diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-April/003400.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/2011-April/003400.html | 171 |
1 files changed, 171 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-April/003400.html b/zarb-ml/mageia-sysadm/2011-April/003400.html new file mode 100644 index 000000000..f7db706d8 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-April/003400.html @@ -0,0 +1,171 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Users authentication on forums + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C20110426182441.GF21938%40mars-attacks.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="003372.html"> + <LINK REL="Next" HREF="003402.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Users authentication on forums</H1> + <B>nicolas vigier</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C20110426182441.GF21938%40mars-attacks.org%3E" + TITLE="[Mageia-sysadm] Users authentication on forums">boklm at mars-attacks.org + </A><BR> + <I>Tue Apr 26 20:24:41 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="003372.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI>Next message: <A HREF="003402.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3400">[ date ]</a> + <a href="thread.html#3400">[ thread ]</a> + <a href="subject.html#3400">[ subject ]</a> + <a href="author.html#3400">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Tue, 19 Apr 2011, Michael Scherer wrote: + +><i> Le lundi 11 avril 2011 à 14:39 +0200, nicolas vigier a écrit : +</I>><i> > Hello, +</I>><i> > +</I>><i> > For authentication on the forums, we are currently using ldap. The user +</I>><i> > sends his login and passwords to phpbb which use it to authenticate on +</I>><i> > ldap server. Because of this, someone with root access on the forums +</I>><i> > server can access password of any user connecting to the forums. And +</I>><i> > because important passwords are transfered, the connection needs to be +</I>><i> > in SSL, so the *.mageia.org certificate also needs to be installed. So +</I>><i> > access to the server needs to be restricted to sysadmin team only, who +</I>><i> > also need to be able to check what is being done on forums, check it is +</I>><i> > secure, etc ... And I think this makes forums admins not happy. +</I>><i> +</I>><i> Then what about doing like french forums, and not connect at all to our +</I>><i> ldap. +</I>><i> +</I>><i> This let people the whole freedom to do what they want and allow us to +</I>><i> focus on stuff that we need ( like deploying everything that need to be +</I>><i> deployed, wiki, bittorrent server, etc, see the bugzilla for list of +</I>><i> thing to do ). +</I> +Yes, that's what I was thinking first. One day that I decided to be +lazy and started to think how to get ride of forums. Maybe that is not +a good idea. But it was planned to migrate forums to an other server +installed and managed by other people, and we have the same problem in +that case, that other people not in sysadmin team are root on this server. +But even if we don't do that and continue to be the only root on the +server, someone hacking the phpbb server could easily add a password +logger in source code and steal passwords allowing access to svn or some +other servers. + +So to avoid a security hole in one web app to give access to everything, +I think it would be useful to separate authentication part. Actually I +don't know enough about openid, oauth and other protocols to say which +one is better. But we can see this with help of webteam. + +><i> +</I>><i> - we would need to make changes to applications, in a non upstreamable +</I>><i> way. It was one of the point in favor of ldap , that everything can be +</I>><i> easy to share. If we start to go this way, we will end like each time we +</I>><i> go this way, with a huge forked stuff. Packagers learned this the hard +</I>><i> way more than once. And lack of time + big pile of customization is what +</I>><i> blocked forum upgrade for years, so I really think we start to learn +</I>><i> from our past mistakes. +</I> +I think a phpbb oauth plugin could be upstreamable. There is already an +openid plugin, where we could add an option to force openid server, and +maybe upstream this option. + +><i> - openid/oauth manage the authentication ( and some vcard stuff ) but +</I>><i> not the autorisation. For example, Transifex ( and others django +</I>><i> application ) do use ldap groups for autorisation and I think that's +</I>><i> rather a good idea to manage this using ldap. +</I>><i> +</I>><i> While it is not the case right now for forums, as said before, there was +</I>><i> some discussions about having i18n/packagers/etc people having extended +</I>><i> rights on some subforums, this would be harder to be done cleanly +</I>><i> without a ldap access. +</I> +I though it was too difficult to do it in phpbb, so we decided to not +use ldap groups in phpbb. But using external authentication does not +prevent us to use ldap groups. It should be possible to give limited +ldap access to phpbb to read group infos and use something else for +authentication. + +><i> - moreover, keeping group of people outside of our ldap would make +</I>><i> various process harder. +</I>><i> +</I>><i> For example, if we want to elect moderators representatives, this would +</I>><i> be tedious to do it on epoll if the group is stored elsewhere ( it is +</I>><i> tedious now but there is some bug to fix for that ). If we want to setup +</I>><i> a ml synced with ldap ( like board-private@ ), this would also cause +</I>><i> data duplication. Email aliases are also based on ldap group membership, +</I>><i> etc. +</I> +I agree that we shouldn't store groups elsewhere. + +><i> - Most web applications will also need to access to email of users for +</I>><i> various reasons ( like sending email ), most will also store the email +</I>><i> for later usage. That's personal information that we should also protect +</I>><i> and I think the various threads on the subject in the past, or the +</I>><i> recent issue regarding Epsilon, or Google show that enough people care +</I>><i> about that. We cannot share them with anyone without having this written +</I>><i> in the privacy policy, ( policy that is still a draft cf bug 452 ) and +</I>><i> told to users. +</I>><i> +</I>><i> +</I>><i> - Moreover, if we start to give private informations to 3rd party +</I>><i> websites, they should IMHO also have a privacy policy, and respect it. +</I>><i> But yet, we cannot do much to make sure it is enforced or respected, +</I>><i> unless if we are root. And if we are root on the server, then I see no +</I>><i> reason to not handle like the others ( ie, puppet etc ). Then we are +</I>><i> back on the same issues that sparkled the proposal. +</I>><i> +</I>><i> +</I>><i> - As said on irc, there is the security issues. While we can suffer from +</I>><i> it on our servers too, this would be a wrong way of evaluating the risk. +</I>><i> If we take for example X external web sites, managed by X different +</I>><i> group, and the Mageia web applications, there is more attack surface +</I>><i> ( around X+1 time more ) than just having the Mageia applications. And +</I>><i> unless we can guarantee that all 3rd party admins will be skilled enough +</I>><i> in the arcane of security, the risk would likely be bigger than smaller. +</I> +I think using an authentication server is better for security : + - without authentication server, all web sites receive the ldap + password, and have read/write access to the ldap from the user + account. Someone taking control of one website can access all + passwords of users connecting. + - with authentication server, the web sites (except authentication + web site) do not receive the password, so they cannot steal it, cannot + authenticate on other websites. It's bad if one of the website is + attacked, but it doesn't give access to the svn or other websites. + +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="003372.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI>Next message: <A HREF="003402.html">[Mageia-sysadm] Users authentication on forums +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3400">[ date ]</a> + <a href="thread.html#3400">[ thread ]</a> + <a href="subject.html#3400">[ subject ]</a> + <a href="author.html#3400">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |