Solution for User Password + Viewing ticket status

Greetings,

First-time contributor to the list, but I’ve been browsing the archives extensively, hopefully I don’t go off-topic here. I have several issues to present to the list, I’ll do each of them in their own email as to keep the threads tidy. I also know just enough perl to be dangerous, and not nearly enough to be an expert… Here goes:

I wanted the ability for my ticket requestors to view the status of their tickets using the /SelfService section of RT. However, I wanted the auto-reply and login process to be automated. Obviously, RT doesn’t have a way to randomly generate passwords, so I edited lib/RT/User.pm and changed "$args{'Password'} = 'NO-PASSWORD';" to $args{'Password'} = crypt($args{'Name'}, $salt); — This effectively makes the password the same as their email address and it’s working perfectly. When I send them the auto-reply template, I include the following URL:
http://mysite.com/SelfService/Display.html?id={$Ticket->id()}&user={$Ticket->CreatorObj->Name}&pass={$Ticket->CreatorObj->Name}

It works PERFECTLY

Obviously my only concern here is security. Once my customers realize that their password is the same as their email address, I may have a few get curious and decide to browse other tickets. I need to prevent this.

I’m proposing the following and I’d like pointers on the best way to implement this:

** Since there’s no way for the method that sets the password in the database to talk to my template and tell it what password it chose, I’d like to base the password on the email address, but run it through some sort of non-secure encryption on both sides (something cheesy like shifting all the characters up 10 is the general idea… just something both sides can agree upon, and the result will be the same). I realize this is security by obscurity (banking on the customer not being able to figure out what algorithm you used to generate their password) but it’s MUCH better than what I’ve got now.

So I would set the password using $password = myencrypt(email_address) – but how do I tie this in on the template side?

All help is appreciated. :-)

Brian
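
The question above asks for a value that the user-creation code and the autoreply template can both compute. A keyed hash gives that without depending on the algorithm staying unknown. This is an added example, not part of the original post or of RT's code; `$SERVER_SECRET`, `shift_password`, `keyed_password` and `same_string` are hypothetical names, and the addresses are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical server-side secret (assumption): load it from a file that only
# the RT process can read, never from the template text or the e-mail.
my $SERVER_SECRET = 'constructed-example-secret-change-me';

# The keyless scheme from the post: shift every printable character up by 10.
# No secret goes in, so knowing an address is enough to know the password.
sub shift_password {
    my ($email) = @_;
    return join '', map { chr((ord($_) - 32 + 10) % 95 + 32) } split //, $email;
}

# Keyed alternative: HMAC-SHA256 over the address with the server secret.
# Both call sites hold the secret, so they agree on the result.
sub keyed_password {
    my ($email, $secret) = @_;
    return substr(hmac_sha256_hex(lc $email, $secret), 0, 24);
}

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Constructed sample requestors, not taken from any real system.
my ($alice, $bob) = ('alice@example.com', 'bob@example.net');

# "User creation" and "autoreply template" compute the value independently.
my $stored  = keyed_password($alice, $SERVER_SECRET);
my $in_mail = keyed_password($alice, $SERVER_SECRET);
print "both sides agree: ", (same_string($stored, $in_mail) ? "yes" : "no"), "\n";

# Any customer can run the shift on another address, because it needs no secret.
print "shift scheme, bob: ", shift_password($bob), "\n";

# Without the server secret, a guessed key produces a different value.
my $guess = keyed_password($bob, 'wrong-guess');
print "guess matches bob: ",
    (same_string($guess, keyed_password($bob, $SERVER_SECRET)) ? "yes" : "no"), "\n";
```

The derived value is still fixed per address and is exposed wherever the login URL is logged or forwarded, so it remains weaker than a password generated at random for each user.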

Can you instead use external authentication to an existing system? That way,
you could care less about RT’s version of passwords (very good from a
security perspective, since there’s no real password management in RT [nor
should there be since RT’s mission in life really shouldn’t include
significant user management minutiae]) and users as of their first use would
be able to access self service.

Thanks,
Christian

Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group

-----Original Message-----
From: rt-users-admin@lists.fsck.com
[mailto:rt-users-admin@lists.fsck.com]On Behalf Of Brian Shellabarger
Sent: Thursday, November 07, 2002 1:16 PM
To: rt-users@lists.fsck.com
Subject: [rt-users] Solution for User Password + Viewing ticket status

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm


The following template will send users an autogenerated random
pronounceable password if inserted into an autoreply template.

Users who have previously submitted tickets but not yet had a password assigned
will have a password assigned and sent on submission of their first new ticket. (All previous tickets will still show up in the web ui)

Best,
Jesse

=============== CUT HERE =====================

{
# Make _GenerateRandomNextChar also callable as GenerateRandomNextChar.
*RT::User::GenerateRandomNextChar = \&RT::User::_GenerateRandomNextChar;

# Only act for real, unprivileged requestors who have no password yet.
if (($Transaction->CreatorObj->id != $RT::Nobody->id) &&
    (!$Transaction->CreatorObj->Privileged) &&
    ($Transaction->CreatorObj->__Value('Password') eq 'NO-PASSWORD')
) {

    my $user = RT::User->new($RT::SystemUser);
    $user->Load($Transaction->CreatorObj->Id);
    my ($stat, $pass) = $user->SetRandomPassword();

    if (!$stat) {
        $OUT .=
"An internal error has occurred. RT was not able to set a password for you.
Please contact your local RT administrator for assistance.";

    } else {
        # Template output is collected in $OUT (upper case); only send
        # credentials when the password was actually set.
        $OUT .= "
You can check the current status and history of your requests at:

    ".$RT::WebURL."

When prompted, enter the following username and password:

    Username: ".$user->Name."
    Password: ".$pass."

";
    }
}
}

================ CUT HERE ===================

»|« Request Tracker — Best Practical Solutions – Trouble Ticketing. Free.