Issue 601: Disable (password) Regenerate button in LDAP authentication mode
In Settings/SSH Keys, next to the username/password fields, there is a button called Regenerate. When users (accidentally) press that button, a password gets created for the user's SSH account. Once you click it once, the password field in account_external_ids gets set to a new random password. This causes every git SSH operation to now prompt for a password, even if things were working fine before clicking the Regenerate button.

It's not possible to NULL out the password in the UI. You can only regenerate a new random password, but there's no option to unset it.

I think it'd be best to be able to disable this button completely when in LDAP mode. At least I don't see how this feature could provide any value, since authentication for git operations is already done via SSH keys. Not sure if this applies to other authentication methods.
Jul 1, 2010
Project Member
#1
edwin.ke...@gmail.com
Jul 15, 2010
There is a change for review that allows the user to clear the password:
https://review.source.android.com/15829
With this, users can simply remove the password if they have accidentally clicked on the 'Generate Password' button.
Jul 15, 2010
Right. So this password exists for HTTP repository access, for URLs like http://review.example.com/p/project.git. If you need to log in to access the project (or are pushing), we use your username and a password that is dedicated to this repository access purpose. That way it's lower risk to embed the password in your ~/.netrc. I put in a clear button in change 15829 as Edwin points out above, but I'm not sure we should actually disable this feature.
Status:
Started
Owner: s...@google.com
Jul 15, 2010
(No comment was entered for this change.)
Labels:
Milestone-2.1.4
Jul 15, 2010
So thinking about it further, we don't want to disable the feature altogether; doing so would prevent http:// style of repository access. The better way to do that is to support turning off http:// access altogether, not by hiding the password field in the web UI when LDAP is enabled. So I'm closing this issue as completed since we now have a way for a user to clear the password they accidentally made.
Status:
Fixed
Labels: -Milestone-2.1.4 FixedIn-2.1.4
Mar 27, 2012
(No comment was entered for this change.)
Status:
Released