As far as I can tell, this authentication method bypasses the Login Token (https://docs.moodle.org/dev/Login_token) security feature. Seems like it could make brute-forcing passwords slightly easier.
Interested in this plugin for the crawler tool, nothing else. So ideally this plugin should only be available to a single account (the crawler tool account) or the IP of the server(s) which run the scheduled tasks/cron.
I can see the IP Whitelist setting is only used in relation to the master password option.
I think there should be an option to have an IP Whitelist for any use of this auth plugin; the real question is whether this should be a separate whitelist from the master password whitelist.
As the IP whitelist has no use in a prod site, I think it would be fine to enforce it, if set, for both the normal passwords and the master passwords across the board without the need for a new option.
Pull requests welcome
aspark21 added a commit to aspark21/moodle-auth_basic that referenced this issue, Jun 22, 2020
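The behaviour proposed in the reply above, sketched as an added example (not code from the plugin or from the referenced commit): the IP whitelist, when set, gates both the normal and master password paths before any password is compared. The function names, the verifier callbacks and the sample addresses are assumptions for illustration, and the sketch is in Python rather than the plugin's PHP.

```python
import ipaddress


def ip_allowed(remote_ip, whitelist):
    """True when the whitelist is empty (not set) or remote_ip matches an entry.

    `whitelist` is a newline- or comma-separated string of addresses and
    CIDR ranges (assumed format, hypothetical setting).
    """
    entries = [e.strip() for e in whitelist.replace(",", "\n").splitlines() if e.strip()]
    if not entries:
        return True  # "if set": an empty list means no restriction
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # unparseable client address fails closed
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed entry never widens access
        if addr.version == net.version and addr in net:
            return True
    return False


def basic_auth_login(remote_ip, username, password, whitelist, verify_user, verify_master):
    """Decide a Basic-auth attempt; the IP gate runs before any password check.

    verify_user(username, password) and verify_master(password) are
    hypothetical callbacks standing in for the real credential checks.
    """
    if not ip_allowed(remote_ip, whitelist):
        # Rejected without touching either password path, so a client
        # outside the list gets no signal about whether a guess was right.
        return "ip_not_allowed"
    if verify_master(password):
        return "ok_master"
    if verify_user(username, password):
        return "ok_user"
    return "bad_credentials"


if __name__ == "__main__":
    # Constructed sample: the cron/crawler host sits in 10.0.0.0/24.
    wl = "10.0.0.0/24\n192.0.2.10"
    check_user = lambda u, p: (u, p) == ("crawler", "constructed-pw")
    check_master = lambda p: False
    for ip in ("10.0.0.5", "203.0.113.9"):
        print(ip, basic_auth_login(ip, "crawler", "constructed-pw", wl, check_user, check_master))
```
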