[Systems] Account management.
Sascha Silbe
sascha-ml-ui-sugar-systems at silbe.org
Wed Oct 14 04:30:43 EDT 2009
On Tue, Oct 13, 2009 at 04:19:10PM -0500, David Farning wrote:
> Are there particular sign on mechanisms that I should look into?
Please use something that does _not_ require the user to type in a
password every time a service is used. I currently have to do that for
Trac and it's _really_ annoying.
For ssh, public key authentication works great (and can optionally ask a
password locally if you want), so the SSO stuff only needs to
use/support it. This is the Gold Standard of authentication (at least
IMO).
For HTTP, client certificates are a PITA, but I don't know of anything
else that solves the no-password problem. "Automatic" login (i.e.
recognizing the certificate without redirecting the user to a special
"log in" page that just sets some cookies) and identifying the user by
public key of the certificate (instead of relying on a CA to provide
unique values in some certificate fields) are very important for real
user-friendliness, but unfortunately unsupported by the majority of web
services (provided they support certificate login at all - most don't).
Sorry for presenting requirements and problems instead of real
solutions.
PS: If you do support authentication using passwords, please check for
quality passwords instead of periodically expiring them. The latter just
leads to the users choosing weak passwords because they can't remember
strong ones often/easily enough.
CU Sascha
--
http://sascha.silbe.org/
http://www.infra-silbe.de/
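The post argues for identifying a user by the public key itself rather than by whatever a CA writes into certificate fields. The following is an added example (not code from the post or from the Sugar Labs systems team) of that idea applied to SSH: it parses an OpenSSH public-key line, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and looks the fingerprint up in a registry that maps keys to account names. The registry contents, the 32-byte key values and the account names are constructed for the demonstration.

```python
import base64
import hashlib
import struct
from typing import Dict, Optional, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def ed25519_key_blob(raw_public_key: bytes) -> bytes:
    """Build the blob that appears base64-encoded in an 'ssh-ed25519 AAAA...' line.

    Layout (RFC 8709): string "ssh-ed25519" followed by the 32-byte key.
    """
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def parse_public_key_line(line: str) -> Tuple[str, bytes, str]:
    """Split an authorized_keys / id_*.pub line into (key type, blob, comment).

    The declared type is cross-checked against the first field inside the blob,
    so a line cannot claim one algorithm while carrying another.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob, comment


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the blob, base64 with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def identify(line: str, registry: Dict[str, str]) -> Optional[str]:
    """Map a presented public key to an account name, or None if unknown.

    The identity is the key's fingerprint; the comment field on the line is
    untrusted and deliberately ignored.
    """
    _, blob, _comment = parse_public_key_line(line)
    return registry.get(fingerprint(blob))


def public_key_line(raw_public_key: bytes, comment: str) -> str:
    """Render a constructed ed25519 key as a one-line OpenSSH public key."""
    blob = ed25519_key_blob(raw_public_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample keys (assumption: real keys would come from the users'
# id_ed25519.pub files; these bytes are placeholders, not real key material).
ALICE_KEY = bytes(range(32))
STRANGER_KEY = bytes(range(32, 64))

ALICE_LINE = public_key_line(ALICE_KEY, "alice@laptop")
# The stranger reuses alice's comment to show that comments carry no identity.
STRANGER_LINE = public_key_line(STRANGER_KEY, "alice@laptop")

# Registry: fingerprint -> account name.  Built from the key, never from the comment.
REGISTRY = {fingerprint(ed25519_key_blob(ALICE_KEY)): "alice"}

if __name__ == "__main__":
    print(ALICE_LINE, "->", identify(ALICE_LINE, REGISTRY))
    print(STRANGER_LINE, "->", identify(STRANGER_LINE, REGISTRY))
```

The same pattern carries over to the HTTP case the post describes: hash the SubjectPublicKeyInfo of a presented client certificate and use that digest as the lookup key, so the account stays bound to the key pair no matter which CA issued the certificate or what its subject fields say.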
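The postscript asks for password quality checks at set time instead of periodic expiry. As an added illustration (not part of the post, and not any project's actual policy code), here is a checker that rejects a password on length, presence in a common-password list, inclusion of the user name, sequential runs, low character diversity, and a rough strength estimate, returning every reason at once so the user can fix all of them in one go. The common-password set, the 12-character minimum and the 40-bit threshold are constructed values for the demonstration; a real deployment would load a large breached-password list and tune the thresholds.

```python
import math
import re
from typing import List

# Constructed stand-in for a breached/common password list (assumption: a
# real service would load a much larger list from disk).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "sugar"}

MIN_LENGTH = 12
MIN_BITS = 40.0


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending characters
    ('abcd', '4321'), compared case-insensitively."""
    lower = pw.lower()
    for i in range(len(lower) - run + 1):
        chunk = lower[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def charset_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def estimated_bits(pw: str) -> float:
    """Optimistic strength estimate: length * log2(alphabet size).

    This overestimates for dictionary words, which is why the list check and
    the structural checks below exist alongside it.
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def check_password(pw: str, username: str = "") -> List[str]:
    """Return the list of reasons the password is rejected; empty means accepted."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip punctuation so 'pass-word' still matches the listed 'password'.
    normalized = re.sub(r"[^a-z0-9]", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if has_sequence(pw):
        problems.append("contains a sequential run such as 'abcd' or '4321'")
    if pw and len(set(pw)) <= max(2, len(pw) // 4):
        problems.append("too few distinct characters")
    if estimated_bits(pw) < MIN_BITS:
        problems.append(f"estimated strength below {MIN_BITS:.0f} bits")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate, user in [("password", "alice"),
                            ("abcd1234xyz!!", "alice"),
                            ("Alice2009Alice", "alice"),
                            ("correct horse battery staple", "alice")]:
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Because the checks run once, when the password is chosen, the user gets immediate feedback and can keep a strong password for as long as it remains uncompromised, which is the trade-off the postscript is arguing for.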