Mango passwords and instructions?


Mango passwords and instructions?

by Christian Rose

On 9/29/07, Olav Vitters <olav@...> wrote:

> Hello all,
>
>  There is a new way to get accounts set up asap. This uses a new system
>  called Mango. The new system will directly mail the maintainer(s) of the
>  responsible module (you). With this email I'll try to explain how it
>  will work.
>
>   ==> IF YOU AREN'T INTERESTED IN DETAILS, SEE END OF THE EMAIL FOR YOUR
>   ==> PASSWORD
>
>  If you missed my blog post regarding Mango, please read/glance:
>  http://blogs.gnome.org/ovitters/2007/09/26/sneak-preview-of-mango/
>  (images are cropped, sorry)
>
>  Basically the process is as follows:
>  1. User requests account
>  2. User verifies email address
>  3. Mango mails maintainers
>  4. Maintainers reject/approve account request
>  ==> can need multiple maintainers if e.g. the user requested a Bugzilla
>  shell account and SVN for nautilus.. in practice, this won't happen
>  5a. Mango mails Accounts Team
>  5b. Mango mails user giving advice on the progress
>  6. Accounts Team sets up user in LDAP
>  7. User gets welcome email
>
>  Note: steps 3-4 can be skipped as some requests will directly go to the
>  accounts team (e.g. @gnome.org alias)
>
>
>  What does not work:
>  * This is for new accounts. It will not work if the userid already
>  exists. This is planned for the future (so you can request an additional
>  group).
>  * You cannot change your Mango password. Sorry. See end of the email for
>  how to get your password.
>  * You cannot change your other details (SSH keys, email address). It is
>  planned, but can take a while before you see it.
>  * You cannot change who is maintainer of your modules. This is planned
>  for the future.
>  ==> If you want to discuss Mango, please use
>  gnome-infrastructure@... mailing list.
>
>
>  How to approve account requests:
>  * You will get an email from Mango to your email address registered in
>  LDAP. This is (possibly) different from
>  http://foundation.gnome.org/membership/members.php!
>  * Go to https://mango.gnome.org/ and log in (see end of email for
>  password)
>  * You will get an overview of outstanding requests right after logging
>  in. See http://blogs.gnome.org/ovitters/files/2007/09/mango7.png
>  If there aren't any outstanding requests, currently it only says
>  something like "Welcome $NAME" (and a log out button).
>  * Reject/approve the request(s) and click submit
>  Note: Because this goes to multiple persons, you might not see the
>  request even if you got an email from Mango. This means another person
>  was faster.
>  ==> NOTE: The user will be informed. If you reject a person, please send
>  an explanation to the user. Ideally before you click submit, because
>  Mango will email the user right away.
>  ==> NOTE: If you approve/vouch a person, this means that you are
>  responsible for that person (in practice this is not as bad as it
>  sounds).
>
>
>  In case of problems:
>  Please either email gnome-infrastructure@..., or file a bug:
>  http://bugzilla.gnome.org/enter_bug.cgi?product=sysadmin&component=mango
>  (sysadmin product, mango component)
>
>
>  Word of warning:
>  * We'll be going from a few users, to 200+. There will be cases where
>  Mango doesn't work as intended. Apologies in advance for that.
>  * I haven't updated: http://live.gnome.org/NewAccounts yet
>  * The translation teams aren't in there yet.
>
>
>  YOUR MANGO PASSWORD
>
> You should already have one. The password is the same as your Jabber
>  password. Or for sysadmins/accounts people: what you use to login to
>  Mango. Or what is in LDAP.
>
>
>   =>> YOU CANNOT CHANGE THIS PASSWORD AT THE MOMENT (sorry)
>
>  Your username is same as your SVN username.

There seems to be a bunch of "what's my Mango password?" tickets
stalled in RT3.
I'd like to know what I should answer the requestors. Is there a simple answer?
I tried

  ssh -l menthos svn.gnome.org mango

but it seems I'm not allowed to log into svn.gnome.org. Probably this
is also the case for most people trying. Is there currently a way to
retrieve one's password (I'm talking about users here; fortunately I
know my own password).

Furthermore, I found no instructions for Mango passwords on
live.gnome.org, not even on http://live.gnome.org/Mango. The only
piece of instructions ever seems to be
http://blogs.gnome.org/ovitters/2007/09/26/sneak-preview-of-mango/ and
http://blogs.gnome.org/ovitters/2007/09/29/mango-gone-live/ and the
above mail, only findable with Google and GMail skills, and containing
instructions that currently do not work...


Christian
_______________________________________________
Gnome-infrastructure mailing list
Gnome-infrastructure@...
http://mail.gnome.org/mailman/listinfo/gnome-infrastructure

Re: Mango passwords and instructions?

by Olav Vitters

On Sun, Jun 01, 2008 at 06:21:57PM +0200, Christian Rose wrote:
> On 9/29/07, Olav Vitters <olav@...> wrote:
> There seems to be a bunch of "what's my Mango password?" tickets
> stalled in RT3.
> I'd like to know what I should answer the requestors. Is there a simple answer?
> I tried

Depends if they want to retrieve their password or reset it. Resetting
is very annoying. This is because:
a) I don't want people being able to login to the main LDAP server (even
if there is a command restriction)
b) Even if those logins would be allowed, I wouldn't trust a suid reset
command
c) Socket cannot change the password anyway as it is not the main LDAP
server (could be done if everything uses openldap 2.4+.. RHEL5 has 2.3)
d) MAINTAINERS file crappiness

Long term, I want people to use GPG instead of passwords. Then the
password is only there for some services like e.g. Jabber. I don't know
much about LDAP (finally understand it somewhat since the last few
days!)
If people would need a password reset, they'd login to Mango using GPG,
then click the 'new password' button. This would give them a new
password. It is stalled due to lack of resources (would appreciate more
help with building new infrastructure).

Note: The reason I haven't implemented GPG yet is only due to not
getting to it (it is difficult). I'm not going to ask for consensus. It
will be implemented. I don't mind if people don't want it, it will be
their problem if they want to give a new developer an SVN account, etc.

Btw, to reset someones password so below command works again, follow the
instructions in
  http://svn.gnome.org/viewvc/sysadmin-bin/trunk/handle-ldap-modules?view=markup

Basically, use two gnome-terminal tabs, then in each:
  ssh -L 1389:localhost:389 label
  ssh -R 1389:localhost:1389 socket

This allows socket to have a connection to the main LDAP server.

Then do something *as root* like:
  /home/admin/bin/handle-ldap-modules reset-passwd $UID1 $UID2 $UID3

The SSH encapsulation ensures security (nobody will be able to read the
password by sniffing emails).

>   ssh -l menthos svn.gnome.org mango
>
> but it seems I'm not allowed to log into svn.gnome.org. Probably this

It is a one time password, as explained in the email everyone received.
Often people do find the email if I provide subject and date (which I
always have to lookup first).

> is also the case for most people trying. Is there currently a way to
> retrieve one's password (I'm talking about users here; fortunately I
> know my own password).

Using the command above. You're a sysadmin, so it won't work for you
as you'll get a shell instead.

See
http://svn.gnome.org/viewvc/sysadmin-bin/trunk/run-svn-or-special-cmd?view=markup
for the ugly details.

It should probably be added to the email that a maintainer/coordinator
gets. Feel free to add such info (it is not the only usability problem
with the accounts stuff).

Note: I *really* dislike the current setup with MAINTAINERS files. Much
rather use some easier parsable format like DOAP. This is why I don't do
much with it, plus didn't develop Mango for ~5 months. It will always be
a mess and require a sysadmin to sync stuff manually, then committing
the 10 fixes in various MAINTAINERS files.

> Furthermore, I found no instructions for Mango passwords on
> live.gnome.org, not even on http://live.gnome.org/Mango. The only
> piece of instructions ever seems to be
> http://blogs.gnome.org/ovitters/2007/09/26/sneak-preview-of-mango/ and
> http://blogs.gnome.org/ovitters/2007/09/29/mango-gone-live/ and the
> above mail, only findable with Google and GMail skills, and containing
> instructions that currently do not work...

It does work, for one time only. The lack of instructions is on purpose.
I can explain this via private email if needed.

Note: I might provide some ugly other method using Mango. This would require
python-paramiko on the users side. Unfortunately Mango is written in
PHP, which makes it difficult to combine (I don't want to start another
process).

--
Regards,
Olav

Re: Mango passwords and instructions?

by Germán Póo-Caamaño

On Sun, 2008-06-01 at 19:33 +0200, Olav Vitters wrote:

> Long term, I want people to use GPG instead of passwords. Then the
> password is only there for some services like e.g. Jabber. I don't know
> much about LDAP (finally understand it somewhat since the last few
> days!)
> If people would need a password reset, they'd login to Mango using GPG,
> then click the 'new password' button. This would give them a new
> password. It is stalled due to lack of resources (would appreciate more
> help with building new infrastructure).
>
> Note: The reason I haven't implemented GPG yet is only due to not
> getting to it (it is difficult). I'm not going to ask for consensus. It
> will be implemented. I don't mind if people don't want it, it will be
> their problem if they want to give a new developer an SVN account, etc.

If GPG is the way to go, wouldn't GUADEC be a good opportunity to
have a GPG Key Signing Party[1]?

A GPG key without any other signatures from people who trust it doesn't
have enough value.

[1]
http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

--
Germán Póo-Caamaño
Concepción - Chile
http://www.gnome.org/~gpoo/



Re: Mango passwords and instructions?

by Baris Cicek

Hi;

If someone can lead the organization of such a thing, we can add it to
Events page as well.

Regards,
Baris




Re: Mango passwords and instructions?

by Germán Póo-Caamaño

On Mon, 2008-06-09 at 21:29 +0300, Baris Cicek wrote:
> Hi;
>
> If someone can lead the organization of such a thing, we can add it to
> Events page as well.

If there is still time, I can take care of this.  Also, I would like to
have some feedback from Olav and/or Christian.

Regards,

--
Germán Póo-Caamaño
Concepción - Chile
http://www.calcifer.org/



Re: Mango passwords and instructions?

by Olav Vitters

On Wed, Jun 25, 2008 at 09:24:47PM -0400, Germán Poó-Caamaño wrote:
> On Mon, 2008-06-09 at 21:29 +0300, Baris Cicek wrote:
> > Hi;
> >
> > If someone can lead the organization of such a thing, we can add it to
> > Events page as well.
>
> If still there is time, I can take care of this.  Also, I would like to
> have some feedback from Olav and/or Christian.

With the rewrite of Mango into Python, I can rely on the SSH keys for
authentication. This will however require people wanting to login to
Mango to run a custom script (to extract the RSA bits out of the private
key to enable the authentication).

I hope to do this hack first via a script and later on have it
integrated into seahorse (haven't talked at all to the devs yet).

So GPG isn't that needed atm (SSH keys will be far easier to handle from
my standpoint.. we already trust these things anyway).

Not sure what people think of using SSH keys for logging in to a
website. Perhaps it is considered totally crazy... ATM I first have to
finish the rewrite anyway (progressing nicely, but still a lot of things
to finish).

--
Regards,
Olav

Re: Mango passwords and instructions?

by Behdad Esfahbod

On Thu, 2008-06-26 at 09:09 +0200, Olav Vitters wrote:
>
> With the rewrite of Mango into Python, I can rely on the SSH keys for
> authentication. This will however require people wanting to login to
> Mango to run a custom script (to extract the RSA bits out of the
> private key to enable the authentication).

Interesting.  How does it work?

--
behdad
http://behdad.org/

"Those who would give up Essential Liberty to purchase a little
 Temporary Safety, deserve neither Liberty nor Safety."
        -- Benjamin Franklin, 1759


Re: [guadec-list] Mango passwords and instructions?

by Olav Vitters

On Thu, Jun 26, 2008 at 10:39:20AM -0400, Behdad Esfahbod wrote:
> On Thu, 2008-06-26 at 09:09 +0200, Olav Vitters wrote:
> >
> > With the rewrite of Mango into Python, I can rely on the SSH keys for
> > authentication. This will however require people wanting to login to
> > Mango to run a custom script (to extract the RSA bits out of the
> > private key to enable the authentication).
>
> Interesting.  How does it work?

The easiest way is to use the Paramiko stuff.. although I am not sure
what I'll do.

E.g. http://www.lag.net/paramiko/docs/paramiko.PKey-class.html

see can_sign (needs private key), sign_ssh_data (private key),
verify_ssh_sig.

I'd imagine something like:
* Website shows base64 encoded random bytes
* User uses script to sign the random bytes (script decodes the base64
  stuff, signs it, then base64 encodes the result)
* User enters username and the base64'd signature
* Mango verifies that:
  random bytes matches with was what given
  user has a public key which passes the 'verify_ssh_sig' check

Only annoying part is the script for the user. It should be simple
enough so that people trust the working. But at the same time, some GUI
is likely needed (?).. but that would make it complicated.
Note that fetching private keys from the ssh agent is trivial.

--
Regards,
Olav
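The challenge/response login Olav sketches in the message above, as an added example that is not Mango's code and not paramiko's: the website hands out base64 random bytes, the user's script signs them with the SSH private key, and the server checks the signature against the public key it already trusts. Go's standard crypto/rsa stands in for paramiko's sign_ssh_data/verify_ssh_sig (plain PKCS#1 v1.5 over SHA-256 rather than paramiko's SSH wire-format signature blob), an in-memory map stands in for the LDAP lookup, and the user name, the ten-minute lifetime and all function names are illustrative. The part the message leaves implicit and a server must get right: each challenge is consumed on its first answer and rejected once expired, so a signature captured in transit cannot be replayed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Added example, not Mango code; crypto/rsa stands in for paramiko, the map for LDAP.
const ChallengeTTL = 10 * time.Minute // how long an issued challenge may be answered

type challenge struct {
	nonce   []byte
	expires time.Time
}

// Server keeps the trusted public keys and the outstanding challenges.
type Server struct {
	publicKeys map[string]*rsa.PublicKey // username -> key (LDAP in Mango)
	challenges map[string]challenge      // base64 nonce -> state
	Now        func() time.Time          // clock, overridable in tests
}

func NewServer(keys map[string]*rsa.PublicKey) *Server {
	return &Server{publicKeys: keys, challenges: map[string]challenge{}, Now: time.Now}
}

// Issue returns the base64 random bytes the website shows to the user.
func (s *Server) Issue() (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	enc := base64.StdEncoding.EncodeToString(nonce)
	s.challenges[enc] = challenge{nonce: nonce, expires: s.Now().Add(ChallengeTTL)}
	return enc, nil
}

// Login checks sigB64 against user's key over one outstanding challenge.
// The challenge is consumed on the first attempt, verified or not, so a
// captured signature cannot be replayed, and a stale one is never accepted.
func (s *Server) Login(user, challengeB64, sigB64 string) error {
	c, ok := s.challenges[challengeB64]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, challengeB64)
	if s.Now().After(c.expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.publicKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256(c.nonce)
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature does not verify against user's key")
	}
	return nil
}

// ClientSign is the user-side script: decode the challenge, sign it with the
// private key (PKCS#1 v1.5 over SHA-256), base64 the result for the form.
func ClientSign(priv *rsa.PrivateKey, challengeB64 string) (string, error) {
	nonce, err := base64.StdEncoding.DecodeString(challengeB64)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// GenerateKey makes a throwaway 2048-bit key so the example runs offline.
func GenerateKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := GenerateKey()
	srv := NewServer(map[string]*rsa.PublicKey{"menthos": &priv.PublicKey})
	ch, _ := srv.Issue()
	sig, _ := ClientSign(priv, ch)
	fmt.Println("login: ", srv.Login("menthos", ch, sig)) // <nil>
	fmt.Println("replay:", srv.Login("menthos", ch, sig)) // unknown or already used challenge
}
```

A real deployment would additionally tie each challenge to the browser session that requested it and run the map behind a lock; neither changes the shape of the exchange above. Note that the scheme proves possession of the private key only for the challenge bytes, which is why the server, not the user, must choose them.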

Re: [guadec-list] Mango passwords and instructions?

by Behdad Esfahbod

On Thu, 2008-06-26 at 19:42 +0200, Olav Vitters wrote:
>
> Only annoying part is the script for the user. It should be simple
> enough so that people trust the working. But at the same time, some
> GUI is likely needed (?).. but that would make it complicated.
> Note that fetching private keys from the ssh agent is trivial.

How about something like showing people a page saying:

"Please run the following command and follow instructions given there:

  echo "blah blah blah some rand word" | ssh auth.gnome.org

The auth.gnome.org then gives them a password they can use to login
within the next 10 minutes.

--
behdad
http://behdad.org/

"Those who would give up Essential Liberty to purchase a little
 Temporary Safety, deserve neither Liberty nor Safety."
        -- Benjamin Franklin, 1759


Re: [guadec-list] Mango passwords and instructions?

by Vincent Untz

On Friday 27 June 2008, at 09:20 -0400, Behdad Esfahbod wrote:

> On Thu, 2008-06-26 at 19:42 +0200, Olav Vitters wrote:
> >
> > Only annoying part is the script for the user. It should be simple
> > enough so that people trust the working. But at the same time, some
> > GUI is likely needed (?).. but that would make it complicated.
> > Note that fetching private keys from the ssh agent is trivial.
>
> How about something like showing people a page saying:
>
> "Please run the following command and follow instructions given there:
>
>   echo "blah blah blah some rand word" | ssh auth.gnome.org
>
> The auth.gnome.org then gives them a password they can use to login
> within the next 10 minutes.

I suggest a "GNOME contributor" epiphany plugin to do all this :-)

Vincent

--
Happy people are not in a hurry.

Re: [guadec-list] Mango passwords and instructions?

by Olav Vitters

On Fri, Jun 27, 2008 at 09:20:05AM -0400, Behdad Esfahbod wrote:

> On Thu, 2008-06-26 at 19:42 +0200, Olav Vitters wrote:
> >
> > Only annoying part is the script for the user. It should be simple
> > enough so that people trust the working. But at the same time, some
> > GUI is likely needed (?).. but that would make it complicated.
> > Note that fetching private keys from the ssh agent is trivial.
>
> How about something like showing people a page saying:
>
> "Please run the following command and follow instructions given there:
>
>   echo "blah blah blah some rand word" | ssh auth.gnome.org
>
> The auth.gnome.org then gives them a password they can use to login
> within the next 10 minutes.

Actually not sure how to implement something like that. Users should not
be able to retrieve any private Mango information. So they should not
just be able to run a script under their userid and get access to
private Mango info. At the same time, I don't know how to handle suid
stuff combined with Python... is that trustable? Can I 100% rely on
finding out the original userid? Plus I'd need to store it in the
database in a way that if the database is compromised, that they cannot
abuse it to get Mango privs... probably hashing some secret token I
guess.

I've tried the paramiko method, and it seems to work (not in Mango..
just hacked up test locally). I'll do something like that for now... it
is pretty easy to replace the login method in Mango.

--
Regards,
Olav
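Behdad's `echo ... | ssh auth.gnome.org` idea from earlier in the thread, combined with Olav's point above that whatever lands in the database must not hand out Mango privileges if the database is compromised, as an added example that is not Mango code: the password the SSH side prints is stored only as its SHA-256 hash, expires after ten minutes, and is accepted once. The names, the lifetime constant and the in-memory map are assumptions; how the SSH side has already authenticated the user (by SSH key, as the ssh command implies) is outside the block, which only covers what the two ends store and check.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example, not Mango code: a short-lived one-time password handed to the
// user over SSH and kept server-side only as a hash, so a copy of the database
// yields nothing that logs in.
const TokenTTL = 10 * time.Minute

type tokenRecord struct {
	hash    [32]byte // sha256 of the token; never the token itself
	expires time.Time
}

// TokenStore is the server-side table (the database in Mango).
type TokenStore struct {
	records map[string]tokenRecord // username -> outstanding token
	Now     func() time.Time       // clock, overridable in tests
}

func NewTokenStore() *TokenStore {
	return &TokenStore{records: map[string]tokenRecord{}, Now: time.Now}
}

// Issue mints a fresh token for user (what auth.gnome.org would print over
// the SSH session, having already authenticated the user by key) and stores
// only its hash. Issuing again replaces the earlier token.
func (ts *TokenStore) Issue(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	ts.records[user] = tokenRecord{hash: sha256.Sum256([]byte(token)), expires: ts.Now().Add(TokenTTL)}
	return token, nil
}

// Redeem is the website login: accept the token once, only before expiry,
// comparing hashes in constant time. A mismatch leaves the record in place:
// a 256-bit random token cannot be guessed inside the window, and burning
// it on mismatch would let anyone lock the user out.
func (ts *TokenStore) Redeem(user, token string) error {
	rec, ok := ts.records[user]
	if !ok {
		return errors.New("no outstanding token")
	}
	if ts.Now().After(rec.expires) {
		delete(ts.records, user)
		return errors.New("token expired")
	}
	got := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(got[:], rec.hash[:]) != 1 {
		return errors.New("token mismatch")
	}
	delete(ts.records, user) // single use
	return nil
}

// StoredValue is what someone reading the database sees for user.
func (ts *TokenStore) StoredValue(user string) (string, bool) {
	rec, ok := ts.records[user]
	if !ok {
		return "", false
	}
	return hex.EncodeToString(rec.hash[:]), true
}

func main() {
	ts := NewTokenStore()
	token, _ := ts.Issue("menthos")
	stored, _ := ts.StoredValue("menthos")
	fmt.Println("handed to user:", token)
	fmt.Println("in database:   ", stored)
	fmt.Println("login with token:", ts.Redeem("menthos", token)) // <nil>
	fmt.Println("second use:      ", ts.Redeem("menthos", token)) // no outstanding token
}
```

The hash is unsalted on purpose: the input is 256 random bits, so there is nothing for a precomputed table to find, unlike a user-chosen password. What the scheme does not solve is Behdad's other point, that a compromised SSH key still yields a Mango login, since the SSH side trusts that key to issue the token in the first place.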

Re: [guadec-list] Mango passwords and instructions?

by Behdad Esfahbod

On Fri, 2008-06-27 at 16:02 +0200, Olav Vitters wrote:

> On Fri, Jun 27, 2008 at 09:20:05AM -0400, Behdad Esfahbod wrote:
> > On Thu, 2008-06-26 at 19:42 +0200, Olav Vitters wrote:
> > >
> > > Only annoying part is the script for the user. It should be simple
> > > enough so that people trust the working. But at the same time, some
> > > GUI is likely needed (?).. but that would make it complicated.
> > > Note that fetching private keys from the ssh agent is trivial.
> >
> > How about something like showing people a page saying:
> >
> > "Please run the following command and follow instructions given there:
> >
> >   echo "blah blah blah some rand word" | ssh auth.gnome.org
> >
> > The auth.gnome.org then gives them a password they can use to login
> > within the next 10 minutes.
>
> Actually not sure how to implement something like that. Users should not
> be able to retrieve any private Mango information. So they should not
> just be able to run a script under their userid and get access to
> private Mango info.

How about simply writing a dotfile in the user's home dir.  Mango then
reads that file, confirms that it's only readable by the user, checks that
its modification time is recent, and accepts the contents as password.

This is weaker than your approach as anyone compromising any GNOME
machines will get access to everyone's Mango account.  However, both
approaches suffer from the fact that a compromised SSH key gives access
to user's Mango.

Combine that with the fact that one of two major Mango requests is
changing a lost key (the other being changing email address), I'm not
sure using SSH keys for authentication is a good idea.

> At the same time, I don't know how to handle suid
> stuff combined with Python... is that trustable? Can I 100% rely on
> finding out the original userid? Plus I'd need to store it in the
> database in a way that if the database is compromised, that they cannot
> abuse it to get Mango privs... probably hashing some secret token I
> guess.
>
> I've tried the paramiko method, and it seems to work (not in Mango..
> just hacked up test locally). I'll do something like that for now... it
> is pretty easy to replace the login method in Mango.

How about (optional) OpenID?

--
behdad
http://behdad.org/

"Those who would give up Essential Liberty to purchase a little
 Temporary Safety, deserve neither Liberty nor Safety."
        -- Benjamin Franklin, 1759


Re: [guadec-list] Mango passwords and instructions?

by Olav Vitters

On Fri, Jun 27, 2008 at 10:16:35AM -0400, Behdad Esfahbod wrote:
> How about that simply write a dotfile in user's home dir.  Mango then
> reads that file, confirms that it's only readable by user.  Checks that
> it's modification time is recent, and accepts the contents as password.

Hm.. maybe a directory like /tmp. Not readable except for the Mango group and
the userid writing to it. (+s IIRC). That would actually pretty much
work.. except it would make testing Mango locally harder ;)

> This is weaker than your approach as anyone compromising any GNOME
> machines will get access to everyone's Mango account.  However, both
> approaches suffer from the fact that a compromised SSH key gives access
> to user's Mango.

Yeah, but if an SSH key is compromised, it is acceptable that Mango is
compromised as well.

> Combine that with the fact that one of two major Mango requests is
> changing a lost key (the other being changing email address), I'm not
> sure using SSH keys for authentication is a good idea.

ATM yes, as Mango doesn't really do anything. But I plan to make it way
more important for maintainers.

> > At the same time, I don't know how to handle suid
> > stuff combined with Python... is that trustable? Can I 100% rely on
> > finding out the original userid? Plus I'd need to store it in the
> > database in a way that if the database is compromised, that they cannot
> > abuse it to get Mango privs... probably hashing some secret token I
> > guess.
> >
> > I've tried the paramiko method, and it seems to work (not in Mango..
> > just hacked up test locally). I'll do something like that for now... it
> > is pretty easy to replace the login method in Mango.
>
> How about (optional) OpenID?

There is no OpenID stored in Mango, so that is a no as primary method.
And IIRC OpenID stuff usually just has password as authentication (too
weak).

--
Regards,
Olav

Re: [guadec-list] Mango passwords and instructions?

by klondike

I'm not sure where, but I read some sort of flame(?) between GPG and SSH keys.

Anyway, I'd like to comment about gpgkey2ssh which may help with the problem :)

Re: [guadec-list] Mango passwords and instructions?

by Olav Vitters

On Fri, Jun 27, 2008 at 05:15:00PM +0200, klondike wrote:
> I'm not sure where, but I read some sort of flame(?) between GPG and SSH keys.

We simply don't have any GPG infrastructure.

> Anyway, I'd like to comment about gpgkey2ssh which may help with the problem :)

I'll check it out.

--
Regards,
Olav

Re: [guadec-list] Mango passwords and instructions?

by Olav Vitters

On Fri, Jun 27, 2008 at 05:19:02PM +0200, Olav Vitters wrote:
> On Fri, Jun 27, 2008 at 05:15:00PM +0200, klondike wrote:
> > I'm not sure where, but I read some sort of flame(?) between GPG and SSH keys.
>
> We simply don't have any GPG infrastructure.
>
> > Anyway, I'd like to comment about gpgkey2ssh which may help with the problem :)
>
> I'll check it out.

Ehr:
1. No documentation
2. There is no GPG infrastructure.

You're proposing something which seems to generate SSH keys. We have and
trust them already. I don't know how to setup a good distributed and
trusted GPG infrastructure. Well, LDAP.. but GPG wants keyrings and
stuff.. I just want to compare some signature with a key I know is good
(as it is from LDAP).

--
Regards,
Olav