the case if one deals with server admins that recklessly enable this option without properly understanding the consequences. For these reasons I would vote to close this request as out-of-scope for Mumble (at least in the approach described here). |
As I wrote above I agree with that reasoning. Very niche functionality, with potential confusion/accidental misuse. At the same time it has a good Ice authenticator alternative that can be used. |
Alright then for the reasons stated above, I will close this issue. |
Murmurs current authentication system either uses a password or a certificate hash to authenticate a user with the backend. If murmur trusts a certificate, because it was issued from a certificate authority that itself trusts (what will be possibly with the MCTS, see #3523) AND if murmur can guarantee that a user is who he is (what will be possibly with "forceUsernameCertSubjectEquality", see #4940), murmur can authenticate that user purly based on the username.
I want to introduce a new
murmur.ini
option:We could achive this by altering the authenticate method in
ServerDB.cpp
slightly, I think of something like this (for line 1321):Why don't just use an external authentication system? The system could return the userid based on the certificate and we would not alter murmur.
BUT user authenticated using an external system are (as of my understanding from this wiki text) members of a temporary group and thus not differentiable when it comes to ACLs. Secondly, using an external authentication system will introduce unnecessary overhead to the system.
The text was updated successfully, but these errors were encountered: