Improve handling of password-less (remote) users #8481

New Issue

Closed

opened 2025-12-29 20:37:16 +01:00 by adam · 5 comments

adam commented 2025-12-29 20:37:16 +01:00

Owner

Copy Link

Originally created by @pv2b on GitHub (Aug 17, 2023).

NetBox version

v3.5.8

Feature type

New functionality

Proposed functionality

The proposed functionality is to improve handling of password-less users by:

1. Allowing an administrator to remove a password for a user where a password already exists (similar to the /admin/auth/user/ID/change view)
2. Adding a column to the /admin/auth/user view to easilly be able to audit which users have local passwords set.
3. Disabling the "password" tab on the /user/profile/ view for users that have no password set. (And thus are unable to change it.)

Use case

As previously discussed in FR #11672, it is a commonly requested scenario to want to restrict the use of local authentication, for organizations that are using SSO. The Netbox development team have responded that they will not be adding an option to completely disable local authentication or the login form. Instead, the intended solution for an administrator desiring this kind of setup is to disable or remove all locally defined accounts.

(Note: A local account is created whenever a user first signs in with a social account, however, local login is prevented by the fact that this user has no password set.)

In order to better support that scenario, there are a few gaps in the current setup:

1. If a local user was created, and then was subsequently associated with a social user, that user will have a password, and there is no way to remove that password through the UI, once it's been set. For the use case where users were initially created in Netbox, but then are migrated over to SSO, it'd be useful to be able to remove their passwords, after the fact, thereby forcing those users to log in through SSO in future, without breaking any history.

2. For purpose of security auditing, it's neccessary to be able to see what users can bypass the SSO system and log in locally. It'd be convenient to be able to see this as an extra "checkbox" column on the admin view, instead of having to click every individual user.

3. For users that log in through SSO, and have no local passwords set, they will never be able to change their password anyway, so hiding this option in the UI is a good way to reduce clutter and confusion.

The underlying requirement is to be able to fulfill security standards in organization that, for example, require Netbox to be accessed from authorized devices only, in a zero-trust type scenario. In this case, the authentication provider ensures that logins happen only from authorized devices (outside the scope of Netbox), and local authentication needs to remain effectively disabled to maintain that security control, and regular audits need to be kept in place in order to ensure it remains disabled.

Database changes

None. This can all be done at the UI level.

External dependencies

None.

Originally created by @pv2b on GitHub (Aug 17, 2023). ### NetBox version v3.5.8 ### Feature type New functionality ### Proposed functionality The proposed functionality is to improve handling of password-less users by: 1. Allowing an administrator to remove a password for a user where a password already exists (similar to the `/admin/auth/user/ID/change` view) 2. Adding a column to the `/admin/auth/user` view to easilly be able to audit which users have local passwords set. 3. Disabling the "password" tab on the `/user/profile/` view for users that have no password set. (And thus are unable to change it.) ### Use case As previously discussed in FR #11672, it is a commonly requested scenario to want to restrict the use of local authentication, for organizations that are using SSO. The Netbox development team have responded that they will not be adding an option to completely disable local authentication or the login form. Instead, the intended solution for an administrator desiring this kind of setup is to disable or remove all locally defined accounts. (Note: A local account is created whenever a user first signs in with a social account, however, local login is prevented by the fact that this user has no password set.) In order to better support that scenario, there are a few gaps in the current setup: 1. If a local user was created, and then was subsequently associated with a social user, that user will have a password, and there is no way to remove that password through the UI, once it's been set. For the use case where users were initially created in Netbox, but then are migrated over to SSO, it'd be useful to be able to remove their passwords, after the fact, thereby forcing those users to log in through SSO in future, without breaking any history. 2. For purpose of security auditing, it's neccessary to be able to see what users can bypass the SSO system and log in locally. It'd be convenient to be able to see this as an extra "checkbox" column on the admin view, instead of having to click every individual user. 3. For users that log in through SSO, and have no local passwords set, they will never be able to change their password anyway, so hiding this option in the UI is a good way to reduce clutter and confusion. The underlying requirement is to be able to fulfill security standards in organization that, for example, require Netbox to be accessed from authorized devices only, in a zero-trust type scenario. In this case, the authentication provider ensures that logins happen only from authorized devices (outside the scope of Netbox), and local authentication needs to remain effectively disabled to maintain that security control, and regular audits need to be kept in place in order to ensure it remains disabled. ### Database changes None. This can all be done at the UI level. ### External dependencies None.

adam added the type: featurepending closure labels 2025-12-29 20:37:16 +01:00

adam closed this issue 2025-12-29 20:37:16 +01:00

adam commented 2025-12-29 20:37:17 +01:00

Author

Owner

Copy Link

@ITJamie commented on GitHub (Aug 17, 2023):

I agree with this for another usecase.

"service" accounts. ie users that are created just for API access and to show it was "app name" that made changes in the changelog.
those service account users shouldn't ever be able to be logged into so shouldn't have to have a password assigned.

@ITJamie commented on GitHub (Aug 17, 2023): I agree with this for another usecase. "service" accounts. ie users that are created just for API access and to show it was "app name" that made changes in the changelog. those service account users shouldn't ever be able to be logged into so shouldn't have to have a password assigned.

adam commented 2025-12-29 20:37:17 +01:00

Author

Owner

Copy Link

@pv2b commented on GitHub (Aug 17, 2023):

I agree with this for another usecase.

"service" accounts. ie users that are created just for API access and to show it was "app name" that made changes in the changelog. those service account users shouldn't ever be able to be logged into so shouldn't have to have a password assigned.

For that use case you'd ideally need to add another line item to the proposed functionality:

• When adding a user through /admin/auth/user/add, allow that user to be created with no password.

This could also support the idea of pre-creating users you expect to show in in social auth, so you can assign permissions to them before their first login.

But this might be best tracked as a seperate FR?

@pv2b commented on GitHub (Aug 17, 2023): > I agree with this for another usecase. > > "service" accounts. ie users that are created just for API access and to show it was "app name" that made changes in the changelog. those service account users shouldn't ever be able to be logged into so shouldn't have to have a password assigned. For that use case you'd ideally need to add another line item to the proposed functionality: - When adding a user through `/admin/auth/user/add`, allow that user to be created with no password. This could also support the idea of pre-creating users you expect to show in in social auth, so you can assign permissions to them before their first login. But this might be best tracked as a seperate FR?

adam commented 2025-12-29 20:37:17 +01:00

Author

Owner

Copy Link

@pv2b commented on GitHub (Aug 17, 2023):

For reference, if anyone needs to be able to do 1 and 2, pending this FR, this can be done through nbshell.

1. To get a list of users who have local passwords set:

[u.username for u in AdminUser.objects.all() if u.has_usable_password()]

2. To remove a password for a single user:

u = AdminUser.objects.get(username='ExampleUsername')
u.set_unusable_password()
u.save()

@pv2b commented on GitHub (Aug 17, 2023): For reference, if anyone needs to be able to do 1 and 2, pending this FR, this can be done through [nbshell](https://demo.netbox.dev/static/docs/administration/netbox-shell/). 1. To get a list of users who have local passwords set: ```python [u.username for u in AdminUser.objects.all() if u.has_usable_password()] ``` 2. To remove a password for a single user: ```python u = AdminUser.objects.get(username='ExampleUsername') u.set_unusable_password() u.save() ```

adam commented 2025-12-29 20:37:17 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Nov 16, 2023):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

@github-actions[bot] commented on GitHub (Nov 16, 2023): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. **Do not** attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).

adam commented 2025-12-29 20:37:17 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Dec 16, 2023):

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.

@github-actions[bot] commented on GitHub (Dec 16, 2023): This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

21102-fix-graphiql-explorer

update-changelog-comments-docs

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label pending closure type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#8481