Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 10:22 -0800, Ryan Roth wrote:
> If the WWW_USERS string has $ in it webtypes reads it as None, if I 
> remove the $ it reads fine

Let's move this over to freevo-devel -- we should have done that ages
ago. :)

Anyway, I'm not sure what you mean here.  Can you elaborate?


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
___
Freevo-users mailing list
Freevo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freevo-users


Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
If the WWW_USERS string has $ in it webtypes reads it as None, if I 
remove the $ it reads fine

Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 13:15 -0500, Jason Tackaberry wrote:
>> On Mon, 2007-01-01 at 10:01 -0800, Ryan Roth wrote:
>>> while len(salt) < 8:
>>>     char = os.urandom(1)
>>>     if re.match('[a-zA-Z0-9]', char) > -1:
>>>         salt = salt + char
>>
>> This is fine.  A bit hungrier than the code I suggested, but then it
>> doesn't need to be fast. I'd get rid of "> -1"
>
> Wait, you missed '/.'  Change your re.match line to:
>
>    if re.match(r'[a-zA-Z0-9/.]', char):



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 13:15 -0500, Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 10:01 -0800, Ryan Roth wrote:
> > while len(salt) < 8:
> >     char = os.urandom(1)
> >     if re.match('[a-zA-Z0-9]', char) > -1:
> >         salt = salt + char
> 
> This is fine.  A bit hungrier than the code I suggested, but then it
> doesn't need to be fast. I'd get rid of "> -1"

Wait, you missed '/.'  Change your re.match line to:

   if re.match(r'[a-zA-Z0-9/.]', char):






Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 10:01 -0800, Ryan Roth wrote:
> while len(salt) < 8:
>     char = os.urandom(1)
>     if re.match('[a-zA-Z0-9]', char) > -1:
>         salt = salt + char

This is fine.  A bit hungrier than the code I suggested, but then it
doesn't need to be fast. I'd get rid of "> -1"

Cheers,
Jason.




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
Yeah I got it, thanks:

while len(salt) < 8:
    char = os.urandom(1)
    if re.match('[a-zA-Z0-9]', char) > -1:
        salt = salt + char




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 09:23 -0800, Ryan Roth wrote:
> How do I get urandom to only do valid chars?

You could read in 8 characters, and then coerce them to the range needed
with modulo reduction.  Something like:

import string
chars = string.letters + string.digits + '/.'
salt = [ chars[ord(x) % len(chars)] for x in file('/dev/urandom').read(8) ]
salt = "".join(salt)

From an anal-retentive cryptographic perspective, this would produce a
statistical bias toward the first character ('a') if the length of chars
isn't a power of 2.  It strikes me as not a coincidence though that, per
spec, the allowed salt chars is 64, exactly a power of 2.

If it weren't, the proper (again, paranoid) approach would be to zero
the unneeded MSB bits in each /dev/urandom char to put the value to the
closest power of 2, and then discard the character if it's not less than
len(chars).

But even if the length of chars wasn't a power of 2, I'd probably tell
you not to worry about it. :)

Cheers,
Jason.




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Morten Nilsen
Ryan Roth wrote:
> How do I get urandom to only do valid chars?

with a loop..



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
This is the part I'm stuck on:

So the password helper will:
 1. Prompt for username and password
 2. generate a salt of 8 random bytes (from the set [a-zA-Z0-9./])
gotten from /dev/urandom
 3. Output username and crypt.crypt(password, "$1$%s$" % salt)

How do I get urandom to only do valid chars?





Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:56 -0800, Ryan Roth wrote:
> I will redo it with crypt then.  BTW it does work.  It takes the stored 
> password hash, then it hashes the supplied password and compares them.

The patch as submitted wouldn't work (because it had the crypt line that
shouldn't have been there, as you said).  No problem, we all submit
patches with accidental cruft left behind. :)


> 'saltedflavor')", was not supposed to be in there, sorry.  I would like 
> to use the username for the salt that way I can truncate it off the 
> stored hash, but this is your call.

I'm going to rule with an iron fist on this one. :)  If we're going to
do it at all, let's do it right.  I don't fully understand the security
characteristics of using the salt as the username, but then neither do
you.  But intuitively it is less secure than using a random salt.

Cryptography is hard enough, but it's also largely a solved problem.  We
have existing models to follow (in this case the standard unix passwd
model), and deviating from a model that's was devised and reviewed by
security experts, been in use for years, and has well understood
security properties, seems to me to be a bad idea.

I feel compelled to quote Peter Gutmann:

"Whenever someone thinks that they can replace SSL/SSH with
something much better that they designed this morning over
coffee, their computer speakers should generate some sort of
penis-shaped sound wave and plunge it repeatedly into their
skulls until they achieve enlightenment."


So the password helper will:
 1. Prompt for username and password
 2. generate a salt of 8 random bytes (from the set [a-zA-Z0-9./])
gotten from /dev/urandom
 3. Output username and crypt.crypt(password, "$1$%s$" % salt)

And the webserver will:
 1. Read username and password from remote end
 2. grab cryptpass from config file for given username
 3. Parse $1$.{8}$ from cryptpass as salt.
 4. Compare cryptpass with crypt.crypt(password, "$1$%s$" % salt)


Hopefully you're not too exasperated.  I'm just stubborn. :)

Thanks,
Jason.
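The salt generation from the urandom/modulo exchange above and the helper/webserver procedure just listed, worked through as an added example (my code, not Freevo's). It generalizes the power-of-two observation: bytes are masked to the next power of two above the alphabet size and rejected when out of range, which for the 64-character crypt alphabet never rejects anything. crypt.crypt is passed in as crypt_fn because the crypt module was removed in Python 3.13; stand_in_crypt is a constructed hash with the same "$1$salt$" shape, present only so the example runs offline.

```python
import hashlib
import hmac
import os
import re

# The 64-character salt alphabet from crypt(3), as quoted in the thread.
SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
SALT_LEN = 8

# The "$1$<8 salt chars>$" prefix the webserver parses out of cryptpass.
MD5CRYPT_PREFIX = re.compile(r"^\$1\$([a-zA-Z0-9./]{8})\$")


def make_salt(alphabet=SALT_CHARS, length=SALT_LEN, rng=os.urandom):
    """Draw `length` characters uniformly from `alphabet` by rejection sampling.

    Each random byte is masked down to the smallest power of two that covers
    the alphabet and rejected if it still indexes past the end.  With 64
    characters the mask is 0x3F and no byte is ever rejected (the modulo
    approach is unbiased there); for any other size the rejection step is
    what removes the bias toward the first characters.
    """
    n = len(alphabet)
    mask = (1 << (n - 1).bit_length()) - 1
    out = []
    while len(out) < length:
        for b in rng(length):          # rng returns `length` random bytes
            v = b & mask
            if v < n:
                out.append(alphabet[v])
                if len(out) == length:
                    break
    return "".join(out)


def parse_salt(cryptpass):
    """Return the 8-character salt from a stored "$1$salt$hash" string, or None."""
    m = MD5CRYPT_PREFIX.match(cryptpass)
    return m.group(1) if m else None


def make_entry(username, password, crypt_fn, rng=os.urandom):
    """Password helper: the (username, cryptpass) pair written to the config."""
    salt = make_salt(rng=rng)
    return username, crypt_fn(password, "$1$%s$" % salt)


def check_password(password, cryptpass, crypt_fn):
    """Webserver side: recompute with the stored salt and compare.

    A stored value without the "$1$salt$" prefix (for example a plaintext
    entry) is rejected outright rather than compared literally.
    """
    salt = parse_salt(cryptpass)
    if salt is None:
        return False
    candidate = crypt_fn(password, "$1$%s$" % salt)
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(candidate.encode(), cryptpass.encode())


def stand_in_crypt(password, setting):
    """Constructed stand-in for crypt.crypt with the same output shape.

    This is NOT md5crypt and is only here so the example runs without the
    crypt module; never store real passwords with it.
    """
    salt = parse_salt(setting)
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return "$1$%s$%s" % (salt, digest[:22])


if __name__ == "__main__":
    try:
        from crypt import crypt as crypt_fn   # removed in Python 3.13
    except ImportError:
        crypt_fn = stand_in_crypt
    # On platforms whose crypt(3) lacks md5crypt the output will not carry
    # the "$1$" prefix and check_password() correctly reports False.
    user, entry = make_entry("ryan", "mypass", crypt_fn)
    print("%s : %s" % (user, entry))
    print(check_password("mypass", entry, crypt_fn),
          check_password("wrong", entry, crypt_fn))
```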




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
I will redo it with crypt then.  BTW it does work.  It takes the stored 
password hash, then it hashes the supplied password and compares them.  
If the hashes are the same you have the same password.  When I used the 
username for salt you could only get a direct match when both the stored 
username and password matched the supplied username and password.  This 
is running on my system right now.

Also the crypt line, "password = crypt(password, '$1$'+ 
'saltedflavor')", was not supposed to be in there, sorry.  I would like 
to use the username for the salt that way I can truncate it off the 
stored hash, but this is your call.


Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 08:36 -0800, Ryan Roth wrote:
>> Here is a more polite way of sending the patch, sorry
>
> No problem.  However the patch does need some work:
>
>> +password = crypt(password, '$1$'+ 'saltedflavor')
>
> You're using a fixed salt, which rather defeats the purpose of a salt.
> You should derive the salt from /dev/urandom.  (man crypt for details on
> the legal values for salt.)
>
>> +password = md5.new(password)
>
> This is unnecessary, and in fact if you use a random salt, cannot be
> done at all.  The value returned by crypt() is suitable for writing out
> directly to the file.
>
>>  print 'auth_user(self, username=\"%s\", password=\"%s\")' % 
>> (username, '**')
>>  realpass = config.WWW_USERS.get(username)
>> -if not realpass:
>> -md5user = md5.new(username + password)
>> -realpass = 
>> config.WWW_USERS.get(base64.b32encode(md5user.digest()))
>> -md5pass = md5.new(password + username)
>> -password = base64.b32encode(md5pass.digest())
>> +md5pass = md5.new(password)
>>  if realpass == password:
>>  return True
>> +elif realpass == b16encode(md5pass.digest()):
>> +return True
>
> Hmm, did you test this?
>
> I can't figure out how this is supposed to work.  Am I right in assuming
> that the user supplied password is the variable password, and realpass
> is what's written to the config file (as generated by the passwd
> helper)?  (realpass variable name ought to be changed to cryptpass.)  In
> this case the password helper stored the md5 hash of the crypted version
> of the password, and this is compared to the md5 of the literal
> password.  Unless I'm missing something there's no way this can work.
>
> In any case the right approach is to get rid of all the md5 stuff,
> generate a random salt from /dev/urandom in the password helper and
> write out the output generated by crypt().   Then in web_types.py, parse
> the salt from realpass, feed that into crypt() along with password, and
> compare the return value with realpass.
>
> Thanks,
> Jason.



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:36 -0800, Ryan Roth wrote:
> Here is a more polite way of sending the patch, sorry

No problem.  However the patch does need some work:

> +password = crypt(password, '$1$'+ 'saltedflavor')

You're using a fixed salt, which rather defeats the purpose of a salt.
You should derive the salt from /dev/urandom.  (man crypt for details on
the legal values for salt.)

> +password = md5.new(password)

This is unnecessary, and in fact if you use a random salt, cannot be
done at all.  The value returned by crypt() is suitable for writing out
directly to the file.


>  print 'auth_user(self, username=\"%s\", password=\"%s\")' % 
> (username, '**')
>  realpass = config.WWW_USERS.get(username)
> -if not realpass:
> -md5user = md5.new(username + password)
> -realpass = 
> config.WWW_USERS.get(base64.b32encode(md5user.digest()))
> -md5pass = md5.new(password + username)
> -password = base64.b32encode(md5pass.digest())
> +md5pass = md5.new(password)
>  if realpass == password:
>  return True
> +elif realpass == b16encode(md5pass.digest()):
> +return True

Hmm, did you test this?

I can't figure out how this is supposed to work.  Am I right in assuming
that the user supplied password is the variable password, and realpass
is what's written to the config file (as generated by the passwd
helper)?  (realpass variable name ought to be changed to cryptpass.)  In
this case the password helper stored the md5 hash of the crypted version
of the password, and this is compared to the md5 of the literal
password.  Unless I'm missing something there's no way this can work.

In any case the right approach is to get rid of all the md5 stuff,
generate a random salt from /dev/urandom in the password helper and
write out the output generated by crypt().   Then in web_types.py, parse
the salt from realpass, feed that into crypt() along with password, and
compare the return value with realpass.

Thanks,
Jason.




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth

Here is a more polite way of sending the patch, sorry
Index: src/helpers/passwd.py
===
--- src/helpers/passwd.py   (revision 8885)
+++ src/helpers/passwd.py   (working copy)
@@ -28,11 +28,11 @@
 #
 # ---
 
-import base64
+from base64 import b16encode
 import md5
 
-username_in = raw_input('Enter username:')
-password_in = raw_input('Enter password:')
-password = md5.new(password_in + username_in)
-username = md5.new(username_in + password_in)
-print("'%s' : '%s'" % (base64.b32encode(username.digest()), 
base64.b32encode(password.digest(
+username = raw_input('Enter username:')
+password = raw_input('Enter password:')
+password = crypt(password, '$1$'+ 'saltedflavor')
+password = md5.new(password)
+print("'%s' : '%s'" % (username, b16encode(password.digest(
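Review bot: crypt is called on the `+password = crypt(password, '$1$'+ 'saltedflavor')` line, but the only imports visible in this hunk are `from base64 import b16encode` and `import md5`, so unless crypt is imported elsewhere in the file the helper raises NameError; add `from crypt import crypt`. The salt is also a fixed literal, so every user with the same password gets the same stored value, and hashing the crypt() output again with md5 on the next line gains nothing; write out the crypt() result directly with a salt drawn from /dev/urandom. raw_input echoes the password to the terminal, where getpass.getpass would not.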
Index: src/www/web_types.py
===
--- src/www/web_types.py(revision 8885)
+++ src/www/web_types.py(working copy)
@@ -1,4 +1,4 @@
-# -*- coding: iso-8859-1 -*-
+# /bin/bash: indent: command not found
 # ---
 # web_types.py - Classes useful for the web interface.
 # ---
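Review bot: this hunk replaces the `# -*- coding: iso-8859-1 -*-` declaration with `# /bin/bash: indent: command not found`, which reads like shell error output captured into the file by accident rather than an intended change; drop the hunk so the coding line is kept.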
@@ -27,7 +27,7 @@
 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 # ---
-import base64
+from base64 import b16encode
 import md5
 
 import os, sys, time
@@ -107,13 +107,11 @@
 """
 print 'auth_user(self, username=\"%s\", password=\"%s\")' % (username, 
'**')
 realpass = config.WWW_USERS.get(username)
-if not realpass:
-md5user = md5.new(username + password)
-realpass = config.WWW_USERS.get(base64.b32encode(md5user.digest()))
-md5pass = md5.new(password + username)
-password = base64.b32encode(md5pass.digest())
+md5pass = md5.new(password)
 if realpass == password:
 return True
+elif realpass == b16encode(md5pass.digest()):
+return True
 else:
 return False
 
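Review bot: the new comparison cannot succeed against what the helper writes. The helper stores b16encode(md5(crypt(password, fixed_salt))), while the `+md5pass = md5.new(password)` line here hashes the literal password, so the `elif realpass == b16encode(md5pass.digest()):` branch never matches; the retained `if realpass == password:` additionally accepts a plaintext entry in the config. Parse the salt out of the stored crypt string, compare it with crypt(password, that_salt), and consider renaming realpass to cryptpass.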


Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
Can you apply that for me? I can't write to SVN.

Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 08:11 -0800, Ryan Roth wrote:
>> If the salt is stored with the password then there is no reason to
>> really use it right?
>
> No, the salt increases the difficulty of dictionary-based attacks
> considerably.



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
Index: src/www/web_types.py
===
--- src/www/web_types.py  (revision 8885)
+++ src/www/web_types.py  (working copy)
@@ -1,4 +1,4 @@
-# -*- coding: iso-8859-1 -*-
+# /bin/bash: indent: command not found
 # ---
 # web_types.py - Classes useful for the web interface.
 # ---
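Review bot: the `+# /bin/bash: indent: command not found` line replacing `# -*- coding: iso-8859-1 -*-` looks like a shell error message that ended up in the file by accident; this hunk should be dropped so the coding declaration survives.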
@@ -27,7 +27,7 @@
 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 # ---
-import base64
+from base64 import b16encode
 import md5

 import os, sys, time
@@ -107,13 +107,11 @@
 """
 print 'auth_user(self, username=\"%s\", password=\"%s\")' % 
(username, '**')
 realpass = config.WWW_USERS.get(username)
-if not realpass:
-md5user = md5.new(username + password)
-realpass = 
config.WWW_USERS.get(base64.b32encode(md5user.digest()))
-md5pass = md5.new(password + username)
-password = base64.b32encode(md5pass.digest())
+md5pass = md5.new(password)
 if realpass == password:
 return True
+elif realpass == b16encode(md5pass.digest()):
+return True
 else:
 return False
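Review bot: the `elif realpass == b16encode(md5pass.digest()):` branch compares md5 of the literal password against a stored value that the helper builds as md5 of the crypt() output, so the two can never be equal, and the unchanged `if realpass == password:` still lets a plaintext config entry authenticate. The check should parse the salt from the stored crypt string and compare crypt(password, salt) with it.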
===
--- src/helpers/passwd.py (revision 8885)
+++ src/helpers/passwd.py (working copy)
@@ -28,11 +28,11 @@
 #
 # ---

-import base64
+from base64 import b16encode
 import md5

-username_in = raw_input('Enter username:')
-password_in = raw_input('Enter password:')
-password = md5.new(password_in + username_in)
-username = md5.new(username_in + password_in)
-print("'%s' : '%s'" % (base64.b32encode(username.digest()), 
base64.b32encode(password.digest(
+username = raw_input('Enter username:')
+password = raw_input('Enter password:')
+password = crypt(password, '$1$'+ 'saltedflavor')
+password = md5.new(password)
+print("'%s' : '%s'" % (username, b16encode(password.digest(
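Review bot: `+password = crypt(password, '$1$'+ 'saltedflavor')` uses crypt without any import of it appearing in the hunk (only b16encode and md5 are imported), and the literal salt means identical passwords produce identical stored values; the md5 of the crypt() output on the following line adds nothing. Use a per-user salt from /dev/urandom and write out crypt()'s result as-is.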




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:11 -0800, Ryan Roth wrote:
> If the salt is stored with the password then there is no reason to
> really use it right?

No, the salt increases the difficulty of dictionary-based attacks
considerably.




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
If the salt is stored with the password then there is no reason to
really use it right?

Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 08:04 -0800, Ryan Roth wrote:
>> So would you like it changed?
>
> I would, yes. :)



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 08:04 -0800, Ryan Roth wrote:
> So would you like it changed?

I would, yes. :)





Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
So would you like it changed?

Jason Tackaberry wrote:
> On Mon, 2007-01-01 at 07:43 -0800, Ryan Roth wrote:
>> I can change it if that is what people want.  I personally like not
>> having blatant visible usernames or passwords in plain text files.
>
> The model from the beginning of time has always been that usernames are
> not secret.  I think changing that for the sake of being clever is
> probably a bad idea.  I think in the best case you won't be helping
> security, and in the worst case would be hurting it.
>
> Everybody knows usernames are stored in the clear.  If you're worried
> that your username leaks something personal, choose a different
> username.
>
>> When comparing given password to stored password how do you use the same
>> salt if it is random?  Or is it a random salt for that machine?
>
> The salt is stored along with the crypted output:
>
> [EMAIL PROTECTED] ~]$ python -c 'from crypt import crypt; print crypt("mypass", "$1$somesalt$")'
> $1$somesalt$YNyB7foQZZvxHOICTr52H.
>
> (somesalt could be derived from /dev/urandom.)  So when you want to
> compare user input, you parse the salt from the front of the stored
> password hash, and feed that back into crypt() with the user-supplied
> password and see if the results match.
>
> Cheers,
> Jason.



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Mon, 2007-01-01 at 07:43 -0800, Ryan Roth wrote:
> I can change it if that is what people want.  I personally like not 
> having blatant visible usernames or passwords in plain text files.

The model from the beginning of time has always been that usernames are
not secret.  I think changing that for the sake of being clever is
probably a bad idea.  I think in the best case you won't be helping
security, and in the worst case would be hurting it.

Everybody knows usernames are stored in the clear.  If you're worried
that your username leaks something personal, choose a different
username.


> When comparing given password to stored password how do you use the same
> salt if it is random?  Or is it a random salt for that machine?

The salt is stored along with the crypted output:

[EMAIL PROTECTED] ~]$ python -c 'from crypt import crypt; print crypt("mypass", "$1$somesalt$")'
$1$somesalt$YNyB7foQZZvxHOICTr52H.

(somesalt could be derived from /dev/urandom.)  So when you want to
compare user input, you parse the salt from the front of the stored
password hash, and feed that back into crypt() with the user-supplied
password and see if the results match.

Cheers,
Jason.




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Ryan Roth
I can change it if that is what people want.  I personally like not 
having blatant visible usernames or passwords in plain text files.

When comparing given password to stored password how do you use the same
salt if it is random?  Or is it a random salt for that machine?

Jason Tackaberry wrote:
> On Sun, 2006-12-31 at 23:20 -0800, Ryan Roth wrote:
>> You're way behind :), I already changed it to use md5
>
> No, I saw that.  I was just saying not to hash the username, and to use
> the conventional unix crypt command with a random salt (instead of the
> username as salt).  crypt(3) on any modern linux will use MD5 implicitly
> so long as your salt follows the "$1$$" format.
>
> Jason.



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2007-01-01 Thread Jason Tackaberry
On Sun, 2006-12-31 at 23:20 -0800, Ryan Roth wrote:
> You're way behind :), I already changed it to use md5

No, I saw that.  I was just saying not to hash the username, and to use
the conventional unix crypt command with a random salt (instead of the
username as salt).  crypt(3) on any modern linux will use MD5 implicitly
so long as your salt follows the "$1$$" format.

Jason.




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-31 Thread Ryan Roth
You're way behind :), I already changed it to use md5



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-31 Thread Jason Tackaberry
On Fri, 2006-12-29 at 14:47 -0800, Ryan Roth wrote:
> idea of plain text passwords.  If you really want I can change it to 
> md5, but since the username and password are salted with each other it 
> should be pretty safe, since you would need both to crack one.

Hashing the username seems like needless obfuscation.  What you're
essentially doing is concatenating the username and password to make a
bigger password, both of which now are considered key material.  But the
username shouldn't be used as key material, because it's always visible
in logs, echoed back when the user types it, etc.  So you're not really
improving security by doing this.

I'd just follow the traditional model and store the username and the
crypted password.  You can use python's crypt module to hash the
password with a random salt.  (Specify "$1$$" as the salt
parameter and it will use MD5 to hash the password.)

Cheers,
Jason.




Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth

It turns out python has a md5 module built right in.  I went ahead and 
changed it to md5.  So to summarize, since there have been so many 
emails and versions ;)

The passwd helper takes a username and password from the user and dumps 
md5 encoded strings for the user to add to local_conf.py

The webserver first checks the username against the local_conf.py, if 
it does not find it, it then hashes the name and checks to see if that 
matches the local_conf.py



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
The newest version is on the tracker page.  The reason I do not like 
plain text in the local_conf.py is because I keep backups of this file 
on my PC, and I imagine others may do so too.  I just do not like the 
idea of plain text passwords.  If you really want I can change it to 
md5, but since the username and password are salted with each other it 
should be pretty safe, since you would need both to crack one.



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth

No more local_conf.py foolery
Index: src/www/web_types.py
===
--- src/www/web_types.py(revision 8853)
+++ src/www/web_types.py(working copy)
@@ -27,8 +27,8 @@
 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 # ---
+import crypt

-
 import os, sys, time

 import config
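Review bot: `import crypt` is added above the `# ---` line that closes the licence header rather than with the module's other imports; move it next to `import os, sys, time` (and keep the blank line this hunk removes) so the header/imports layout of web_types.py stays intact.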
@@ -78,8 +78,10 @@
 def auth_user(self, username, password):
 print 'auth_user(self, username=\"%s\", password=\"%s\")' % (username, 
password)
 realpass = config.WWW_USERS.get(username)
-if password == realpass:
+if realpass == password:
 return TRUE
+elif 'crypt-' + crypt.crypt(password, username) == 
config.WWW_USERS.get('crypt-' + crypt.crypt(username, password)):
+return TRUE
 else:
 return FALSE
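Review bot: the debug `print 'auth_user(self, username=\"%s\", password=\"%s\")'` at the top of auth_user writes every submitted password in clear to the console or webserver log on each request, which undoes the point of hashing the stored value; remove it or print the username only. The crypt branch also needs two fixes before merge: `crypt.crypt(password, username)` uses the username as salt, and classic crypt(3) keeps only the first two salt characters (and only the first eight characters of the password), so the salt is neither random nor unpredictable; and the lookup key `'crypt-' + crypt.crypt(username, password)` uses the password as salt, so any password containing a character outside `[a-zA-Z0-9./]` is not a valid crypt(3) salt and different libcs handle that differently. Keying WWW_USERS by the plain username and storing a random-salted hash as the value avoids both problems.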

Index: src/helpers/passwd.py
===
--- src/helpers/passwd.py   (revision 0)
+++ src/helpers/passwd.py   (revision 0)
@@ -0,0 +1,13 @@
+import crypt
+import config
+import string
+import os
+
+if not hasattr(config, 'WWW_USERS'):
+print 'WWW_USERS is missing from local_conf.py\nYou must at least have 
WWW_USERS = {}'
+else:
+username_in = raw_input('Enter username:')
+password_in = raw_input('Enter password:')
+password = crypt.crypt(password_in, username_in)
+username = crypt.crypt(username_in, password_in)
+print("' %s : %s '" % (username, password))
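Review bot: the helper's output does not match what auth_user looks up. auth_user searches WWW_USERS for the key `'crypt-' + crypt.crypt(username, password)` and compares the value against `'crypt-' + crypt.crypt(password, username)`, but this prints `' %s : %s '` with no `crypt-` prefix on either side and not in dict syntax, so pasting the line into local_conf.py gives a lookup miss; print `'crypt-%s': 'crypt-%s',` instead. Separately, `raw_input('Enter password:')` echoes the password on the terminal; use `getpass.getpass()`. `string` and `os` are imported but unused.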


Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
I can change it to just dump the user & password to the console.   Also 
if a user uses crypt- for a password it WILL still work, since it checks 
all passwords against plain text first.

Duncan Webb wrote:
> Ryan Roth wrote:
>   
>> OK I have stunnel working.  I would like to write a howto for the wiki, 
>> but I would like to include the encrypted passwords in the how to also.
>> 
>
> Great wiki page.
>
> I think it would be better to use a tuple for encrypted user names and
> passwords, then the password checker can detect that it is a tuple and
> use the first word as the type of key. Some _smart_ user will use a
> password 'crypt-' and then no login. Better to use a tuple.
>
> Something in the back of my mind tells me that encrypted passwords are a
> bit of a waste of time on a freevo box, unless it is shared by different
> people. One of the big problems is that there is no access control, such
> as read (play) only and read-write.
>
> BTW crypt is not very secure, that's why shadow uses md5 passwords; md5
> is easy to get from the command line: echo 'password' | md5sum
>
> In the patch, you were messing around with local_conf.py, which is not a
> good idea. Better to just output the line, which can be pasted into the
> local_conf.py
>
> Duncan
>
>   
>> Duncan Webb wrote:
>> 
>>> Ryan Roth wrote:
>>>   
>>>   
 The reason I wanted this is to start making the web interface more secure.  
 I wanted to talk with people and see what they thought about changing the 
 web server to a secure server.  This would be nice for those of us who 
 forward web traffic from our public IP to our Freevo box.
 
 
>>> That's what I thought the intention was. However making the password
>>> more secure does not mean that the freevo box is secure. There are
>>> several things that you need to do to make the box more secure when
>>> accessed externally.
>>>
>>> First install stunnel, this means that you can access the freevo box
>>> using the https:// protocol, this means that the data, including
>>> passwords is not transmitted over the net in a readable form. See:
>>> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/stunnel.html
>>>
>>> Configure a service for freevo webserver:
>>> [https]
>>> accept  = 443
>>> connect = 8080
>>> TIMEOUTclose = 0
>>>
>>> You will need a group and a user for freevo webserver access. Let's say:
>>> groupadd -g 80 freevo
>>> useradd -c "Freevo Webserver" -d /home/freevo \
>>> -g freevo -s /bin/false -u 80 freevo
>>>
>>> Change the freevo webserver port and user and group ids in local_conf.py
>>> WEBSERVER_UID = 80
>>> WEBSERVER_GID = 80
>>> WEBSERVER_PORT = 8080
>>>
>>> Then you have to change the group and the permissions of the freevo
>>> media directories. Something like:
>>> find /freevo -type d -exec chgrp freevo {} \;
>>> find /freevo -type d -exec chmod g+ws {} \;
>>>
>>> You will also need to change the ownership and permissions on other
>>> files, eg webserver-80.log, so that the freevo user can write to these
>>> files. There may be more that you need to change.
>>>
>>> Lastly you need to open port 443 on your firewall that then points to
>>> the freevo box.
>>>
>>> Hope this helps and when you have got it working maybe adding a wiki
>>> page would be good.
>>>
>>> Duncan
>>>
>>>

---

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Duncan Webb
Ryan Roth wrote:
> OK I have stunnel working.  I would like to write a howto for the wiki, 
> but I would like to include the encrypted passwords in the how to also.

Great wiki page.

I think it would be better to use a tuple for encrypted user names and
passwords, then the password checker can detect that it is a tuple and
use the first word as the type of key. Some _smart_ user will use a
password 'crypt-' and then no login. Better to use a tuple.

Something in the back of my mind tells me that encrypted passwords are a
bit of a waste of time on a freevo box, unless it is shared by different
people. One of the big problems is that there is no access control, such
as read (play) only and read-write.

BTW crypt is not very secure, that's why shadow uses md5 passwords; md5
is easy to get from the command line: echo 'password' | md5sum

In the patch, you were messing around with local_conf.py, which is not a
good idea. Better to just output the line, which can be pasted into the
local_conf.py

Duncan

> 
> Duncan Webb wrote:
>> Ryan Roth wrote:
>>   
>>> The reason I wanted this is to start making the web interface more secure.  
>>> I wanted to talk with people and see what they thought about changing the 
>>> web server to a secure server.  This would be nice for those of us who 
>>> forward web traffic from our public IP to our Freevo box.
>>> 
>> That's what I thought the intention was. However making the password
>> more secure does not mean that the freevo box is secure. There are
>> several things that you need to do to make the box more secure when
>> accessed externally.
>>
>> First install stunnel, this means that you can access the freevo box
>> using the https:// protocol, this means that the data, including
>> passwords is not transmitted over the net in a readable form. See:
>> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/stunnel.html
>>
>> Configure a service for freevo webserver:
>> [https]
>> accept  = 443
>> connect = 8080
>> TIMEOUTclose = 0
>>
>> You will need a group and a user for freevo webserver access. Let's say:
>> groupadd -g 80 freevo
>> useradd -c "Freevo Webserver" -d /home/freevo \
>> -g freevo -s /bin/false -u 80 freevo
>>
>> Change the freevo webserver port and user and group ids in local_conf.py
>> WEBSERVER_UID = 80
>> WEBSERVER_GID = 80
>> WEBSERVER_PORT = 8080
>>
>> Then you have to change the group and the permissions of the freevo
>> media directories. Something like:
>> find /freevo -type d -exec chgrp freevo {} \;
>> find /freevo -type d -exec chmod g+ws {} \;
>>
>> You will also need to change the ownership and permissions on other
>> files, eg webserver-80.log, so that the freevo user can write to these
>> files. There may be more that you need to change.
>>
>> Lastly you need to open port 443 on your firewall that then points to
>> the freevo box.
>>
>> Hope this helps and when you have got it working maybe adding a wiki
>> page would be good.
>>
>> Duncan
>>
>>

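The storage scheme the thread converges on, pulled together as one added example (editor's code, not Freevo's): Jason's advice to key WWW_USERS by the plain username and store a crypt-style hash with a random salt and the "$1$" (MD5-crypt) prefix, which is what the thread's "$1$$" stands for, i.e. "$1$<salt>$"; Duncan's suggestion to make the stored value a typed tuple so a password literally starting with `crypt-` cannot collide with a plaintext entry; and Ryan's passwd helper plus auth_user flow. WWW_USERS and auth_user are Freevo's real names; `md5_crypt`, `random_salt`, `make_entry`, `format_entry` and the sample users are assumptions made for this example. MD5-crypt is implemented with hashlib so the block runs without the `crypt` module (removed in Python 3.13); the output format is the one crypt(3) produces for "$1$" salts.

```python
# Added example, not Freevo's own code: random-salted MD5-crypt ("$1$")
# entries for WWW_USERS, typed as ('crypt', hash) tuples, plus the checker.
import hashlib
import hmac
import os

# crypt(3) salt/output alphabet; the order is the one crypt's encoder uses
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def random_salt(length=8):
    """Salt from os.urandom, keeping only crypt(3) salt characters
    (same rejection loop as in the thread; secrets.choice is the modern idiom)."""
    salt = ""
    while len(salt) < length:
        ch = chr(os.urandom(1)[0])
        if ch in ITOA64:
            salt += ch
    return salt


def _to64(value, count):
    """crypt's little-endian 6-bit encoding, `count` characters."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """MD5-crypt ($1$) as in FreeBSD/glibc crypt(3). `salt` may be a bare salt
    or a full '$1$salt$hash' string (the embedded salt is re-used, which is
    how verification works)."""
    pw = password.encode("utf-8")
    if salt.startswith("$1$"):
        salt = salt[3:]
    sp = salt.split("$", 1)[0][:8].encode("ascii")   # max 8 chars, stops at '$'

    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                 # as many bytes of alt as pw is long
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                             # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                # fixed 1000-round stretching
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + sp.decode("ascii") + "$" + out


def make_entry(username, password):
    """Plain username as key, typed ('crypt', hash) tuple as value,
    with a fresh random salt every time the helper is run."""
    return username, ("crypt", md5_crypt(password, random_salt()))


def format_entry(username, password):
    """One line ready to paste into the WWW_USERS dict in local_conf.py."""
    user, (kind, value) = make_entry(username, password)
    return "    %r: (%r, %r)," % (user, kind, value)


def auth_user(www_users, username, password):
    """Look up by plain username. A tuple value is (type, hash); a bare string
    is a legacy plaintext entry. Both comparisons are constant-time."""
    stored = www_users.get(username)
    if stored is None:
        return False
    if isinstance(stored, tuple):
        kind, value = stored
        if kind != "crypt" or not value.startswith("$1$"):
            return False
        return hmac.compare_digest(md5_crypt(password, value).encode(), value.encode())
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


# Constructed sample config (hypothetical users, not from the thread).
WWW_USERS = {
    "ryan": ("crypt", md5_crypt("correct horse", "Zq7pL.3x")),
    "guest": "guest",                    # legacy plaintext entry, still accepted
}

if __name__ == "__main__":
    print(format_entry("ryan", "correct horse"))
    for user, pw in (("ryan", "correct horse"), ("ryan", "wrong"), ("guest", "guest")):
        print(user, repr(pw), auth_user(WWW_USERS, user, pw))
```

To confirm the implementation agrees with the system's crypt(3), compare `md5_crypt("correct horse", "Zq7pL.3x")` with `openssl passwd -1 -salt Zq7pL.3x 'correct horse'` (or with `crypt.crypt` on a Python that still ships the module). Note that this is not the same as `echo 'password' | md5sum`: that digest is unsalted and includes the trailing newline, so identical passwords hash identically and can be looked up in precomputed tables. MD5-crypt itself is a 1990s design with a fixed 1000 rounds; for anything built today, bcrypt, scrypt or Argon2 is the right choice, and the tuple type tag is what lets you migrate later without touching the lookup code.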

Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
http://freevo.sourceforge.net/cgi-bin/doc/SecureWebserver



Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
OK I have stunnel working.  I would like to write a howto for the wiki, 
but I would like to include the encrypted passwords in the how to also.

Duncan Webb wrote:
> Ryan Roth wrote:
>   
>> The reason I wanted this is to start making the web interface more secure.  
>> I wanted to talk with people and see what they thought about changing the 
>> web server to a secure server.  This would be nice for those of us who 
>> forward web traffic from our public IP to our Freevo box.
>> 
>
> That's what I thought the intention was. However making the password
> more secure does not mean that the freevo box is secure. There are
> several things that you need to do to make the box more secure when
> accessed externally.
>
> First install stunnel, this means that you can access the freevo box
> using the https:// protocol, this means that the data, including
> passwords is not transmitted over the net in a readable form. See:
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/stunnel.html
>
> Configure a service for freevo webserver:
> [https]
> accept  = 443
> connect = 8080
> TIMEOUTclose = 0
>
> You will need a group and a user for freevo webserver access. Let's say:
> groupadd -g 80 freevo
> useradd -c "Freevo Webserver" -d /home/freevo \
> -g freevo -s /bin/false -u 80 freevo
>
> Change the freevo webserver port and user and group ids in local_conf.py
> WEBSERVER_UID = 80
> WEBSERVER_GID = 80
> WEBSERVER_PORT = 8080
>
> Then you have to change the group and the permissions of the freevo
> media directories. Something like:
> find /freevo -type d -exec chgrp freevo {} \;
> find /freevo -type d -exec chmod g+ws {} \;
>
> You will also need to change the ownership and permissions on other
> files, eg webserver-80.log, so that the freevo user can write to these
> files. There may be more that you need to change.
>
> Lastly you need to open port 443 on your firewall that then points to
> the freevo box.
>
> Hope this helps and when you have got it working maybe adding a wiki
> page would be good.
>
> Duncan
>
>


Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Ryan Roth
Can you apply the current changes to svn?  And I will start working on 
HTTPS.  None of it is yet implemented right?

Duncan Webb wrote:
> Ryan Roth wrote:
>   
>> The reason I wanted this is to start making the web interface more secure.  
>> I wanted to talk with people and see what they thought about changing the 
>> web server to a secure server.  This would be nice for those of us who 
>> forward web traffic from our public IP to our Freevo box.
>> 
>
> That's what I thought the intention was. However making the password
> more secure does not mean that the freevo box is secure. There are
> several things that you need to do to make the box more secure when
> accessed externally.
>
> First install stunnel, this means that you can access the freevo box
> using the https:// protocol, this means that the data, including
> passwords is not transmitted over the net in a readable form. See:
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/stunnel.html
>
> Configure a service for freevo webserver:
> [https]
> accept  = 443
> connect = 8080
> TIMEOUTclose = 0
>
> You will need a group and a user for freevo webserver access. Let's say:
> groupadd -g 80 freevo
> useradd -c "Freevo Webserver" -d /home/freevo \
> -g freevo -s /bin/false -u 80 freevo
>
> Change the freevo webserver port and user and group ids in local_conf.py
> WEBSERVER_UID = 80
> WEBSERVER_GID = 80
> WEBSERVER_PORT = 8080
>
> Then you have to change the group and the permissions of the freevo
> media directories. Something like:
> find /freevo -type d -exec chgrp freevo {} \;
> find /freevo -type d -exec chmod g+ws {} \;
>
> You will also need to change the ownership and permissions on other
> files, eg webserver-80.log, so that the freevo user can write to these
> files. There may be more that you need to change.
>
> Lastly you need to open port 443 on your firewall that then points to
> the freevo box.
>
> Hope this helps and when you have got it working maybe adding a wiki
> page would be good.
>
> Duncan
>
>


Re: [Freevo-users] Securing freevo webserver (was WWW Authentication in SVN version)

2006-12-29 Thread Duncan Webb
Ryan Roth wrote:
> The reason I wanted this is to start making the web interface more secure.  
> I wanted to talk with people and see what they thought about changing the 
> web server to a secure server.  This would be nice for those of us who 
> forward web traffic from our public IP to our Freevo box.

That's what I thought the intention was. However making the password
more secure does not mean that the freevo box is secure. There are
several things that you need to do to make the box more secure when
accessed externally.

First install stunnel, this means that you can access the freevo box
using the https:// protocol, this means that the data, including
passwords is not transmitted over the net in a readable form. See:
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/stunnel.html

Configure a service for freevo webserver:
[https]
accept  = 443
connect = 8080
TIMEOUTclose = 0

You will need a group and a user for freevo webserver access. Let's say:
groupadd -g 80 freevo
useradd -c "Freevo Webserver" -d /home/freevo \
-g freevo -s /bin/false -u 80 freevo

Change the freevo webserver port and user and group ids in local_conf.py
WEBSERVER_UID = 80
WEBSERVER_GID = 80
WEBSERVER_PORT = 8080

Then you have to change the group and the permissions of the freevo
media directories. Something like:
find /freevo -type d -exec chgrp freevo {} \;
find /freevo -type d -exec chmod g+ws {} \;

You will also need to change the ownership and permissions on other
files, eg webserver-80.log, so that the freevo user can write to these
files. There may be more that you need to change.

Lastly you need to open port 443 on your firewall that then points to
the freevo box.

Hope this helps and when you have got it working maybe adding a wiki
page would be good.

Duncan

