I made an authenticator for a workshop we had this week and wanted to show it off in case others found it useful. The short version is that with this dummyAuthenticator mod you can securely configure an administrator password alongside the user password. There are also restrictions in place to prevent misconfiguration as well as users from breaking into admin accounts, which is a major concern when using dummyAuthenticator alongside admin_users for simple administrative access for ad-hoc users. You can find it over on my github! It requires JH 1.0 in order to work.
We had previously used the github authenticator for an IEEE event, but we knew better than to try and get dozens of users to accept an organizational invite to filter users properly/safely, so we just left it open to any github account and hoped no one would notice. With this, you still have a barrier to entry while supporting ad-hoc users and allowing admin accounts.
You can configure admin usernames for use with dummyAuthenticator, but it’s trivial to copy the username and get access to an admin session. Admin status is much better protected through a password than username whitelisting. This system also prevents a similar attack by hooking into the orm and locking accounts to their respective passwords after creation (which is why I’m not making a PR to update dummyAuthenticator). The level of an existing account can only be changed by an administrator.
The system also protects against misconfigurations by requiring a password be set for admin access and requiring it to be different from the user password in order to work. Z2JH integration is relatively straightforward, though I don’t have it documented as I built it in to our Z2JH hub images.
Let me know what you think! It’s been awhile since I’ve worked on JH stuff and I’m pretty pleased with it.