#7399 FreeIPA login page fights Firefox password manager
Opened 2 years ago by mcepl. Modified 2 years ago

Issue

When I go to https://account.gnome.org/ipa/ui/ and enter a username and password, Firefox 59 doesn't recognize them as such and doesn't offer to save the credentials to the protected password storage (not using any external password manager like LastPass or something, just using the default built-in stuff in Firefox).

Steps to Reproduce

  1. go to https://account.gnome.org/ipa/ui/ with Firefox 59
  2. enter credentials and press [Login] button

Actual behavior

I enter the credentials, the protected page loads and I can manage my account; however, Firefox doesn't do anything.

Expected behavior

Firefox should notice I have entered so far unknown credentials and offer to save them.

Version/Release/Distribution

no idea, whatever is on https://account.gnome.org/ipa/ui/


I think this is expected behavior. Saving the password would be particularly problematic for the OTP case.

I just can't figure out the internals. Petr, do you know?

Metadata Update from @rcritten:
- Custom field cc adjusted to pvoborni@redhat.com

2 years ago

Google, Microsoft, my bank, etc. are all happy with storing my credentials in my browser (and thus supporting long and difficult-to-remember passwords), but FreeIPA intentionally forces users to simple easily hackable passwords? Weird.

If you have OTP enabled on the account and Firefox saves the password, what then?

Either way there are a multitude of other mechanisms to use complex passwords than relying on Firefox to do so.

To clarify a possible misunderstanding:

Google, Github, and similar sites use a two step login for OTP. First you have to enter login name plus password and press "login". On the next page, you are asked to enter a 2FA token like U2F, HOTP or TOTP.

For technical reasons related to Kerberos, freeIPA cannot do a two step login for 2FA. You have to enter password + OTP as one string in the password field.

@pvoborni @rcritten @simo Would it make sense to split the password field into a password-only field and an optional 2FA field? This would allow users to store login + passphrase in a password manager and still supply a 2FA token that is not stored in password manager. On the server side, we could just join both strings and send them as one password string to the KDC.
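As an added illustration of the split proposed above (example code, not FreeIPA's own), a login form whose password field stays recognisable to the browser's password manager while the OTP field is tagged as a one-time code, plus a helper that joins both values into the single password string the KDC expects. The field names, the `/login` action and the 6-or-8-digit OTP format are assumptions.

```javascript
// Added example, not FreeIPA code. Field names and the /login action are
// assumptions; the point is the autocomplete hints and the password+OTP join.
const LOGIN_FORM_HTML = `
<form id="login" method="post" action="/login">
  <input name="user" autocomplete="username">
  <!-- stored by the browser's password manager -->
  <input name="password" type="password" autocomplete="current-password">
  <!-- one-time-code tells browsers this value must not be saved -->
  <input name="otp" type="text" inputmode="numeric" autocomplete="one-time-code">
  <button type="submit">Login</button>
</form>`;

// Assumption: tokens are 6- or 8-digit HOTP/TOTP codes.
const OTP_RE = /^(\d{6}|\d{8})$/;

// Join password and OTP into the one string Kerberos OTP pre-auth expects.
// Returns the bare password for accounts without OTP and null when the OTP
// field is filled but malformed, so the caller can reject it before submitting
// a credential that is guaranteed to fail at the KDC.
function buildKdcPassword(password, otp) {
  const code = (otp || '').replace(/\s+/g, ''); // tolerate pasted spaces
  if (code === '') return password;              // no OTP on this account
  if (!OTP_RE.test(code)) return null;
  return password + code;                        // password immediately followed by OTP
}

// Build the payload actually sent to the server: the server-side contract
// (a single password string) is unchanged, only the UI is split.
function loginPayload(fields) {
  const joined = buildKdcPassword(fields.password, fields.otp);
  if (joined === null) return { error: 'OTP must be 6 or 8 digits' };
  return { user: fields.user, password: joined };
}
```

Because only the `password` input carries `autocomplete="current-password"`, a password manager that saves this form stores the long passphrase and leaves the OTP out, which is the behaviour the ticket asks for.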

We already have a separate ticket for splitting the password field. Sorry, cannot find it right now, though.

I can't find one either.

I've split the password in temp patch I'm preparing for #7068. https://github.com/freeipa/freeipa/commit/d6449bad1568f7436bb4bd89c4511edbc5b68a40 (I wonder why the link looks as if it was pushed).

The patch looks OK, please submit it as a separate pull request. Regarding the link: it is due to how Github works with pull requests: when you propose a pull request, server-side Github creates a branch named `pull/<pr number>`.

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8

2 years ago
