On 1/11/12 5:23 AM, Patrick R McDonald wrote:
> This question came up in IRC the other day. accounts.url specifies a
> login service (similar to that used by Allmydata). It would send your
> credentials (email address and password, if memory serves) and if these
> were correct, it would return a rootcap. I need to make a ticket to
> update this in the documentation. It is already in my todo list.
Yup, that's correct. Obviously "accounts.url" should point to a secure, preferably localhost-only service, to avoid making it too easy for attackers to use it to guess passwords (or, if they managed to spoof DNS and cause the tahoe gateway to talk to the wrong Account server, to reveal the username+passwords that users sent to the FTP/SFTP server).

I don't have any docs offhand for this service, but the relevant code is in src/allmydata/frontends/auth.py (in the AccountURLChecker class). It looks like it builds a form with three fields: "action" = "authenticate", "email" = the username, and "passwd" = the password. Then it POSTs it to the given URL (the form is submitted as old-style multipart/form-data, so a MIME body with one field per subpart). The response is expected to either be a rootcap string (possibly with extra whitespace, which is stripped), or the string "0" (which means bad password or unknown username).

It'd be great if the docs had some basic PHP code to implement the login service, or something. Maybe Peter could dig up the Allmydata code we used for this: I'm sure it just did a little database check.

cheers,
-Brian
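The exchange Brian describes (a multipart/form-data POST of action/email/passwd, answered with a rootcap or "0"), as an added example of a minimal localhost-only login service. This is illustration code, not Tahoe-LAFS or Allmydata code; the account table, salt, addresses and rootcap strings are constructed placeholders, and the password-hashing scheme is an assumption, not something the thread specifies.

```python
"""Minimal accounts.url login service (added example, not project code)."""
import hashlib
import hmac
from email.parser import BytesParser
from email.policy import default
from http.server import BaseHTTPRequestHandler, HTTPServer

def hash_password(password, salt):
    # Assumed scheme: PBKDF2-HMAC-SHA256; the thread does not prescribe one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample table: email -> (salt, password hash, rootcap placeholder)
_SALT = b"constructed-fixed-salt"
ACCOUNTS = {"alice@example.org": (_SALT, hash_password("correct horse", _SALT),
                                  "URI:DIR2:PLACEHOLDER-ALICE")}

def build_form(fields, boundary="constructed-boundary"):
    """Client side: encode fields as multipart/form-data -> (content_type, body)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    return f"multipart/form-data; boundary={boundary}", ("".join(parts) + f"--{boundary}--\r\n").encode()

def parse_multipart(content_type, body):
    """Server side: parse the MIME body, one subpart per field -> {name: value}."""
    msg = BytesParser(policy=default).parsebytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name is not None:
            fields[name] = part.get_payload(decode=True).decode()
    return fields

def authenticate(fields, accounts=ACCOUNTS):
    """Return the rootcap on success, or "0" for a bad password or unknown user."""
    if fields.get("action") != "authenticate":
        return "0"
    entry = accounts.get(fields.get("email", ""))
    if entry is None:
        hash_password(fields.get("passwd", ""), _SALT)  # same cost for unknown users
        return "0"
    salt, stored, rootcap = entry
    return rootcap if hmac.compare_digest(hash_password(fields.get("passwd", ""), salt), stored) else "0"

class LoginHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        reply = authenticate(parse_multipart(self.headers.get("Content-Type", ""), body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LoginHandler).serve_forever()  # bind to localhost only
```

Binding to 127.0.0.1 keeps the service reachable only from the gateway host, which is the property Brian asks for; a real deployment would load the table from a database rather than a constant.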
