Moodle

All users locked out with latest 1.9.7 security update

Details

  • Type: Bug
  • Status: Closed
  • Priority: Blocker
  • Resolution: Not a bug
  • Affects Version/s: 1.9.6
  • Fix Version/s: None
  • Component/s: Authentication
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE

Description

Our school uses IMAP authentication. After applying the latest 1.9.7 security patch which prevents caching of passwords, all of our users were locked out.

Among the notices for IMAP users was Notice: Unknown: Certificate failure for 172.16.20.76: unable to get local issuer certificate: /DC=org/DC=seattleacademy/CN=seattleacademy-ALPHA-CA (errflg=2) in Unknown on line 0

Even the admin was not able to log in, and that account is not IMAP.

Even though I will be able to hack around this issue, things are moving very quickly on these security issues and I would advise caution in making sure everything works on a production site. Fortunately, this problem is only on our test servers so far.

--Gary

Activity

Petr Škoda (skodak) added a comment -

very strange
1/ the imap auth plugin does not access the password in the user table at all
2/ local admin accounts are forced to change password, nothing else should change there
3/ the IMAP notice is something very new for me

Could you give me some more hints about what might be going wrong? I cannot see any reason for this.

Petr Škoda (skodak) added a comment -

1/ tested it on my local server+gmail imap
2/ retested, works for me
3/ I saw the same notice when I used imapssl - there was a problem with the certificate; when I used the imapcert option (do not ask me why it is called like this) the cert check is skipped and everything works

Gary Anderson added a comment -

I am going to close this as I think the problem is on our end – the error seems to be displaying a message from our IMAP server that was not evident before this update. Also, on our end we check the MD5 hash for a match before checking IMAP (it speeds things up and does not make Moodle dependent on the email server being up). That, of course, is not a core issue.

I suspect that I simply forgot the new password for the admin account. Since our development servers don't email, I fixed it and documented the method here: http://docs.moodle.org/en/Talk:Password_policy

A suggestion: forcing the admins to change their passwords, rather than simply suggesting a change and reporting password strength, is a mistake in my view. They will simply write down passwords they can't remember (raising a different security issue) or they may lock themselves out.

Also, keeping the MD5 hash could be useful as a backup for when the authentication server is down, although I also understand the reasoning for not wanting it in the database.

Petr Škoda (skodak) added a comment -

ah, you can simply create a copy of your imap plugin instead of modifying the current one, just change the new method to return false which indicates the md5 hashes should be kept

Gary Anderson added a comment -

Yes, I think that is a good solution, Petr. A new plugin called something like cached IMAP.

It would use the md5 hash and only check the IMAP server in case of a non-match. And it would have the new method set to false. So, only two lines need to be changed.

It would, of course, have some understandable security tradeoffs like the storage of hashes and not letting the email server revoke access, but it does provide a nice solution for a more robust authentication method (in terms of not failing if the mail server goes down), and lets users have a single password for their institution's email and moodle site.

--Gary

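A sketch of the cached IMAP plugin that Petr (copy the plugin, make the new method return false) and Gary (check the local hash first, ask IMAP only on a non-match) describe above, as an added example that is not code from the thread or from Moodle core. It assumes the Moodle 1.9 auth plugin API (auth_plugin_base, get_record(), validate_internal_user_password()), a hypothetical plugin name imapcached, and that the method introduced by the 1.9.7 update is prevent_local_passwords().

```php
<?php
// auth/imapcached/auth.php -- hypothetical plugin name; added example, not Moodle core code.
// Assumes the Moodle 1.9 auth plugin API and that the method added in 1.9.7 is
// prevent_local_passwords().

require_once($CFG->libdir.'/authlib.php');
require_once($CFG->dirroot.'/auth/imap/auth.php');

class auth_plugin_imapcached extends auth_plugin_imap {

    // Moodle 1.9 uses PHP4-style constructors: register the plugin under its own
    // name so it gets its own settings (host, type, port) separate from auth/imap.
    function auth_plugin_imapcached() {
        $this->authtype = 'imapcached';
        $this->config   = get_config('auth/imapcached');
    }

    // The 1.9.7 method: returning false tells the login code to keep writing the
    // MD5 hash into the user table after a successful IMAP login (Petr's change).
    function prevent_local_passwords() {
        return false;
    }

    // Gary's order of checks: local hash first, IMAP server only on a non-match.
    function user_login($username, $password) {
        global $CFG;

        $user = get_record('user', 'username', $username,
                           'mnethostid', $CFG->mnet_localhost_id);
        if ($user and validate_internal_user_password($user, $password)) {
            // Hash matched: no round trip to the mail server.
            return true;
        }

        // Either the hash is stale (password changed on the mail server) or the
        // user has never logged in here; let the IMAP server decide.
        // Trade-off: a cached hash keeps working until the user next logs in with
        // the new password, so the mail server cannot revoke access on its own.
        return parent::user_login($username, $password);
    }
}
```

Existing IMAP users reach this code only after their user.auth field is changed to imapcached, and the plugin needs its own config.html (copied from auth/imap) so host, type and port are set. Choosing the imapcert type to silence the certificate notice disables certificate validation on the connection that carries the password, so the fix for that notice is installing the issuing CA on the Moodle server rather than skipping the check.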
Petr Škoda (skodak) added a comment -

please submit it into contrib section, others might like it too

