
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Travers wrote:
> On 10/3/07, Joshua D. Drake <..hidden..> wrote:

> Apache/PostgreSQL authentication can still be done via any auth method.  SSL
> would be nice for this leg but it is not where the issue is (which is
> between the browser and Apache).
> 
> So I think we definitely should recommend the use of SSL on that leg, but I
> am not convinced we can't trust administrators to make intelligent choices
> here.

This is not our problem. Using your argument, not a single person should
ever install Ubuntu because they can gain root access and destroy their
data.

Our responsibility is to recommend best practices for running LSMB and
provide the information required to implement those practices.

If the administrator doesn't follow those practices, sucks to be them.

> 
> Further, we should make it part of the requirements that a user use
>> https to talk to lsmb as well.
> 
> Agreed that this should be a documented requirement for any access over the
> network.
> 
> One thing we *can* do is change the default configuration to only accept
> connections to the app on the Apache side from Localhost.  This way they
> have to knowingly change it.  It is similar to the approach PostgreSQL
> takes.  You want to run this over a network? You have to explicitly enable
> it.

Sure, I would be ok with that.

> 
> That is a simple change and would go a long way to balancing security and
> newbie installability.

Sincerely,

Joshua D. Drake



> 
> Best Wishes,
> Chris Travers
> 
> _______________________________________________
> Ledger-smb-devel mailing list
> ..hidden..
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel


- --

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997  http://www.commandprompt.com/
			UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHA9SYATb/zqfZUUQRAmuIAJ4yN6/et98L9tdAL9WqaaU0ZOtXQQCfXmxc
m2n6DQLitk+f2qpOiJVA56A=
=7Jip
-----END PGP SIGNATURE-----
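The two deployment defaults discussed in the thread, loopback-only listening on the Apache side and HTTPS required for the browser leg, as an added Apache 2.2 configuration fragment. This is illustration written for this page, not the thread's or the LedgerSMB project's own configuration; the certificate paths, the install directory and the use of a 443 virtual host are assumptions.

```apache
# Added illustration: paths and ports below are assumed, not LedgerSMB's own.
# Bind only the loopback interface. A network deployment then requires an
# administrator to knowingly change this line, the same posture PostgreSQL
# takes with listen_addresses.
Listen 127.0.0.1:443

<VirtualHost 127.0.0.1:443>
    SSLEngine on
    # Assumed certificate and key locations.
    SSLCertificateFile    /etc/apache2/ssl/lsmb.crt
    SSLCertificateKeyFile /etc/apache2/ssl/lsmb.key

    # Assumed application install directory.
    Alias /ledgersmb /usr/local/ledgersmb
    <Directory /usr/local/ledgersmb>
        # Apache 2.2 host-based access control: refuse every client except
        # loopback (Apache 2.4 expresses the same thing as "Require local").
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1

        # Even if an administrator later widens Listen to a network address,
        # plain-HTTP requests to the application are refused, so the HTTP
        # Basic credentials are never sent across the wire unencrypted.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

Check the fragment with `apachectl configtest` before reloading. The PostgreSQL half of the analogy lives in `postgresql.conf` (`listen_addresses = 'localhost'`) and `pg_hba.conf`, where remote client access likewise has to be opened explicitly; the browser-to-Apache leg is the one this fragment protects.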