A CKAN extension to hold various security improvements for CKAN, including:
- Stronger password reset tokens
- Uses any 2 character sets for password validations.The character sets are uppercase characters, lowercase characters, digits, and special characters.
- Brute force protection
- Cookie-based CSRF protection for requests
- Removed ability to change usernames after signup
- Server-side session storage
- Session invalidation on logout
- Stronger password validators (NZISM compatible)
- When users try to reset a password for an email address, CKAN will no longer disclose whether or not that email address exists in the DB.
- Hide user profiles and user list from users not logged in
- Check for profanity and sensitive words, like "hack", in usernames and user descriptions.
Reset tokens are generated using os.urandom(16) instead of CKAN's default
uuid.uuid4().hex[:10].
Users attempting to log in more than ckanext.security.login_max_count times
within ckanext.security.lock_timeout seconds from a single IP address will be
temporarily locked out.
By default, this means that after 10 unsuccessful login attempts within 15 minutes the login will be disabled for another 15 minutes.
A notification email will be sent to locked out users.
- Session- and CSRFMiddleware need to be placed at the bottom of the middleware
stack. This requires to patch
ckan.config.middleware.pylons_app. The patch is currently available in the data.govt.nz CKAN repository on thediabranch, or commit74f78865for cherry-pick. - A running memcached instance and
libmemcached-dev.
You will need at least the following setting ins your who.ini
[plugin:use_beaker]
use = repoze.who.plugins.use_beaker:make_plugin
key_name = ckan_session
delete_on_logout = True
[plugin:friendlyform]
# <your other settings here>
rememberer_name = use_beaker
[identifiers]
plugins =
friendlyform;browser
use_beaker
[authenticators]
plugins =
ckanext.security.authenticator:CKANLoginThrottle
ckanext.security.authenticator:BeakerMemcachedAuthFor better security, make sure you harden your session configuration (in your ckan config file). See for example the settings below.
[app:main]
# <your other settings here>
beaker.session.key = ckan_session
# Your session secret should be a long, random and secret string!
beaker.session.secret = beaker-secret
beaker.session.data_serializer = json
beaker.session.httponly = true
beaker.session.secure = true
beaker.session.timeout = 3600
beaker.session.save_accessed_time = true
beaker.session.type = ext:memcached
beaker.session.url = 127.0.0.1:11211
beaker.session.memcache_module = pylibmc
beaker.session.cookie_expires = true
# Your domain should show here.
beaker.session.cookie_domain = 192.168.232.65## Security
ckanext.security.memcached = 127.0.0.1:11211 # Memcached URL
ckanext.security.domain = 192.168.232.65 # Cookie domain
# 15 minute timeout with 10 attempts
ckanext.security.lock_timeout = 900 # Login throttling lock period
ckanext.security.login_max_count = 10 # Login throttling attempt limitYou can use pip to install this plugin into your virtual environment:
pip install --process-dependency-links -e 'https://github.com/data-govt-nz/ckanext-security.git#egg=ckanext-security==0.1.0'NOTE: The ``--process-dependency-links` flag has officially been deprecated, but has not been removed from pip, because it is the currently the only setuptools-supported way for specifying private repo dependencies
Then modify your CKAN config to point the extension at your memcached instance:
ckanext.security.memcached = 127.0.0.1:11211Finally, add security to ckan.plugins in your config file.
- If your service is responding with
Internal Server Error, try usingpaster request <config> /. If you see aValueError: No Beaker session (beaker.session) in environmentthen you have not installed the patch to CKAN correctly.