From: Andrew N. <and...@vi...> - 2008-10-15 15:51:08
Jeffrey - Would you mind submitting the patch to the JIRA issue tracker?

Thanks
Andrew

> -----Original Message-----
> From: Barnett, Jeffrey [mailto:jef...@ya...]
> Sent: Tuesday, October 14, 2008 3:39 PM
> To: Chris Delis; vuf...@li...
> Subject: Re: [VuFind-Tech] SSL & VuFind 0.8 (and beyond)
>
> All of Chris's comments and self-correction are valid, and essential
> for an out-of-the-box vufind login, but FWIW, Yale has taken a patch
> originally created by Princeton to enable login via central
> authentication service (CAS+LDAP) and upgraded it to work with a
> near-current trunk (r1064). If anyone is interested in this approach,
> and possibly re-introducing it to the main distribution package let
> me know.
>
> CAS uses a completely separate ssl session to challenge for user
> credentials and then stores a cookie which vufind can use for LDAP
> queries to complete the login without ever needing to see or locally
> store the password.
>
> -----Original Message-----
> From: Chris Delis [mailto:ce...@ui...]
> Sent: Tuesday, October 14, 2008 3:18 PM
> To: vuf...@li...
> Subject: Re: [VuFind-Tech] SSL & VuFind 0.8
>
> On Tue, Oct 14, 2008 at 12:52:37PM -0500, Chris Delis wrote:
> > On Tue, Oct 14, 2008 at 11:41:01AM -0500, Chris Delis wrote:
> > > On Tue, Oct 14, 2008 at 11:33:01AM -0500, Chris Delis wrote:
> > > > On Tue, Oct 14, 2008 at 10:10:20AM -0400, Andrew Nagy wrote:
> > > > > One step toward this is the lightbox login. I use a 2way
> > > > > encryption scheme in javascript to encrypt the user's password
> > > > > so that ssl is not needed since having the lightbox login would
> > > > > require the entire site to be run through ssl which is not an
> > > > > optimal approach. I think the same approach could be
> > > > > implemented in the login page and this would reduce the need
> > > > > for ssl.
> > > > >
> > > > Slightly off-topic, since I refer to the latest svn and not 0.8
> > > > here:
> > > >
> > > > I looked over the latest svn (haven't implemented it yet), so
> > > > please take what I say with a pinch of salt (no pun intended, for
> > > > those who "get" the awful non-joke). In looking at the code, it
> > > > appears that rc4 is being used, which is a symmetric key
> > > > algorithm; this means that it depends on a single key for
> > > > en/de-cryption. This is obviously better than nothing, but will
> > > > never compete with PKI. No big surprise
> > >
> > > I forgot to add:
> > >
> > > Yes, I know that symmetric key encryption doesn't "compete" with
> > > PKI, but instead they usually work together, e.g., PKI used for key
> > > exchange, then use symmetric key encryption for the payload. Sorry
> > > for the wrong implication.
> > >
> > > --Chris
> > >
> > > > there, since key management is probably the most difficult thing
> > > > in security (which is why PKI is so nice). That being said, I
> > > > think it would be a really good idea to allow VuFind implementors
> > > > an easy way to set this key (I believe this is currently
> > > > "hardcoded" based on the server address). I might put it in the
> > > > config.ini file. Also, I would *NOT* set it to a default value in
> > > > the distribution, since this code is open source (and known to
> > > > anyone wishing to look for it ;-) Instead, I'd leave it blank and
> > > > force the administrator to set it, i.e., have the login code make
> > > > sure the key is set, otherwise put up an error page so the
> > > > administrator is forced to set it.
> >
> > Meh. Never mind. It might not be worth it to go thru this hoop since
> > it is easy enough to query the vufind server for the salt anyway. So
> > whether or not you decide to set it manually to a different value or
> > stick with the default, you still be at the strength level.
> > Still:
>
> Hello again,
>
> Wow, is my typing off today...
>
> Another typo: I forgot to include the word, "same," above. I meant to
> say: "at the same strength level."
>
> > the lightbox layer is better than plain text, but not by much.
>
> Also, the previous line was a tad overly-pessimistic. The lightbox
> layer is significantly better than plain text. My bad.
>
> However, let me be more constructive in my criticism :-)
>
> I would like to point out that this approach would be a lot better
> if the salt were randomized. Currently the salt is -- as I've
> mentioned above -- static, e.g.,
>
> http://vufind.org/demo/AJAX/Home?method=GetSalt
>
> (which produces the same salt value, currently based on the server's
> ip address)
>
> If we simply randomized the function, Home::generateSalt() in
> web/services/AJAX/Home.php, this would make it a lot stronger against
> dictionary attacks. I would supply a patch, but I am not yet working
> with the latest svn.
>
> Cheers,
> Chris
>
> > Chris
> >
> > > > Chris
> > > >
> > > > > Thoughts?
> > > > >
> > > > > Andrew
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Jon Gorman [mailto:jon...@gm...]
> > > > > > Sent: Tuesday, October 14, 2008 9:54 AM
> > > > > > To: vuf...@li...
> > > > > > Subject: [VuFind-Tech] SSL & VuFind 0.8
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > Just doing some fact finding. How many folks that are (or
> > > > > > were) using VuFind 0.8 and use some sort of SSL layer? Poking
> > > > > > through the code it doesn't seem straight-forward to just
> > > > > > activate, but I'm thinking that it should be feasible. I would
> > > > > > think you just need to tweak the apache config a little bit so
> > > > > > certain pages are only accessible as https. The next step
> > > > > > would make a successful login change the "default" path to
> > > > > > https.
> > > > > > (I suppose a better approach would be only certain pages
> > > > > > such as requesting and my account are encrypted). Is this the
> > > > > > approach taken by other folks or did you do something
> > > > > > different?
> > > > > >
> > > > > > Jon Gorman
> > > > > >
> > > > > > -------------------------------------------------------------------------
> > > > > > This SF.Net email is sponsored by the Moblin Your Move Developer's
> > > > > > challenge
> > > > > > Build the coolest Linux based applications with Moblin SDK & win great
> > > > > > prizes
> > > > > > Grand prize is a trip for two to an Open Source event anywhere in the
> > > > > > world
> > > > > > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > > > > > _______________________________________________
> > > > > > Vufind-tech mailing list
> > > > > > Vuf...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/vufind-tech