Re: [Freevo-users] WWW Authentication in SVN version
Ryan Roth wrote:
> Has the way you set the WWW users changed in the SVN version? I seem to
> be having trouble getting a username and password to work.

WWW_USERS = { 'freevo' : 'freevo' }

still works.

Duncan

___
Freevo-users mailing list
Freevo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freevo-users
Re: [Freevo-users] WWW Authentication in SVN version
Can we change to this?
http://sourceforge.net/tracker/index.php?func=detail&aid=1623854&group_id=46652&atid=446898

Duncan Webb wrote:
> Ryan Roth wrote:
>> Has the way you set the WWW users changed in the SVN version? I seem to
>> be having trouble getting a username and password to work.
>
> WWW_USERS = { 'freevo' : 'freevo' }
>
> still works.
>
> Duncan
Re: [Freevo-users] WWW Authentication in SVN version
Ryan Roth wrote:
> Can we change to this?
> http://sourceforge.net/tracker/index.php?func=detail&aid=1623854&group_id=46652&atid=446898

I must admit I'm a bit dubious about security on a freevo box, I guess it all comes down to how people use freevo. If you're unhappy with the current method you can always use stunnel and certificates, this would prevent plain text password going over the network.

A better solution for the password is to keep the same method as we have but replace the 'freevo' password with:

{ 'freevo' : ('md5', 'c30e34fbaa8de764a6376eb1b10a7307') },
{ 'freevo' : ('crypt', ('bba2MX1hDX8JQ', 'bb')) } or
{ 'freevo' : 'freevo' }

(New in python 2.5 is hashlib, better hashes)

This would minimise the changes and still keep it easy for people who don't need secure passwords.

I don't see much difference between using local_conf.py and a separate file for passwords. You don't have to have local_conf.py as world readable.

If you want to do a patch for this, then I would be more than happy to apply it.

Duncan

> Duncan Webb wrote:
>> Ryan Roth wrote:
>>> Has the way you set the WWW users changed in the SVN version? I seem to
>>> be having trouble getting a username and password to work.
>>
>> WWW_USERS = { 'freevo' : 'freevo' }
>>
>> still works.
>>
>> Duncan
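Added example, not part of the original thread or of Freevo's code: a verifier for the tagged WWW_USERS entries Duncan proposes above, showing that a stored digest cannot be replayed as a password and that unknown schemes fail closed. The 'pbkdf2' tag, the function names and the sample credentials are assumptions made for illustration; the 'crypt' scheme is left out because the crypt module has been removed from current Python.

```python
# Added example: verifier for the tagged WWW_USERS entries proposed in the thread.
# The 'pbkdf2' tag and all sample credentials are constructed for illustration.
import hashlib
import hmac
import os


def make_pbkdf2_entry(password, iterations=200_000):
    """Build a ('pbkdf2', (hex_salt, iterations, hex_digest)) entry (assumed tag)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return ('pbkdf2', (salt.hex(), iterations, digest.hex()))


def auth_user(users, username, password):
    """Return True only if password matches the stored entry for username."""
    entry = users.get(username)
    if entry is None:
        return False
    supplied = password.encode()
    if isinstance(entry, str):
        # Legacy plain-text entry: { 'freevo' : 'freevo' }
        return hmac.compare_digest(entry.encode(), supplied)
    scheme, stored = entry
    if scheme == 'md5':
        # Unsalted digest as written in the thread; kept for compatibility only.
        computed = hashlib.md5(supplied).hexdigest()
        return hmac.compare_digest(computed, stored)
    if scheme == 'pbkdf2':
        salt_hex, iterations, digest_hex = stored
        computed = hashlib.pbkdf2_hmac('sha256', supplied,
                                       bytes.fromhex(salt_hex), iterations)
        return hmac.compare_digest(computed.hex(), digest_hex)
    return False  # unknown scheme: fail closed


# Constructed sample configuration mixing all three entry styles.
WWW_USERS = {
    'plainuser': 'freevo',
    'md5user': ('md5', hashlib.md5(b'freevo').hexdigest()),
    'kdfuser': make_pbkdf2_entry('freevo'),
}

if __name__ == '__main__':
    for name in WWW_USERS:
        print(name, auth_user(WWW_USERS, name, 'freevo'))
```

Because hashed entries are tuples rather than strings, the plain-text comparison never runs against a stored digest.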
Re: [Freevo-users] WWW Authentication in SVN version
If people are interested in it I will make a patch for it.

Duncan Webb wrote:
> Ryan Roth wrote:
>> Can we change to this?
>> http://sourceforge.net/tracker/index.php?func=detail&aid=1623854&group_id=46652&atid=446898
>
> I must admit I'm a bit dubious about security on a freevo box, I guess it all comes down to how people use freevo. If you're unhappy with the current method you can always use stunnel and certificates, this would prevent plain text password going over the network.
>
> A better solution for the password is to keep the same method as we have but replace the 'freevo' password with:
>
> { 'freevo' : ('md5', 'c30e34fbaa8de764a6376eb1b10a7307') },
> { 'freevo' : ('crypt', ('bba2MX1hDX8JQ', 'bb')) } or
> { 'freevo' : 'freevo' }
>
> (New in python 2.5 is hashlib, better hashes)
>
> This would minimise the changes and still keep it easy for people who don't need secure passwords.
>
> I don't see much difference between using local_conf.py and a separate file for passwords. You don't have to have local_conf.py as world readable.
>
> If you want to do a patch for this, then I would be more than happy to apply it.
>
> Duncan
>
>> Duncan Webb wrote:
>>> Ryan Roth wrote:
>>>> Has the way you set the WWW users changed in the SVN version? I seem to
>>>> be having trouble getting a username and password to work.
>>>
>>> WWW_USERS = { 'freevo' : 'freevo' }
>>>
>>> still works.
>>>
>>> Duncan
Re: [Freevo-users] WWW Authentication in SVN version
All right here is a new version. All encrypted user names and password start with 'crypt-' in the local_conf.py It works with encrypted, unencrypted, or even a mix of the two. The helper 'passwd' will parse the local_conf and add encrypted users to the existing list. Index: src/www/web_types.py === --- src/www/web_types.py(revision 8853) +++ src/www/web_types.py(working copy) @@ -27,8 +27,8 @@ # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # --- +import crypt - import os, sys, time import config @@ -78,8 +78,10 @@ def auth_user(self, username, password): print 'auth_user(self, username=\%s\, password=\%s\)' % (username, password) realpass = config.WWW_USERS.get(username) -if password == realpass: +if realpass == password: return TRUE +elif 'crypt-' + crypt.crypt(password, username) == config.WWW_USERS.get('crypt-' + crypt.crypt(username, password)): +return TRUE else: return FALSE Index: src/helpers/passwd.py === --- src/helpers/passwd.py (revision 0) +++ src/helpers/passwd.py (revision 0) 
@@ -0,0 +1,56 @@ +import crypt +import config +import string +import os + +if not hasattr(config, 'WWW_USERS'): +print 'WWW_USERS is missing from local_conf.py\nYou must at least have WWW_USERS = {}' +else: +username_in = raw_input('Enter username:') +password_in = raw_input('Enter password:') +password = crypt.crypt(password_in, username_in) +username = crypt.crypt(username_in, password_in) +curuser = str(config.WWW_USERS) +curuser = string.rstrip(string.lstrip(curuser,'{ ) ,'} ) +if curuser.find(',') 0: +curuser = string.split(curuser,',') +for eachuser in curuser: +eachuser = string.split(eachuser,':') +curuser = string.rstrip(string.lstrip(eachuser[0],' ) ,' ) +else: +curuser = string.rstrip(string.lstrip(curuser,' ) ,' ) +if curuser == username_in: +print 'User already exisits in plain text form' +else: +curuser = str(config.WWW_USERS) +if curuser == '{0: 0}': +curuser = { 'crypt- + username + ' : 'crypt- + password + ' } +else: +curuser = string.rstrip(curuser, '}') +curuser = curuser + ', ' + 'crypt- + username + ' : 'crypt- + password + ' } +print curuser +infile = open('/etc/freevo/local_conf.py','r') +outfile = open('/etc/freevo/local_conf.py.new','w') +www_user_written = 0 +for line in infile: + if line.find('WWW_USERS') -1: + outfile.write('WWW_USERS = ' + curuser + '\n') + www_user_written = 1 + else: + outfile.write(line) +if www_user_written == 0: +outfile.write('WWW_USERS = ' + curuser + '\n') +infile.close +outfile.close +try: +os.rename('/etc/freevo/local_conf.py', '/etc/freevo/local_conf.py.backup') +os.rename('/etc/freevo/local_conf.py.new', '/etc/freevo/local_conf.py') +except: +try: +os.remove('/etc/freevo/local_conf.py.backup_1') +except: +print 'Remove redundant local_conf.py backups' +os.rename('/etc/freevo/local_conf.py.backup', '/etc/freevo/local_conf.py.backup_1') +os.rename('/etc/freevo/local_conf.py', '/etc/freevo/local_conf.py.backup') +os.rename('/etc/freevo/local_conf.py.new', '/etc/freevo/local_conf.py') + - Take Surveys. 
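Review bot: In the auth_user hunk of src/www/web_types.py, the first branch "if realpass == password" still compares against whatever is stored, so a 'crypt-...' key and its 'crypt-...' value from local_conf.py are themselves accepted as a username and password, and hashing gives no protection against anyone who can read the file; skip the plain-text comparison for keys that start with 'crypt-'. In the elif branch, traditional crypt() output begins with its two-character salt, so crypt.crypt(username, password) writes the first two characters of the password into the stored key, and salting the password hash with the username makes the salt predictable; a random salt stored beside the hash, as in the ('crypt', (hash, salt)) form suggested earlier in the thread, avoids both. The context line that prints password=%s also sends the clear-text password to the log.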
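Review bot: In the new src/helpers/passwd.py, the rewritten config is created with open('/etc/freevo/local_conf.py.new','w') and renamed into place, so it takes the default umask permissions instead of those of the original local_conf.py, which can leave a file that holds credentials world-readable; copy the original file's mode (or create the new file owner-only) before the rename. In the same block, infile.close and outfile.close are missing their parentheses, so the new file is not guaranteed to be flushed when os.rename runs, and raw_input('Enter password:') echoes the password to the terminal where getpass.getpass() would not.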
Re: [Freevo-users] WWW Authentication in SVN version
The reason I wanted this is to start making the web interface more secure. I wanted to talk with people and see what they thought about changing the web server to a secure server. This would be nice for those of us who forward web traffic from our public IP to our Freevo box.