[rt-users] Solution for User Password + Viewing ticket status

Christian Gilmore cgilmore at tivoli.com
Thu Nov 7 14:56:59 EST 2002


Can you instead use external authentication to an existing system? That way,
you could care less about RT's version of passwords (very good from a
security perspective, since there's no real password management in RT [nor
should there be since RT's mission in life really shouldn't include
significant user management minutiae]) and users as of their first use would
be able to access self service.

Thanks,
Christian

-----------------
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group


> -----Original Message-----
> From: rt-users-admin at lists.fsck.com
> [mailto:rt-users-admin at lists.fsck.com]On Behalf Of Brian Shellabarger
> Sent: Thursday, November 07, 2002 1:16 PM
> To: rt-users at lists.fsck.com
> Subject: [rt-users] Solution for User Password + Viewing ticket status
> 
> 
> 
> Greetings,
> 
> First-time contributor to the list, but I've been browsing 
> the archives extensively, hopefully I don't go off-topic 
> here. I have several issues to present to the list, I'll do 
> each of them in their own email as to keep the threads tidy. 
> I also know just enough perl to be dangerous, and not nearly 
> enough to be an expert..  Here goes:
> 
> I wanted the ability for my ticket requestors to view the 
> status of their tickets using the /SelfService section of RT. 
> However, I wanted the auto-reply and login process to be 
> automated. Obviously, RT doesn't have a way to randomly 
> generate passwords, so I edited lib/RT/User.pm and changed 
> "$args{'Password'} = '*NO-PASSWORD*';" to $args{'Password'} = 
> crypt($args{'Name'}, $salt); --- This effectively makes the 
> password the same as their email address and it's working 
> perfectly. When I send them the auto-reply template, I 
> include the following URL:
> http://mysite.com/SelfService/Display.html?id={$Ticket->id()}&user={$Ticket->CreatorObj->Name}&pass={$Ticket->CreatorObj->Name}
> 
> It works *PERFECTLY*
> 
> Obviously my only concern here is security. Once my customers realize that
> their password is the same as their email address, I may have a few get
> curious and decide to browse other tickets. I need to prevent this.
> 
> I'm proposing the following and I'd like pointers on the best way to
> implement this:
> 
> ** Since there's no way for the method that sets the password in the
> database to talk to my template and tell it what password it chose, I'd like
> to base the password on the email address, but run it through some sort of
> non-secure encryption on both sides (something cheesy like shifting all the
> characters up 10 is the general idea.. just something both sides can agree
> upon, and the result will be the same). I realize this is security by
> obscurity (banking on the customer not being able to figure out what
> algorithm you used to generate their password) but it's MUCH better than
> what I've got now.
> 
> So I would set the password using $password = myencrypt(email_address) --
> but how do I tie this in on the template side?
> 
> All help is appreciated. :)
> 
> Brian
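
An added example, not from either poster and not RT code: the character-shift idea from the quoted message next to a keyed derivation (HMAC-SHA256 with a server-side secret) that the account-creation code and the auto-reply template could both compute. The function names, the secret and the addresses are constructed for illustration, and Digest::SHA is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# The scheme proposed in the post: shift every character up by 10.
# It is a pure function of the e-mail address, so the rule alone
# determines every user's password.
sub shifted_password {
    my ($email) = @_;
    return join '', map { chr(ord($_) + 10) } split //, $email;
}

# What a requestor learns by comparing their own address with their
# own password: the offset between the first characters is the shift.
sub infer_shift {
    my ($email, $password) = @_;
    return ord(substr($password, 0, 1)) - ord(substr($email, 0, 1));
}

# Keyed alternative: HMAC-SHA256 over the address with a secret that
# only the server holds. Any code that has the secret derives the
# same value; a user who knows only addresses cannot.
sub keyed_password {
    my ($email, $secret) = @_;
    return substr(hmac_sha256_hex(lc($email), $secret), 0, 32);
}

# Constructed sample values, not from the original post.
my $secret = 'replace-with-long-random-server-secret';
my @users  = ('alice@example.com', 'bob@example.org');

# One account is enough to recover the shift used for all accounts.
my $k = infer_shift($users[0], shifted_password($users[0]));
print "shift recovered from one account: $k\n";

# The keyed value is stable per address for a given secret ...
for my $email (@users) {
    printf "%-20s keyed=%s\n", $email, keyed_password($email, $secret);
}

# ... and unrelated under a different secret, so one's own password
# says nothing about anyone else's.
my $same = keyed_password($users[1], $secret)
        eq keyed_password($users[1], 'a-different-secret');
print "keyed value survives a secret change: ", ($same ? "yes" : "no"), "\n";
```

Either derivation still places the value in the URL query string, where it is recorded in web server and proxy logs; external authentication, as suggested in the reply, removes the derived password altogether.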

