Protect system initialization with a passcode
When the system is started for the first time, the system administrator has to note down the randomly generated passwords for the system. This happens on the initialization website (#4 (closed)). That page is currently not protected, so anyone on the network could see the generated passwords. To prevent unauthorized users from seeing this sensitive data, the page should be protected with a password.
Reasons
- highly valuable data is publicly exposed
- everyone on the network could see the system's root passwords
New Features
What feature(s) did you add?
Desired order of events:
- user opens initialization page
- init page prompts for password
- password is shown on the device's display
- user reads the password off the device
- user enters the password on the init page
- init page shows the system passwords
How did you implement it/them?
When a user enters the initialization page:
- generate an authentication code
- show the authentication code on the display
- store the authentication code in the user's session
- when an authentication code is entered check if it matches the one in the user's session
- if it does: the user had access to the device and is (probably) an administrator -> show the initialization page
- if it doesn't: tell the user that the code is wrong and allow him to generate a new one
Overview of the commits
The commits span several of these points, so here's the list of commits with a short explanation:
- protect initialization page with a code shown on the display [4fa3fd4e]
- only show "invalid auth_code"-message if it is really invalid, otherwise reset session and generate new code [0fe7b71d]
- styled init page authentication process [9a03d4a3]
Preview
Login
Wrong passcode
Page displayed after correct passcode:
Thanks for reading
Jan, for PCSG Developers
Posted on Utopian.io - Rewarding Open Source Contributors
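The flow listed under "How did you implement it/them?" in the post above, as an added example in Python; it is not the project's own code. The session dict, the `show_on_display` stand-in, the six-digit code length and the single-use rule are assumptions, since the post does not specify them.

```python
import hmac
import secrets

CODE_DIGITS = 6  # assumption: the post does not state the code length


def show_on_display(code, display):
    """Hypothetical stand-in for the device display driver."""
    display.append(code)


def start_authentication(session, display):
    """Generate a fresh code, bind it to this session, show it on the device."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    session.clear()  # drop any state left over from an earlier attempt
    session["auth_code"] = code
    show_on_display(code, display)


def submit_code(session, display, entered):
    """Return 'ok', 'invalid' or 'new_code' for a submitted code."""
    expected = session.get("auth_code")
    if expected is None:
        # Nothing pending (expired or already used): this is not an
        # "invalid code" case, so reset and issue a new code instead.
        start_authentication(session, display)
        return "new_code"
    # Assumption: codes are single-use, so each displayed code allows one
    # guess and a wrong guess forces a new code onto the display.
    del session["auth_code"]
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if hmac.compare_digest(expected.encode(), entered.encode()):
        session["authenticated"] = True
        return "ok"
    return "invalid"


def init_page(session):
    """Only a session that proved access to the display sees the passwords."""
    if not session.get("authenticated"):
        return "enter the code shown on the device display"
    return "system passwords: <rendered here>"
```

Because the code lives only in the requester's session and on the physical display, a second client on the network starts with an empty session and cannot reuse a code that someone else triggered.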
Thank you for the contribution. It has been approved.
You can contact us on Discord.
[utopian-moderator]
Thank you vladimir! :-)