Issue 601: Disable (password) Regenerate button in LDAP authentication mode
Status:  Released
Owner:
Closed:  Mar 2012
Reported by jjhel...@gmail.com, Jun 18, 2010
In Settings/SSH Keys, next to the username/password fields, there is a button called Regenerate.

When users (accidentally) press that button, a password gets created for the user's SSH account.

Once you click it once, the password field in account_external_ids gets set to a new random password.

This causes every git SSH operation to now prompt for a password, even if things were working fine before clicking the Regenerate button.

It's not possible to NULL out the password in the UI.  You can only regenerate a new random password, but there's no option to unset it.

I think it'd be best to be able to disable this button completely when in LDAP mode.  At least I don't see how this feature could provide any value, since authentication for git operations is already done via SSH keys.

Not sure if this applies to other authentication methods.

Jul 1, 2010
Project Member #1 edwin.ke...@gmail.com
I agree that it does not make much sense to generate a password in case LDAP is used for authentication. As said, login into the Gerrit WebUI is handled by LDAP and Git communication is secured by using SSH. So there is not much value in having this generated password. On the other hand, in case of LDAP it is annoying that once the user has (accidentally) generated a password there is no way back and the password always has to be provided for the Git SSH operations.
Are there any reasons against always disabling this button in case of LDAP authentication?
Jul 15, 2010
Project Member #2 edwin.ke...@gmail.com
There is a change for review that allows the user to clear the password:
https://review.source.android.com/15829

With this, users can simply remove the password if they have accidentally clicked on the 'Generate Password' button.
Jul 15, 2010
#3 sop@google.com
Right.  So this password exists for HTTP repository access, for URLs
like http://review.example.com/p/project.git.  If you need to login
to access the project (or are pushing), we use your username and a
password that is dedicated to this repository access purpose.  That
way it's lower risk to embed the password in your ~/.netrc.

I put in a clear button in change 15829 as Edwin points out above,
but I'm not sure we should actually disable this feature.
Status: Started
Owner: s...@google.com
Jul 15, 2010
#4 sop@google.com
(No comment was entered for this change.)
Labels: Milestone-2.1.4
Jul 15, 2010
#5 sop@google.com
So thinking about it further, we don't want to disable the
feature altogether; doing so would prevent http:// style of
repository access.  The better way to do that is to support
turning off http:// access altogether, not by hiding the
password field in the web UI when LDAP is enabled.

So I'm closing this issue as completed since we now have a
way for a user to clear the password they accidentally made.
Status: Fixed
Labels: -Milestone-2.1.4 FixedIn-2.1.4
Mar 27, 2012
#6 sop@google.com
(No comment was entered for this change.)
Status: Released