
Re: 1.3 is still a prerelease
On Fri, Jul 22, 2011 at 12:09 PM, John Griessen <..hidden..> wrote:

> I'm a gnucash user interested in the possibility of separating duties
> and also using my installation over the net from a couple of locations.
> I also am interested in your report templates and using
> keyboard-wedge-USB input devices.
>
> Will the security be tight enough to run ledgerSMB on a server
> connected to the internet?

If you require SSL.  1.3 security is pretty good but because of
authentication decisions you need to enable SSL if you are running
over a network.  Also I would recommend in 1.3 setting password
expirations to a sane number if running over the internet.

1.2 has some substantial design omissions in the security structure
which are documented in the manual.  1.3 does away with these.

> I would have to use it with web browser SSL always in that case -- is
> that supported now, or planned to?  What other security suggestions
> do you have for such an installation?

SSL is currently supported.

The second question has to do with supporting appropriate types of
PostgreSQL authentication methods.  Do you have a need to authenticate
against some form of single sign on server?  If so, we can support
LDAP and PAM as methods of authentication right now, and Kerberos
could be supported without a whole lot of work.

The thing you have to think about regarding security for an accounting
system is the fact that an internet attack can mess up your data in
ways that can be painful, but an insider attack is far more dangerous
because it can be used to cover for theft, pointing evidence at other
people and the like.  Therefore you need to carefully think about what
sorts of permissions you want to give people and take the separation
of duties side seriously.

Best Wishes,
Chris Travers
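The advice in the reply (require SSL, pick an authentication method such as LDAP or PAM) lands in PostgreSQL's pg_hba.conf. The fragment below is an added illustration, not configuration from the thread or from the LedgerSMB project; it assumes that the application's users are PostgreSQL roles, and the database name, network ranges and LDAP server name are placeholders.

```conf
# Added example (not from the original message): pg_hba.conf rules for a
# LedgerSMB database reachable over a network. Rules are matched top to
# bottom, first match wins. Names and addresses here are placeholders.

# TYPE      DATABASE    USER   ADDRESS          METHOD   [OPTIONS]

# Weak: 'host' matches both plain and TLS connections, so the credentials
# the web tier forwards to the database on every request can travel in
# the clear if the client did not negotiate TLS.
# host      ledgersmb   all    0.0.0.0/0        md5

# Corrected, step 1: explicitly refuse any connection that is not wrapped
# in TLS, regardless of where it comes from.
hostnossl   ledgersmb   all    0.0.0.0/0        reject

# Corrected, step 2: accept TLS connections only from the web-tier hosts.
# Passwords are checked by PostgreSQL itself; expiry is then a per-role
# property of the database (the "sane" expiration the reply recommends).
hostssl     ledgersmb   all    192.0.2.0/24     md5

# Alternative to the line above: delegate to a single-sign-on directory.
# Simple LDAP bind as "uid=<role>,ou=people,..." over a TLS-protected
# LDAP session (ldap.example.com is a placeholder).
# hostssl   ledgersmb   all    192.0.2.0/24     ldap ldapserver=ldap.example.com ldaptls=1 ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=com"

# Alternative: hand the check to a PAM service, which can apply its own
# expiry and lockout policy (the service name is a placeholder).
# hostssl   ledgersmb   all    192.0.2.0/24     pam pamservice=ledgersmb
```

Because the first matching rule wins, the `hostnossl ... reject` line must stay above the `hostssl` lines; put it lower and a plaintext client from an allowed range would be checked by whichever rule it hits first.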