Re: [Server-devel] Filtering and authentication
On Mon, Apr 27, 2009 at 11:34 PM, Jerry Vonau jvo...@shaw.ca wrote:
> Have a look at the method used with NoCatAuth from http://nocat.net/
> Might make a good starting point.

Looked at it briefly, but it's not clear what's interesting in it. Is there something specific that nocat does really well?

cheers,

m
--
martin.langh...@gmail.com
mar...@laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
Re: [Server-devel] Filtering and authentication
On Tue, Apr 28, 2009 at 6:34 PM, Jerry Vonau jvo...@shaw.ca wrote:
> On Tue, 2009-04-28 at 16:34 -0400, Reuben K. Caron wrote:
> > All of the documentation is contained within their download. It appears like a nice lightweight solution. It is basically a captive portal that requires authentication before allowing access to the internet. It takes a different approach than netreg using dynamically created iptables generated after a user logs in. Whereas netreg uses dhcp to assign one set of ip addresses to an authenticated group of users and one set of ip addresses to an unauthenticated set of users.
> >
> > It appears in their current implementation nocat would require an authentication every time a user connects to the system and netreg would require a single authentication event and subsequently would read the mac address from the dhcpd.conf file and grant an authenticated ip address.
> >
> > Regards,
> >
> > Reuben
>
> Thanks Reuben,
>
> The part that I like is the hook to query a DB, with a bit of work the need to login could be removed, and just look up the group membership that the mac address has in the db.
>
> Just a thought,
>
> Jerry

Keep the thoughts coming! :-)

Additionally, this solution would be more secure as it does a dance with iptables versus the netreg way where a user could simply assign themselves an ip in from the authenticated group and gain access to the internet.

Both solutions have their merit..first one to program it into XS gets their pick..

Reuben
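The iptables approach described in this message, combined with Jerry's idea of looking up a MAC address's group in a database, can be sketched as follows. This is an added example, not code from NoCatAuth, NetReg or the XS; the registry format, the group names, the 02:00:00 address and the chain name XS_REGISTERED are assumptions.

```shell
#!/bin/sh
# Added example: turn a MAC registry into an iptables-restore fragment.
# Registry lines (constructed format): "<mac> <group>".
ALLOWED_GROUPS="students staff"   # assumption: groups granted internet access

# Print the MAC lowercased if it is six colon-separated hex octets, else fail.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Read the registry on stdin; write the XS_REGISTERED chain (hypothetical name).
# Rules match the source MAC, not the IP, so taking an address from the
# "authenticated" range does not by itself pass the filter.
emit_rules() {
    printf '%s\n' '*filter' ':XS_REGISTERED - [0:0]'
    seen=' '
    while read -r mac group _; do
        case "$mac" in ''|'#'*) continue ;; esac
        mac=$(normalize_mac "$mac") || { echo "skipped malformed entry" >&2; continue; }
        case " $ALLOWED_GROUPS " in *" $group "*) ;; *) continue ;; esac
        case "$seen" in *" $mac "*) continue ;; esac      # drop duplicates
        seen="$seen$mac "
        printf '%s\n' "-A XS_REGISTERED -m mac --mac-source $mac -j ACCEPT"
    done
    printf '%s\n' '-A XS_REGISTERED -j DROP' 'COMMIT'
}

# Constructed sample registry: one duplicate, one unapproved group, one bad MAC.
sample_registry() {
    cat <<'EOF'
# mac group
00:17:C4:AA:BB:01 students
00:17:c4:aa:bb:01 students
02:00:00:aa:bb:02 staff
00:17:c4:aa:bb:03 unregistered
00:17:c4:zz:bb:04 students
EOF
}

sample_registry | emit_rules
```

Loaded with `iptables-restore --noflush`, the fragment replaces only the XS_REGISTERED chain; a single jump from FORWARD for packets arriving on the LAN interface is assumed to be installed separately.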
Re: [Server-devel] Filtering and authentication
On Mon, Apr 27, 2009 at 5:03 PM, Henry Edward Hardy hhard...@gmail.com wrote:
> Does it allow access to The Catcher in the Rye (Use of fuck, blasphemy, drinking, smoking, lying, promiscuity, implied pederasty)

Hi Henry.

We are talking about 6 to 12 year olds in a wide range of cultures. Most cultures wisely protect their young until their teens, and from an anthropological/sociological PoV that makes perfect sense.

Each culture has its own time where it loosens up on young adults. But it is safe to say that it is past our target window (6 to 12 or perhaps 5 to 13).

And... they'll have a lifetime to surf naughty websites, read erotic novels and discover life. At the current trend, they'll get enough viagra spam to last them a lifetime.

There is _no_ need to mistreat them serving them such stuff when they are 7.

cheers,

m
--
martin.langh...@gmail.com
mar...@laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
Re: [Server-devel] Filtering and authentication
Anna wrote:
> On Sun, Apr 26, 2009 at 10:51 AM, Reuben K. Caron reu...@laptop.org wrote:
>
> As far as limiting the internet connection to authorized XOs, that's an issue we're probably going to run into at some point once we broaden the XS deployment. So far at the pilot school, the staff members connect to the internet with their personal laptops and iPhones, but I haven't really heard any complaints of abuse yet.
>
> If your deployment is relatively small, it should be easy enough to add the hardware addresses of the trusted XOs to dhcpd.conf and disallow unknown machines (or play pranks on them as suggested at http://www.ex-parrot.com/~pete/upside-down-ternet.html).
>
> Anna Schoolfield
> Birmingham

While not all encompassing you could also attempt to drop dhcp requests that do not come from 00:17:c4 using something similar to:
http://ubuntuforums.org/showthread.php?p=4191756

Reuben
Re: [Server-devel] Filtering and authentication
On Apr 27, 2009, at 11:18 AM, Reuben K. Caron wrote:
> Anna wrote:
> > On Sun, Apr 26, 2009 at 10:51 AM, Reuben K. Caron reu...@laptop.org wrote:
> >
> > As far as limiting the internet connection to authorized XOs, that's an issue we're probably going to run into at some point once we broaden the XS deployment. So far at the pilot school, the staff members connect to the internet with their personal laptops and iPhones, but I haven't really heard any complaints of abuse yet.
> >
> > If your deployment is relatively small, it should be easy enough to add the hardware addresses of the trusted XOs to dhcpd.conf and disallow unknown machines (or play pranks on them as suggested at http://www.ex-parrot.com/~pete/upside-down-ternet.html).
> >
> > Anna Schoolfield
> > Birmingham
>
> While not all encompassing you could also attempt to drop dhcp requests that do not come from 00:17:c4 using something similar to:
> http://ubuntuforums.org/showthread.php?p=4191756

Please do not take this approach. It sounds quick, easy, and foolproof, but will lead to problems in the future. (I almost suggested it, but decided the cons outweighed the pros.)

For example, what if you get an XO-1.5 in the mix? It won't work, and will be difficult to debug. You also disallow other laptops (teachers, etc.) from being in the network...

wad
Re: [Server-devel] Filtering and authentication
John Watlington wrote:
> On Apr 27, 2009, at 11:18 AM, Reuben K. Caron wrote:
> > Anna wrote:
> > > On Sun, Apr 26, 2009 at 10:51 AM, Reuben K. Caron reu...@laptop.org wrote:
> > >
> > > As far as limiting the internet connection to authorized XOs, that's an issue we're probably going to run into at some point once we broaden the XS deployment. So far at the pilot school, the staff members connect to the internet with their personal laptops and iPhones, but I haven't really heard any complaints of abuse yet.
> > >
> > > If your deployment is relatively small, it should be easy enough to add the hardware addresses of the trusted XOs to dhcpd.conf and disallow unknown machines (or play pranks on them as suggested at http://www.ex-parrot.com/~pete/upside-down-ternet.html).
> > >
> > > Anna Schoolfield
> > > Birmingham
> >
> > While not all encompassing you could also attempt to drop dhcp requests that do not come from 00:17:c4 using something similar to:
> > http://ubuntuforums.org/showthread.php?p=4191756
>
> Please do not take this approach. It sounds quick, easy, and foolproof, but will lead to problems in the future. (I almost suggested it, but decided the cons outweighed the pros.)

I agree it is fraught with peril; however, do we have a better solution until: Tie internet access to registration, is implemented:
http://wiki.laptop.org/go/User:Martinlanghoff/XS_0.6_plan#Not_in_the_plan

> For example, what if you get an XO-1.5 in the mix?

I would assume XO 1.5 will have a similar unique identifier that could be added to the list.

While more complex to implement, perhaps something like NetReg would be viable:
http://netreg.sourceforge.net/

Regards,

Reuben
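Anna's suggestion of listing trusted hardware addresses in dhcpd.conf, set against the 00:17:c4 prefix filter that the replies warn about, as an added example (not from the thread or the XS code): the script generates per-host declarations and marks registered machines that a prefix-only filter would turn away. The registry format, the hostnames, the 02:00:00 address and the 192.0.2.0/24 subnet are constructed.

```shell
#!/bin/sh
# Added example: build ISC dhcpd host entries from a registration list.
# Registry lines (constructed format): "<hostname> <mac>".
XO_OUI="00:17:c4"   # hardware-address prefix quoted in the thread

# Emit one host declaration per valid entry. Machines outside XO_OUI are
# annotated, because a prefix-only filter would refuse them a lease.
emit_hosts() {
    while read -r name mac _; do
        case "$name" in ''|'#'*) continue ;; esac
        printf '%s\n' "$name" | grep -Eq '^[a-z0-9-]+$' || continue
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || continue
        case "$mac" in
            "$XO_OUI":*) note="" ;;
            *)           note="  # outside $XO_OUI" ;;
        esac
        printf 'host %s { hardware ethernet %s; }%s\n' "$name" "$mac" "$note"
    done
}

# Wrap the host entries in a pool that only serves machines with a host entry.
emit_dhcpd_conf() {
    printf '%s\n' 'subnet 192.0.2.0 netmask 255.255.255.0 {' \
                  '  pool {' \
                  '    range 192.0.2.10 192.0.2.200;' \
                  '    deny unknown-clients;' \
                  '  }' \
                  '}'
    emit_hosts
}

# Constructed sample: an XO, a teacher laptop, and a truncated address.
sample_hosts() {
    cat <<'EOF'
# hostname mac
xo-classroom-01 00:17:C4:AA:BB:01
teacher-laptop 02:00:00:aa:bb:02
broken-entry 00:17:c4:aa:bb
EOF
}

sample_hosts | emit_dhcpd_conf
```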
Re: [Server-devel] Filtering and authentication
On Mon, 2009-04-27 at 18:00 +0200, Martin Langhoff wrote:
> On Mon, Apr 27, 2009 at 5:54 PM, Reuben K. Caron reu...@laptop.org wrote:
> > While more complex to implement, perhaps something like NetReg would be viable:
> > http://netreg.sourceforge.net/
>
> Exactly. What we've been discussing w Reuben is to whitelist MAC addresses upon registration or Moodle access.

Have a look at the method used with NoCatAuth from http://nocat.net/
Might make a good starting point.

> Given that I am making it possible for the admin accounts in Moodle to grant Moodle access to non-XO users, that opens the controlled window to non-XO hw we want.
>
> How and when I'll be able to implement it... that's a different topic :-)

Jerry
Re: [Server-devel] Filtering and authentication
Martin Langhoff wrote:
> On Sat, Apr 25, 2009 at 11:15 PM, david da...@leeming-consulting.com wrote:
> > maybe the connection with the public Internet can be pointed to an online proxy service so the filtering is done online
>
> That is my strong recommendation. There is little benefit in having the filtering happening locally, and lots of downsides. Search the list archive for 'dansguardian' or 'squidgard' for earlier discussions on this topic.

A free and simple solution, while not bullet proof (no content filter is that I am aware), is Open DNS. They are even CIPA compliant in the US:
http://www.opendns.com/solutions/k12/
[Server-devel] Filtering and authentication
Can anyone refer me to how to set up content filtering on the XS 0.5, or maybe the connection with the public Internet can be pointed to an online proxy service so the filtering is done online. This is a temporary request from the Nauru OLPC committee. They will be using a Content Keeper to filter all Education Dept Internet access at the gateway but it's not set up yet.

Secondly, can we add password authentication to XOs logging on to the XS? The issue is again unauthorised access to the Internet through the XS.

I will have to look at what Pia has done again.

David Leeming
Leeming International Consulting
P.O. Box 652, Honiara, Solomon Islands
Tel: (677) 76396
About me: http://wikieducator.org/User:Leeming
Re: [Server-devel] Filtering and authentication
2009/4/25 david da...@leeming-consulting.com:
> Can anyone refer me to how to set up content filtering on the XS 0.5, or maybe the connection with the public Internet can be pointed to an online proxy service so the filtering is done online. This is a temporary request from the Nauru OLPC committee. They will be using a Content Keeper to filter all Education Dept Internet access at the gateway but it's not set up yet.

http://wiki.paraguayeduca.org/index.php/Squidguard

It's in Spanish but the commands should be self explanatory...

> Secondly, can we add password authentication to XOs logging on to the XS? The issue is again unauthorised access to the Internet through the XS.

I don't have any immediate ideas and I haven't heard of any deployments doing this. I'd suggest looking at squid's capabilities to start.

Daniel