From: Emmanuel S. <esa...@us...> - 2004-10-17 15:03:43
hi jamie,

could it be possible to have a simple password field for modules
configuration section (other than 12, which is sometimes confusing for
the user).

"simple", that means: only a <input type="password" name="var"
value="">, and nothing else (no radios for example :-) ).

does this type already exist (I did not see it)?

thanks,

bye
From: Martin M. <mm...@me...> - 2004-10-17 15:24:49
Hi Emmanuel, hi Jamie

Emmanuel Saracco wrote:

> "simple", that means: only a <input type="password" name="var"
> value="">, and nothing else (no radios for example :-) ).

This problem comes up in the module configuration of the current
wbmtranslator as it is able to use smtp-auth to a remote system.

The current "12" shows something like this ...

[ ] no change [ ] set to ___________________

which is really confusing, because it does not make sense in this
particular section.

What wbmtranslator needs is just something like

SMTP-Password: ____________________

or to be just able to read the settings from the "Read Mail"-Module.

Jamie, can you please point us into the direction for the inclusion of
the "Read Mail"-Module? This would make things easier I think.

Until then - kind regards

Martin Mewes
--
######################################################################
http://www.webmin.com/   | Webbased Administration Tool for
http://webmin.mamemu.de/ | Unixoid Systems :-)
Official Webmin/Usermin Translation Co-Ordinator 2003/2004
######################################################################
From: <ra...@si...> - 2004-10-17 20:31:33
On Sun, 17 Oct 2004, Martin Mewes wrote:

> Hi Emmanuel, hi Jamie
>
> Emmanuel Saracco wrote:
>
> > "simple", that means: only a <input type="password" name="var"
> > value="">, and nothing else (no radios for example :-) ).
>
> This problem comes up in the module configuration of the current
> wbmtranslator as it is able to use smtp-auth to a remote system.
>
> The current "12" shows something like this ...
>
> [ ] no change [ ] set to ___________________
>
> which is really confusing, because it does not make sense in this
> particular section.
>
> What wbmtranslator needs is just something like
>
> SMTP-Password: ____________________
>
> or to be just able to read the settings from the "Read Mail"-Module.
>
> Jamie, can you please point us into the direction for the inclusion of
> the "Read Mail"-Module? This would make things easier I think.
>
>
> Until then - kind regards
>
> Martin Mewes
>

No, I think that it still makes sense because of the reasons I outlined
in my previous post. The password that might be used in "Module
Configuration" is saved in the current module's configuration space so
it can be used when the module is run. The module still needs to know
that the user intended to change the password.

If the password is only relevant in this current session, then it might
be more practical to have a way for the user to enter a password upon
entering the module, or build it into the ACL list so it can be
different for each user.

Or even thinking about this some while writing this message, would be a
password setting that can be different for each webmin user, and would
be changed based on the $remote_user value when the module configuration
is called (this might be the better feature request - and something that
I have thought about for the MySQL module for a while, maybe I can
prototype this feature for this module).

----
Randy
From: Jamie C. <jca...@we...> - 2004-10-18 00:24:02
On Mon, 2004-10-18 at 01:24, Martin Mewes wrote:
> Hi Emmanuel, hi Jamie
>
> Emmanuel Saracco wrote:
>
> > "simple", that means: only a <input type="password" name="var"
> > value="">, and nothing else (no radios for example :-) ).
>
> This problem comes up in the module configuration of the current
> wbmtranslator as it is able to use smtp-auth to a remote system.
>
> The current "12" shows something like this ...
>
> [ ] no change [ ] set to ___________________
>
> which is really confusing, because it does not make sense in this
> particular section.
>
> What wbmtranslator needs is just something like
>
> SMTP-Password: ____________________
>
> or to be just able to read the settings from the "Read Mail"-Module.
>
> Jamie, can you please point us into the direction for the inclusion of
> the "Read Mail"-Module? This would make things easier I think.

The best way for another module to send email is to use code like this :

    &foreign_require("mailboxes", "mailboxes-lib.pl");
    $mail = { 'headers' =>
                [ [ 'From', 'fo...@ba...' ],
                  [ 'To', $destination ],
                  [ 'Subject', 'Your subject here' ] ],
              'attach' =>
                [ { 'headers' => [ [ 'Content-type', 'text/html' ] ],
                    'data' => 'Message body here' } ] };
    &mailboxes::send_mail($mail);

This will make use of the Read User Mail module's configuration for
sending, including any SMTP server or authentication set on its Module
Config page.

- Jamie
From: <ra...@si...> - 2004-10-17 20:19:28
On Sun, 17 Oct 2004, Emmanuel Saracco wrote:

> hi jamie,
>
> could it be possible to have a simple password field for modules
> configuration section (other than 12, which is sometimes confusing for
> the user).
>
> "simple", that means: only a <input type="password" name="var"
> value="">, and nothing else (no radios for example :-) ).
>
> does this type already exist (I did not see it)?
>
> thanks,
>
> bye
>

If I am reading this correctly (and let me know if this is wrong), that
the request is that there be a line in the config.info like:

  pass=Password,<some_number_that_is_not_12>

that will generate a line in the module's configuration page like:

  Password [ <blank text> ]

instead of (if the number 12 is used above):

  Password [X] Don't Change [ ] Set to [ <blank text> ]

Besides the potential security issues, it makes it extremely difficult
to differentiate between the following:

  I didn't want to change the password
  I didn't want to change the password, but typed something there
    accidentally
  I intended to change the password to the NULL string
  I intended to change the password to this new value
  I didn't want to change the password, but was unsure and typed the
    original password which might reset the expiration date
  I wanted to update the expiration date, but not change the password,
    so I entered the same password

With the radio buttons, it comes down to a simple case of:

  I didn't want to change the password, so ignore anything in the
  password box.

or

  I intended to change the password, so use whatever is in the password
  box, even if it is NULL or the same as the previous password.

The best answer is to understand the confusion, and change the way this
line is displayed so that it is not confusing.

So given that it is important to know if the user intended to
change/set a password, what wording or display organization do you think
would make it less confusing, or (hopefully) totally understandable?

Cheers!

----
Randy
From: Emmanuel S. <esa...@us...> - 2004-10-18 10:51:04
On Sun 17/10/2004 at 22:17, ra...@si... wrote:

hi,

[...]
> Besides the potential security issues, it makes it extremely difficult
> to differentiate between the following:

is it really more insecure than type 3 (the type used by mailboxes to
manage auth password)?

type 3 should be ok for me if at least it used a "password" HTML type.

I know that any user can always view HTML source and get the password,
but it will not be displayed on the interface (so at least protected
from other eyes). am I wrong?

-> this was a user's feature request for my module (wbmtranslator) and I
didn't know how to answer it without using the (in this case) confusing
type 12.

@jamie: I think I will use type 3 (even if it never hides the password).
so no need for new type 16.

[...]

thanks,

bye
From: Jamie C. <jca...@we...> - 2004-10-18 00:20:09
On Mon, 2004-10-18 at 01:03, Emmanuel Saracco wrote:
> hi jamie,
>
> could it be possible to have a simple password field for modules
> configuration section (other than 12, which is sometimes confusing for
> the user).
>
> "simple", that means: only a <input type="password" name="var"
> value="">, and nothing else (no radios for example :-) ).
>
> does this type already exist (I did not see it)?

I can't see any harm in a new config type 16 being added which just
displays a password field, with no 'dont change' option. However, I
would recommend the use of type 12 in general for password fields, as it
is a little more secure as the current password is not included in the
HTML..

- Jamie
From: <ra...@si...> - 2004-10-18 02:44:28
On Sun, 18 Oct 2004, Jamie Cameron wrote:

> On Mon, 2004-10-18 at 01:03, Emmanuel Saracco wrote:
> > hi jamie,
> >
> > could it be possible to have a simple password field for modules
> > configuration section (other than 12, which is sometimes confusing for
> > the user).
> >
> > "simple", that means: only a <input type="password" name="var"
> > value="">, and nothing else (no radios for example :-) ).
> >
> > does this type already exist (I did not see it)?
>
> I can't see any harm in a new config type 16 being added which just
> displays a password field, with no 'dont change' option. However, I
> would recommend the use of type 12 in general for password fields, as it
> is a little more secure as the current password is not included in the
> HTML..
>
> - Jamie
>

I know that this is mostly just my opinion, but would think that a prime
reason would be how would the module know that the password has been
changed legitimately, and not ignored and inadvertently left blank. And a
significant second would be that if it was passed as part of the
configuration, then it isn't very secure as it would be part of the form,
and then easily seen (just display the source).

As much as it seems like there is value, I personally think that it
would be a better solution to identify what is confusing, and make it no
longer confusing. BTW, I am trying to understand why, as a configuration
option, the current mechanism isn't suitable, as the configuration isn't
intended to be called on each invocation of the module?

However, if there is a new type, I would also like to request that this
be identified as an insecure type, and allow the core to disallow any
insecure types, or turn them into a (more) secure type (i.e. change a 16
into a 12).

----
Randy
From: Jamie C. <jca...@we...> - 2004-10-18 05:17:37
On Mon, 2004-10-18 at 12:42, ra...@si... wrote:
> On Sun, 18 Oct 2004, Jamie Cameron wrote:
>
> > On Mon, 2004-10-18 at 01:03, Emmanuel Saracco wrote:
> > > hi jamie,
> > >
> > > could it be possible to have a simple password field for modules
> > > configuration section (other than 12, which is sometimes confusing for
> > > the user).
> > >
> > > "simple", that means: only a <input type="password" name="var"
> > > value="">, and nothing else (no radios for example :-) ).
> > >
> > > does this type already exist (I did not see it)?
> >
> > I can't see any harm in a new config type 16 being added which just
> > displays a password field, with no 'dont change' option. However, I
> > would recommend the use of type 12 in general for password fields, as it
> > is a little more secure as the current password is not included in the
> > HTML..
> >
> > - Jamie
> >
>
> I know that this is mostly just my opinion, but would think that a prime
> reason would be how would the module know that the password has been
> changed legitimately, and not ignored and inadvertently left blank. And a
> significant second would be that if it was passed as part of the
> configuration, then it isn't very secure as it would be part of the form,
> and then easily seen (just display the source).
>
> As much as it seems like there is value, I personally think that it
> would be a better solution to identify what is confusing, and make it no
> longer confusing. BTW, I am trying to understand why, as a configuration
> option, the current mechanism isn't suitable, as the configuration isn't
> intended to be called on each invocation of the module?

You'll have to ask the module author who requested this feature about
this one :-) However, none of the core Webmin modules will use this new
type, for the reasons you mentioned ..

> However, if there is a new type, I would also like to request that this
> be identified as an insecure type, and allow the core to disallow any
> insecure types, or turn them into a (more) secure type (i.e. change a 16
> into a 12).

I will add support for a hidden option in /etc/webmin/config called
config_16_insecure , which if set to 1 will convert all type 16 inputs
into type 12.

- Jamie
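
An added Perl sketch of the trade-off debated in this thread (not Webmin's own code and not posted by any participant): a bare field in the style of the proposed type 16 has to embed the stored password in the page, while a type 12 style field keeps it out and lets the radio button carry the user's intent. The field names, the `_nochange` suffix and the `effective_type` model of `config_16_insecure` are assumptions of the sketch.

```perl
use strict;
use warnings;

# Escape a value for a double-quoted HTML attribute.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Model of the proposed config_16_insecure=1 switch: treat type 16 as type 12.
sub effective_type {
    my ($type, $downgrade) = @_;
    return ($type == 16 && $downgrade) ? 12 : $type;
}

# Render one password setting (field names are assumptions of this sketch).
sub render_field {
    my ($name, $type, $current, $downgrade) = @_;
    if (effective_type($type, $downgrade) == 16) {
        # Bare field: has to carry the stored value, or saving an untouched
        # form would blank the password. The value is now in the page source.
        return sprintf('<input type="password" name="%s" value="%s">',
                       $name, html_escape($current));
    }
    # Type 12 style: the radio carries the intent, so the box stays empty.
    return sprintf('<input type="radio" name="%s_nochange" value="1" checked> Don\'t change '
                 . '<input type="radio" name="%s_nochange" value="0"> Set to '
                 . '<input type="password" name="%s" value="">', $name, $name, $name);
}

# Apply submitted form values ($in) to the stored configuration.
sub save_field {
    my ($config, $in, $name, $type, $downgrade) = @_;
    return 'kept' if effective_type($type, $downgrade) == 12 && $in->{"${name}_nochange"};
    $config->{$name} = defined $in->{$name} ? $in->{$name} : '';
    return 'set';
}

# Constructed sample data, not taken from any real installation.
my %config = (smtp_pass => 's3cr"et');
for my $case ([16, 0], [16, 1], [12, 0]) {
    my $html = render_field('smtp_pass', $case->[0], $config{smtp_pass}, $case->[1]);
    printf "type %d, downgrade %d: stored password in HTML? %s\n", @$case,
        index($html, html_escape($config{smtp_pass})) >= 0 ? 'yes' : 'no';
}
# Type 12: stray text with "Don't change" is ignored; "Set to" + empty box clears on purpose.
print save_field(\%config, { smtp_pass_nochange => 1, smtp_pass => 'typo' }, 'smtp_pass', 12, 0), "\n";
print save_field(\%config, { smtp_pass_nochange => 0, smtp_pass => '' }, 'smtp_pass', 12, 0), "\n";
```
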
From: <ra...@si...> - 2004-10-18 06:19:09
> > BTW, I am trying to understand why, as a configuration
> > option, the current mechanism isn't suitable, as the configuration isn't
> > intended to be called on each invocation of the module?
>
> You'll have to ask the module author who requested this feature about
> this one :-) However, none of the core Webmin modules will use this new
> type, for the reasons you mentioned ..
>

I was hoping to get a response on this from the module author(s), but to
make things clean, this is an official request.

Given the interesting programmatic and security issues with this feature,
as well as previous posts on the subject, why cannot the current
mechanism be used, and if it is just because the form is confusing, what
would make the form clear?

I would hate to have an insecure feature implemented when all that was
needed was better language or structure.

Cheers!

----
Randy
From: Martin M. <mm...@me...> - 2004-10-18 06:51:53
Hi,

Jamie Cameron wrote:

> You'll have to ask the module author who requested this feature about
> this one :-) However, none of the core Webmin modules will use this new
> type, for the reasons you mentioned ..

On behalf of the module writer (wbmtranslator):

There is a new module configuration possible to send out eMails to
tra...@we... using smtp-auth.

If we would use type 12 the configuration would look like

smtp-password: [ ] Leave as is [ ] this one _____________

This would be confusing in this area, because the translator may not
know what "leave as is" means.

If we would use the "Read Mail" functionality it would definitely make
more sense, because we could tell it to the customer:

######################################################################
Use ReadMail-Module-Settings for sending eMails

[X] Yes, default [ ] No

smtp-login   : ________________
smtp-password: [ ] Leave as is [ ] this one _____________

This has been extracted from the currently installed Read-Mail-Module.
If you change the password here, the smtp-password would be changed for
the Read-Mail-Module as well. If you do not want to use the Settings of
the Read-Mail-Module, please deselect it in this module configuration,
save this setting once. Then come back here and type in your settings
which would only be suitable for this particular area.

[Setting to No] - [Save] - [Coming back]

Use ReadMail-Module-Settings for sending eMails

[ ] Yes, default [X] No

smtp-login   : ________________
smtp-password: ________________

Please indicate a smtp-login and -password for this particular area.
######################################################################

Of course this is a design study only :-)

Until then - kind regards

Martin Mewes
--
######################################################################
http://www.webmin.com/   | Webbased Administration Tool for
http://webmin.mamemu.de/ | Unixoid Systems :-)
Official Webmin/Usermin Translation Co-Ordinator 2003/2004
######################################################################
From: Emmanuel S. <esa...@us...> - 2004-10-18 09:43:45
On Sun 17/10/2004 at 17:03, Emmanuel Saracco wrote:

hi,

> could it be possible to have a simple password field for modules
> configuration section (other than 12, which is sometimes confusing for
> the user).

thanks to all for your answers and technical information.

I think I will follow martin's advice and let the user choose between
using mailboxes configuration or specify new login/password (using
future type 16 to display corresponding HTML field).

[...]

thanks,

bye