Re: [Server-devel] Password-less authentication with moodle

2008-10-04 Thread Andrés Ambrois
Hola Martin!

On Saturday 04 October 2008 09:22:11 Martin Langhoff wrote:
> On Fri, Oct 3, 2008 at 7:22 PM, Andrés Ambrois [EMAIL PROTECTED] wrote:
> > I am, together with Pablo Flores, working on preparing EduBlog for
> > deployment in Ceibal (yay!). However, one of the big challenges ahead is
> > deciding on the security infrastructure needed. So I've decided to
> > consult the gurus at server-devel =) .
>
> Hola Andres!
>
> - What's your timeframe?

The timeframe for our project is 5 weeks starting from last Wednesday, in 
which I need to cover the interface (Moodle and Wordpress theming), course 
configuration, authentication, modifying Write to enable blog posting, and 
document all this for a manual. 

> - Are the Ceibal machines registering with the Ceibal servers in any way?

My understanding of the current security architecture in Ceibal is almost 
non-existent, as I'm not working in LATU, and it has been a black box for 
external developers. I realize this will seriously hamper any take at the 
authentication problem, but I guess it's clear that there's little I can 
accomplish in this sense from the timeframe above. 

However, I believe there will be someone exclusively working on the security 
of the system. I will make sure to point him/her to this thread on Monday when 
we meet. 

> > The other real solution that comes to mind would be TLS (SSL), maybe
> > using the DSA SSH key generated in first-boot? I believe this would
> > involve modifying Browse to use that file, and also gathering the XOs'
> > public keys manually and adding them to the server, which is a logistic
> > nightmare. I hope I'm wrong in this, could you advise me?
>
> That is one of the paths we are exploring :-) with an additional tweak
> to the 'register' action that retrieves the self-signed cert of the
> server on the XO as a trusted cert, and gives the XS the cert of the
> XO.
>
> This of course needs a change in the register API - (minor) code
> changes on the XO core Sugar libs and in Browse.

I'm glad I wasn't that far off :). Are these required modifications documented 
somewhere?

> cheers,
>
> m

-- 
  -Andrés
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel


[Server-devel] Password-less authentication with moodle

2008-10-03 Thread Andrés Ambrois
  Hello all!

  I am, together with Pablo Flores, working on preparing EduBlog for 
deployment in Ceibal (yay!). However, one of the big challenges ahead is 
deciding on the security infrastructure needed. So I've decided to consult the 
gurus at server-devel =) .

  The problem is not in finding novel or ultra-secure algorithms, but in easily 
deployable and usable mechanisms. The MAC authentication method, described in 
earlier threads, is an easy hack, but not very secure (MACs can be spoofed, 
etc), however I wonder if an auth plugin for moodle with this scheme has been 
implemented. 

  The other real solution that comes to mind would be TLS (SSL), maybe using 
the DSA SSH key generated in first-boot? I believe this would involve 
modifying Browse to use that file, and also gathering the XOs' public keys 
manually and adding them to the server, which is a logistic nightmare. I hope I'm 
wrong in this, could you advise me?

  Being password-less is one of the key concepts in the XO's design. And 
rightly so, for both usability reasons, and the logistic problem of handling 
lost/compromised passwords. So we need to try and stick to it as much as 
possible. 

  Cheers!
-- 
  -Andrés
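
The two options raised in this thread, side by side, as an added sketch (not code from either poster, the XS, or Moodle): the server pins each laptop's certificate when it registers and later accepts only a client presenting that same certificate, whereas a MAC lookup trusts whatever value the client sends. `Registry`, `mac_login`, the serials and the certificate bytes are hypothetical, and the TLS handshake itself is assumed to have already happened.

```python
import hashlib
import hmac


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class Registry:
    """Hypothetical server-side store of certificates pinned at registration."""

    def __init__(self):
        self._pins = {}  # laptop serial -> pinned certificate fingerprint

    def register(self, serial: str, cert_der: bytes) -> bool:
        """Pin the certificate the first time a serial registers.

        Registering a different certificate under an existing serial is
        refused, so a second machine cannot take over the account.
        """
        fp = fingerprint(cert_der)
        pinned = self._pins.setdefault(serial, fp)
        return hmac.compare_digest(pinned, fp)

    def authenticate(self, peer_cert_der):
        """Return the serial whose pinned certificate matches, else None.

        peer_cert_der is the client certificate reported by the TLS layer,
        e.g. ssl.SSLSocket.getpeercert(binary_form=True); the handshake has
        already proven that the client holds the matching private key.
        """
        if not peer_cert_der:
            return None  # client presented no certificate
        fp = fingerprint(peer_cert_der)
        for serial, pinned in self._pins.items():
            if hmac.compare_digest(pinned, fp):
                return serial
        return None


def mac_login(known_macs: dict, claimed_mac: str):
    """MAC lookup for contrast: the address is only a claim by the client."""
    return known_macs.get(claimed_mac.lower())


# Constructed sample data: placeholder bytes stand in for real DER certificates.
XO_A_CERT = b"constructed-der-bytes-for-laptop-A"
XO_B_CERT = b"constructed-der-bytes-for-laptop-B"
```
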