BIND 10 #2641: Disable default account, require authentication setup during initialization

BIND 10 Development do-not-reply at isc.org
Thu Feb 21 19:29:48 UTC 2013


#2641: Disable default account, require authentication setup during initialization
-------------------------------------+-------------------------------------
            Reporter:  shane         |                        Owner:  muks
                Type:  enhancement   |                       Status:
            Priority:  very high     |  reviewing
           Component:  bind-ctl      |                    Milestone:
            Keywords:                |  Sprint-20130305
           Sensitive:  0             |                   Resolution:
         Sub-Project:  Core          |                 CVSS Scoring:
Estimated Difficulty:  4             |              Defect Severity:  N/A
         Total Hours:  0             |  Feature Depending on Ticket:
                                     |          Add Hours to Ticket:  0
                                     |                    Internal?:  0
-------------------------------------+-------------------------------------

Comment (by shane):

 Replying to [comment:17 jinmei]:
 > But, on thinking about this more closely, a more fundamental point
 > occurred to me.  I now think it's probably not really a good idea to
 > introduce things like `_have_users` in the first place.  Not being a
 > security expert, my general sense of security is that it's generally a
 > bad practice to give a possibly untrusted remote user unnecessary
 > state at the server side.  For a login session, the server should simply say
 > the login succeeds or not for the given user name and password; it's
 > not wise to tell the user if the password file exists or the list is
 > empty.  In that sense, the existing code would also be not really
 > good; I guess we shouldn't terminate the connection immediately after
 > cmdctl finds the file isn't accessible, but it should reject the login
 > request due to that just like the case where the user/password doesn't
 > match.
 >
 > If we need to give the user a hint for possible diagnosis (like "you
 > should probably check the cmdctl log"), that should be a local
 > extension to bindctl, not based on a response from cmdctl.

 It's still annoying to have to type in a user name & password to be told
 "hey, maybe you should, you know, set up the system?"... but it does make
 sense from general security principles.

 So, the approach would be:

 * On failed login, check to see if the user has logged in successfully
 ever (this can be stored in the ~/.bind10/ directory, perhaps even in the
 ~/.bind10/default_user.csv). If not, then output a message saying
 something like Jinmei describes, although possibly more explicit:

     Login failed: either the user name or password is invalid.
     When the system is first set up you need to create at least one user
     account. For information on how to set up a BIND 10 system, please see
     the BIND 10 Guide:
         http://bind10.isc.org/docs/bind10-guide.html#quick-start-auth-dns
     If a user account has been set up, please check the b10-cmdctl log for
     other information.

 * On a successful login, set the flag to indicate that the user has at one
 point logged in. This is to prevent the helpful message above ''after''
 the system has actually been set up - when it is no longer helpful.

-- 
Ticket URL: <http://bind10.isc.org/ticket/2641#comment:19>
BIND 10 Development <http://bind10.isc.org>
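
An illustration of the split discussed in this thread, added here as an example and not taken from the BIND 10 code: the server-side check returns the same bare failure for a missing file, an empty list, an unknown user or a wrong password, and the client decides from its own local marker whether the setup hint is worth printing. The CSV layout, the logger name, the marker file name `logged_in_once` and all function names are assumptions.

```python
import csv
import hashlib
import hmac
import logging
import os

GENERIC = "Login failed: either the user name or password is invalid."
HINT = ("When the system is first set up you need to create at least one "
        "user account. If a user account has been set up, please check "
        "the b10-cmdctl log for other information.")
MARKER = "logged_in_once"  # hypothetical file name, not from the ticket


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def server_check(accounts_csv, user, password):
    """Server side: one boolean, whatever the reason for the failure."""
    stored = {}
    try:
        with open(accounts_csv, newline="") as f:
            for name, salt_hex, hash_hex in csv.reader(f):
                stored[name] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    except (OSError, ValueError) as err:
        # The real cause goes to the local log only, never to the client.
        logging.getLogger("cmdctl").warning("accounts file unusable: %s", err)
        stored = {}
    # Unknown users are checked against a dummy record so the same work is done.
    salt, expected = stored.get(user, (b"\0" * 16, b"\0" * 32))
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return ok and user in stored


def client_report(ok, state_dir):
    """Client side: decide locally whether the first-time hint is useful."""
    marker = os.path.join(state_dir, MARKER)
    if ok:
        os.makedirs(state_dir, exist_ok=True)
        open(marker, "a").close()  # remember that a login once worked
        return "Login succeeded."
    if os.path.exists(marker):
        return GENERIC  # system was set up before; the hint no longer helps
    return GENERIC + "\n" + HINT
```
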