On Fri, Jun 30, 2006 at 01:24:25PM -0700, Paul Forgey wrote:
> There's a public mode? Sorry if I appear to be dense, but I can't
> find anything in the help, faq, wiki or configuration about such an
> option.

I don't think it's implemented at the moment... There should be one.
There may be a bug for one. Have a look around on
https://bugs.freenetproject.org/ .

> On Jun 30, 2006, at 1:13 PM, Matthew Toseland wrote:
>
> >Well you could just run it in public mode. We will have to provide some
> >flags to disable dangerous FCP and Fproxy operations for public nodes.
> >
> >On Fri, Jun 30, 2006 at 01:06:42PM -0700, Paul Forgey wrote:
> >>At the very least I would want the fproxy page to be able to be
> >>password protected.
> >>
> >>I know trusted client certificates can be a nightmare. If you
> >>support SSL, supporting client certificates is actually quite easy.
> >>That's why I suggested just putting in the options for users who know
> >>what they are doing but not really offering support beyond that.
> >>Given the sensitivity of what fproxy can do, if it is run on a multi
> >>user machine this is really the most secure way to support doing
> >>that, even in a local network.
> >>
> >>On Jun 30, 2006, at 11:05 AM, Matthew Toseland wrote:
> >>
> >>>Allowing trusted client certificates is a very complex option (from the
> >>>point of view of user friendliness)...
> >>>
> >>>We can provide some options for stripped down operation (e.g. no direct
> >>>downloads to disk / uploads from disk, no global queue access without a
> >>>password), if that is useful..
> >>>
> >>>What proportion of users are affected by these issues though?
> >>>
> >>>On Mon, Jun 26, 2006 at 06:04:24PM -0700, Paul Forgey wrote:
> >>>>While it is probably not a good idea to run freenet on a multi user
> >>>>machine, it can almost be done in a manner that is as secure as the
> >>>>machine itself is and the option should be there to do it. I think
> >>>>participation would go up if more people could run permanently up
> >>>>freenet nodes like mine without throwing an entire machine at it. My
> >>>>server machines are, well, servers and they have user accounts which
> >>>>means they could connect via localhost and do things to freenet
> >>>>unless I restrict fproxy access to other hosts.
> >>>>
> >>>>Currently, I run freenet under its own "freenet" user account on
> >>>>its own filesystem with all files and directories accessible only to
> >>>>the freenet user. I have to pick a single user host on my network I
> >>>>want to access fproxy through and restrict it to that host. The
> >>>>telnet interface is of course disabled.
> >>>>
> >>>>As an alternative to host based access, it would be very nice to have
> >>>>an option for fproxy to support https and accept connections only
> >>>>from predefined client certificates, or at very least require a
> >>>>password. For https support, all that would be really required is a
> >>>>directory for the administrator to put .PEM encoded root certificates
> >>>>it trusts, another directory for client certificates it allows and a
> >>>>configuration option pointing to the server certificate and private
> >>>>key. Beyond that, leave it up to the administrator who knows what
> >>>>s/he is doing to generate and manage all of this.
> >>>>
> >>>>The password option is even easier and I strongly think it should be
> >>>>there.

--
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
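
Added example, not part of the thread and not Freenet code: one way to realise the layout proposed in the quoted message of Jun 26 (a directory of trusted PEM root certificates, a directory of allowed client certificates, and a server certificate plus private key), sketched with Python's standard `ssl` module. All function names, directory arguments and file names are assumptions made for illustration.

```python
import hashlib
import ssl
from pathlib import Path

# All names and paths below are assumptions for illustration, not Freenet options.

def load_allowed_fingerprints(client_dir):
    """SHA-256 fingerprints of every PEM certificate in the allow-list directory."""
    allowed = set()
    for pem_file in sorted(Path(client_dir).glob("*.pem")):
        der = ssl.PEM_cert_to_DER_cert(pem_file.read_text())
        allowed.add(hashlib.sha256(der).hexdigest())
    return allowed

def is_allowed(peer_der, allowed):
    """True only if the presented certificate is byte-identical to a listed one."""
    if not peer_der:  # no client certificate was presented
        return False
    return hashlib.sha256(peer_der).hexdigest() in allowed

def build_server_context(server_cert, server_key, roots_dir):
    """TLS context that rejects clients whose certificate does not chain to a root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    for root in sorted(Path(roots_dir).glob("*.pem")):
        ctx.load_verify_locations(cafile=str(root))
    return ctx

def authorize(tls_conn, allowed):
    """Second gate, run on an accepted ssl.SSLSocket after the handshake."""
    return is_allowed(tls_conn.getpeercert(binary_form=True), allowed)

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in bytes, not real X.509; only the PEM armour is parsed here.
    listed, unlisted = b"constructed-client-A", b"constructed-client-B"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "client-a.pem").write_text(ssl.DER_cert_to_PEM_cert(listed))
        allowed = load_allowed_fingerprints(d)
    print(is_allowed(listed, allowed), is_allowed(unlisted, allowed))
```

Chain validation against the root directory and the exact-match check against the client directory are separate gates: a certificate issued by a trusted root is still refused unless its fingerprint is in the allow-list.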
