AD user password hashes are stored in Gitea database

[songmeo]

• Gitea version: 1.12.6
• Database
  • MySQL

Description

We are using LDAP Active Directory for Gitea authentication. Recently, we noticed AD users password hashes are stored in Gitea database. This shouldn't be the best practice since we already have LDAP.

[zeripath]

AFAICS password hashes can only end up stored there if your users add them.

But why are your users doing that? Well... The ultimate issue is that basic authentication can only authenticate one of the possible three ways:

• Token
• OAuthAccessToken
• InternalDB hash check.

So if your users are doing git over http(s), API basic calls or LFS without ssh then they will very likely end up setting passwords on the local db - because that's easier than creating a token or OAuthAccessToken because they won't understand the issue.

Now can we do better?

Well one thing we're thinking about is banning basic authentication with password hashing in any case - as it's too expensive on reasonable hashing systems.

But we also need to be able to make it possible to prevent external users from becoming local users.

[lafriks]

I don't think we store actual password, just random password hash