
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)




Chris Nighswonger wrote:
> On 10/2/07, Joshua D. Drake <..hidden..> wrote:
>> Chris Nighswonger wrote:
>>> On 10/1/07, Chris Travers <..hidden..> wrote:
>>> Maybe hash it in the JavaScript (or whatever method you choose),
>>> store the hash in a cookie, transmit the hash, have the code unhash
>>> and pass the password to the DBI connect routine. Thus the only place
>>> the password is in plain text is in the connect routine. (One must
>>> wonder why the connect routine is not written to take hashed passwords
>>> to begin with.)
>> Or perhaps just require ssl connectivity to postgresql.
> 
> I had this thought as well, but was not sure whether this was
> considered part of deployment of LedgerSMB rather than coding and
> therefore the responsibility of the installer/admin. In any case ssl
> adds more security to the dataflow in general, whether or not it is
> the solution in this case.

IMO this is a problem, in general, with the idea of having roles in the
database, regardless of application.

My take is very simple:

1. Document strongly that SSL-enabled PostgreSQL is the way to run
LedgerSMB. Provide links, howtos, etc.

2. Document that if they are unable to use PostgreSQL with ssl that they
need a secondary authentication system such as http-auth in front of
PostgreSQL.

In short, imo this is an administrator problem, not a LSMB problem.

Joshua D. Drake

> 
> Chris
> 


-- 

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997  http://www.commandprompt.com/
			UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/
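The client side of point 1 above, as an added example that is not LedgerSMB code nor anything from the thread: a DBI connection that refuses to fall back to a cleartext PostgreSQL session and verifies the result server-side. It assumes DBD::Pg built against an SSL-capable libpq, PostgreSQL 9.5 or later for the `pg_stat_ssl` view, and placeholder host, database and role names.

```perl
#!/usr/bin/perl
# Added example (not LedgerSMB code): connect to PostgreSQL with TLS
# required, then confirm the backend session is actually encrypted before
# doing any further work with the credentials.
# Assumptions: DBD::Pg with SSL-capable libpq, PostgreSQL 9.5+ (pg_stat_ssl),
# placeholder host/db/role names, credentials taken from the environment.
use strict;
use warnings;
use DBI;

# Server side (pg_hba.conf), for reference. The first line is the weak
# setting, the second the corrected one: 'hostssl' entries match only TLS
# connections, so a cleartext login attempt is refused outright.
#   host     ledgersmb  all  192.0.2.0/24  md5   # accepts cleartext logins
#   hostssl  ledgersmb  all  192.0.2.0/24  md5   # TLS connections only

sub connect_with_tls {
    my ($host, $db, $user, $pass) = @_;
    # sslmode=require makes libpq refuse a cleartext connection. It only
    # guarantees encryption; sslmode=verify-full plus sslrootcert would also
    # authenticate the server certificate.
    my $dsn = "dbi:Pg:dbname=$db;host=$host;sslmode=require";
    my $dbh = DBI->connect($dsn, $user, $pass,
        { RaiseError => 1, AutoCommit => 1, PrintError => 0 })
        or die "connect failed: $DBI::errstr";

    # Belt and braces: ask the server whether this very session uses TLS.
    # DBD::Pg returns the boolean as 1 or 0.
    my ($ssl) = $dbh->selectrow_array(
        'SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()');
    unless ($ssl) {
        $dbh->disconnect;
        die "session is not TLS-protected; refusing to continue\n";
    }
    return $dbh;
}

my $dbh = connect_with_tls('db.example.internal', 'ledgersmb',
                           $ENV{LSMB_USER}, $ENV{LSMB_PASS});
print "connected over TLS as ", $dbh->{Username}, "\n";
$dbh->disconnect;
```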
