Re: Administrative interface, login with SSH

2018-06-12 Thread Vijay Khemlani
The maximum (reasonable) security would be to connect to a VPN and have the
Django admin accept logins only from inside the VPN, but for 99% of cases
that sounds unnecessary.

To open a browser on the server itself you would need to have a whole
desktop environment installed on the server (XFCE, GNOME, KDE, something,
assuming Linux), connect over SSH with X Server support and send all the
commands over the network to that browser, which is extremely cumbersome.

Two-step authentication is what Google, Steam, and many other
high-security services use.



On Mon, Jun 11, 2018 at 7:06 PM Frank Mascarell <
frank_mascar...@gandiweb.com> wrote:

> Thank you for your security recommendations, very interesting.
> After thinking all this over, I am considering the following: if we are
> developing an online store, where the database is on a remote host, and
> the store administrators must log in to it daily, with all permissions
> (CRUD), is two-step authentication the maximum security that can be
> implemented for the administrative interface?
> Is there no other way to do it? For example, I could write a program in
> Python, using the Paramiko library to connect via SSH, and then run the
> command, which can at the same time call another custom program on the
> server that would open a browser window with the administrative
> interface, if the authentication is correct.
> Any better ideas?

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CALn3ei187SBNfz06ZGYUuhgMcpzNtJ%3DHWABibVN%3DBxdxODSyfA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
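
One way to make the Django admin reachable only from inside a VPN, as suggested in the reply above (an added example, not code from the thread; the 10.8.0.0/24 VPN range, the /admin prefix and the names `AdminVpnOnly` and `status_for` are assumptions). It wraps the project's WSGI application, e.g. `application = AdminVpnOnly(get_wsgi_application())` in wsgi.py.

```python
import ipaddress

# Assumed for this example: VPN clients are in 10.8.0.0/24 and the admin is
# mounted at /admin/. Adjust both to the real deployment.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]
ADMIN_PREFIX = "/admin"

def is_admin_path(path):
    """True for /admin and anything below it, but not e.g. /administrators."""
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")

def client_in_vpn(remote_addr):
    """True only if remote_addr parses as an IP inside a VPN network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: fail closed
    return any(addr in net for net in VPN_NETWORKS)

class AdminVpnOnly:
    """WSGI wrapper: 403 for admin requests whose REMOTE_ADDR is outside the VPN.

    Behind a reverse proxy REMOTE_ADDR is the proxy's address, so enforce the
    rule at the proxy or firewall rather than trusting X-Forwarded-For.
    """
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        remote = environ.get("REMOTE_ADDR", "")
        if is_admin_path(path) and not client_in_vpn(remote):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        return self.app(environ, start_response)

def status_for(path, remote_addr):
    """Send one constructed request through the wrapper; return its status."""
    seen = []
    def ok_app(environ, start_response):  # stand-in for the Django WSGI app
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    environ = {"PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    AdminVpnOnly(ok_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```
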


Re: Administrative interface, login with SSH

2018-06-11 Thread Frank Mascarell
Thank you for your security recommendations, very interesting.
After thinking all this over, I am considering the following: if we are
developing an online store, where the database is on a remote host, and
the store administrators must log in to it daily, with all permissions
(CRUD), is two-step authentication the maximum security that can be
implemented for the administrative interface?
Is there no other way to do it? For example, I could write a program in
Python, using the Paramiko library to connect via SSH, and then run the
command, which can at the same time call another custom program on the
server that would open a browser window with the administrative
interface, if the authentication is correct.
Any better ideas?



Re: Administrative interface, login with SSH

2018-06-11 Thread Vijay Khemlani
"Vijay, thanks for the help, but the authentication of two factors seems
quite uncomfortable, considering that an administrator can enter every day,
several times a day, having to depend on a mobile device for each login.
"

Session cookies last for 2 weeks by default in Django, regardless of the
login method

On Sun, Jun 10, 2018 at 11:31 PM carlos  wrote:

> Hi, I also recommend you read this
>
> https://hackernoon.com/5-ways-to-make-django-admin-safer-eb7753698ac8
>
>
> On Sun, Jun 10, 2018 at 8:02 PM Frank Mascarell <
> frank_mascar...@gandiweb.com> wrote:
>
>> Vijay, thanks for the help, but the authentication of two factors seems
>> quite uncomfortable, considering that an administrator can enter every day,
>> several times a day, having to depend on a mobile device for each login.
>>
>> I have to rethink the problem, perhaps by directly accessing postgres,
>> through
>> SSH with a GUI for the client-user that includes a CRUD interface,
>> although I do not have
>> knowledge of the software available for this. I have to investigate what
>> other ways I can
>> identify myself to a postgres database with SSH.
>>
>> Greetings.
>>
>
>
> --
> Regards,
> Carlos Rocha
>


Re: Administrative interface, login with SSH

2018-06-10 Thread carlos
Hi, I also recommend you read this

https://hackernoon.com/5-ways-to-make-django-admin-safer-eb7753698ac8


On Sun, Jun 10, 2018 at 8:02 PM Frank Mascarell <
frank_mascar...@gandiweb.com> wrote:

> Vijay, thanks for the help, but the authentication of two factors seems
> quite uncomfortable, considering that an administrator can enter every day,
> several times a day, having to depend on a mobile device for each login.
>
> I have to rethink the problem, perhaps by directly accessing postgres,
> through
> SSH with a GUI for the client-user that includes a CRUD interface,
> although I do not have
> knowledge of the software available for this. I have to investigate what
> other ways I can
> identify myself to a postgres database with SSH.
>
> Greetings.
>


-- 
Regards,
Carlos Rocha



Re: Administrative interface, login with SSH

2018-06-10 Thread Frank Mascarell
Vijay, thanks for the help, but the authentication of two factors seems 
quite uncomfortable, considering that an administrator can enter every day, 
several times a day, having to depend on a mobile device for each login.

I have to rethink the problem, perhaps by directly accessing postgres, 
through
SSH with a GUI for the client-user that includes a CRUD interface, although 
I do not have
knowledge of the software available for this. I have to investigate what 
other ways I can
identify myself to a postgres database with SSH.

Greetings.



Re: Administrative interface, login with SSH

2018-06-10 Thread Vijay Khemlani
In general, SSH is used to make remote terminal connections (well, you can
run an X session over SSH, but I don't think that is what you need).

The most common way to increase login security is two factor
authorization, basically sending a validation to your cell phone or some
other device that validates that you are the one logging in.

Personally I have never done it, but there are Django packages that
implement it

http://django-two-factor-auth.readthedocs.io/en/stable/

Although they require a certain level of configuration

The project you link to does not seem to be for logging in with SSH keys;
it only stores them

Regards

On Sun, Jun 10, 2018 at 8:49 PM Frank Mascarell <
frank_mascar...@gandiweb.com> wrote:

> Hi, sorry for the mistakes, I'm using google-translator :)
>
> I hired a VPS on Digital Ocean, installed Django-Postgres and everything
> works correctly. Now I want to increase the security of Django's
> administrative interface, I want site administrators to login using SSH,
> eliminating authentication by password. It would be something similar to
> when I connect to the server with PuTTY via SSH.
>
> There is little documentation of SSH-Django, but I found an interesting
> package called simplesshkey, which can relate SSH keys to a user, saving
> them in the database of Django. I do not know if with this package I can
> achieve my goal, but I do not think so.
>
> Is there any way to do this?
> Can I reconsider another way of connecting as an administrator to the
> database, less safe? I would not like to have a remote open port in
> postgres, I would prefer it to be managed through Django.
>