Re: [Server-devel] Password-less authentication with moodle
On Sat, Oct 4, 2008 at 8:50 AM, Michael Stone [EMAIL PROTECTED] wrote:
> P.S. - You should send your mail to [EMAIL PROTECTED] as well since there are a number of interesting folks hanging out there who don't regularly frequent [EMAIL PROTECTED]

It'll be fantastic if security+development minded people get familiar enough with the XS, its goals and tradeoffs to comment intelligently on the strategies we explore to use on the XS.

But I'll decline any invite to treat security as a self-standing issue, which is what security@ is about. It's just not a balanced, smart or time-efficient way to discuss it. (You'll observe that I stay away from debian-legal as well :-) ).

cheers,

m
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
Re: [Server-devel] Password-less authentication with moodle
On Fri, Oct 3, 2008 at 7:22 PM, Andrés Ambrois [EMAIL PROTECTED] wrote:
> I am, together with Pablo Flores, working on preparing EduBlog for deployment in Ceibal (yay!). However, one of the big challenges ahead is deciding on the security infrastructure needed. So I've decided to consult the gurus at server-devel =) .

Hola Andres!

- What's your timeframe?
- Are the Ceibal machines registering with the Ceibal servers in any way?

> The other real solution that comes to mind would be TLS (SSL), maybe using the DSA SSH key generated in first-boot? I believe this would involve modifying Browse to use that file, and also gathering the XOs public keys manually and add them to the server, which is a logistic nightmare. I hope I'm wrong in this, could you advise me?

That is one of the paths we are exploring :-) with an additional tweak to the 'register' action that retrieves the self-signed cert of the server on the XO as a trusted cert, and gives the XS the cert of the XO.

This of course needs a change in the register API - (minor) code changes on the XO core Sugar libs and in Browse.

cheers,

m
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
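The certificate exchange at 'register' described in the message above, sketched as an added example; it is not code from this thread, the XS or Sugar. PinStore, register_exchange, the identities and the certificate byte strings are hypothetical and constructed, and the sketch assumes the TLS handshake has already proven that the peer holds the private key for the certificate it presents.

```python
import hashlib
import hmac


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use store mapping an identity to a cert fingerprint."""

    def __init__(self):
        self._pins = {}

    def register(self, identity: str, cert_der: bytes) -> bool:
        """Pin a cert at registration; never silently replace an existing pin."""
        fp = fingerprint(cert_der)
        known = self._pins.get(identity)
        if known is None:
            self._pins[identity] = fp
            return True
        # Re-registration succeeds only if it presents the same certificate.
        return hmac.compare_digest(known, fp)

    def verify(self, identity: str, cert_der: bytes) -> bool:
        """Accept a peer only if its cert matches the pinned fingerprint."""
        known = self._pins.get(identity)
        if known is None:
            return False
        return hmac.compare_digest(known, fingerprint(cert_der))


def register_exchange(xo_pins, xs_pins, serial, xo_cert, xs_name, xs_cert):
    """One 'register' call: each side pins the other's self-signed cert."""
    ok_server = xs_pins.register(serial, xo_cert)   # XS learns the XO's cert
    ok_client = xo_pins.register(xs_name, xs_cert)  # XO trusts the XS's cert
    return ok_server and ok_client


# Constructed stand-ins for DER certificates (not real certificates).
XO_CERT = b"constructed-xo-cert-der"
XS_CERT = b"constructed-xs-cert-der"
ROGUE_CERT = b"constructed-rogue-cert-der"

if __name__ == "__main__":
    xo, xs = PinStore(), PinStore()
    print(register_exchange(xo, xs, "SERIAL-PLACEHOLDER", XO_CERT, "schoolserver", XS_CERT))
    print(xs.verify("SERIAL-PLACEHOLDER", XO_CERT))     # registered laptop
    print(xs.verify("SERIAL-PLACEHOLDER", ROGUE_CERT))  # claimed serial, wrong cert
```

Unlike a MAC address, a claimed serial alone does not authenticate here: the presented certificate must match the pin recorded at registration.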
Re: [Server-devel] Password-less authentication with moodle
Hola Martin!

On Saturday 04 October 2008 09:22:11 Martin Langhoff wrote:
> On Fri, Oct 3, 2008 at 7:22 PM, Andrés Ambrois [EMAIL PROTECTED] wrote:
>> I am, together with Pablo Flores, working on preparing EduBlog for deployment in Ceibal (yay!). However, one of the big challenges ahead is deciding on the security infrastructure needed. So I've decided to consult the gurus at server-devel =) .
>
> Hola Andres!
>
> - What's your timeframe?

The timeframe for our project is 5 weeks starting from last Wednesday, in which I need to cover the interface (Moodle and Wordpress theming), course configuration, authentication, modifying Write to enable blog posting, and document all this for a manual.

> - Are the Ceibal machines registering with the Ceibal servers in any way?

My understanding of the current security architecture in Ceibal is almost non-existent, as I'm not working in LATU, and it has been a black box for external developers. I realize this will seriously hamper any take at the authentication problem, but I guess it's clear that there's little I can accomplish in this sense from the timeframe above. However, I believe there will be someone exclusively working on the security of the system. I will make sure to point him/her to this thread on Monday when we meet.

>> The other real solution that comes to mind would be TLS (SSL), maybe using the DSA SSH key generated in first-boot? I believe this would involve modifying Browse to use that file, and also gathering the XOs public keys manually and add them to the server, which is a logistic nightmare. I hope I'm wrong in this, could you advise me?
>
> That is one of the paths we are exploring :-) with an additional tweak to the 'register' action that retrieves the self-signed cert of the server on the XO as a trusted cert, and gives the XS the cert of the XO.
>
> This of course needs a change in the register API - (minor) code changes on the XO core Sugar libs and in Browse.

I'm glad I wasn't that far off :).
Are these required modifications documented somewhere?

> cheers,
>
> m

--
-Andrés
Re: [Server-devel] Password-less authentication with moodle
On Sun, Oct 5, 2008 at 5:29 AM, Andrés Ambrois [EMAIL PROTECTED] wrote:
>> - What's your timeframe?
>
> The timeframe for our project is 5 weeks starting from last Wednesday, in which I need to cover the interface (Moodle and Wordpress theming), course configuration, authentication, modifying Write to enable blog posting, and document all this for a manual.

Ouch - that's very tight!

> I'm glad I wasn't that far off :).
> Are these required modifications documented somewhere?

Not yet. We're finishing off 0.5 - will be looking into this for 0.6 or 0.7, not too far away, unlikely to be done in the next 5 weeks either :-/

cheers,

m
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
[Server-devel] Password-less authentication with moodle
Hello all!

I am, together with Pablo Flores, working on preparing EduBlog for deployment in Ceibal (yay!). However, one of the big challenges ahead is deciding on the security infrastructure needed. So I've decided to consult the gurus at server-devel =) .

The problem is not in finding novel or ultra-secure algorithms, but in easily deployable and usable mechanisms. The MAC authentication method, described in earlier threads, is an easy hack, but not very secure (MACs can be spoofed, etc), however I wonder if an auth plugin for moodle with this scheme has been implemented.

The other real solution that comes to mind would be TLS (SSL), maybe using the DSA SSH key generated in first-boot? I believe this would involve modifying Browse to use that file, and also gathering the XOs public keys manually and add them to the server, which is a logistic nightmare. I hope I'm wrong in this, could you advise me?

Being password-less is one of the key concepts in the XO's design. And rightly so, for both usability reasons, and the logistic problem of handling lost/compromised passwords. So we need to try and stick to it as much as possible.

Cheers!

--
-Andrés