Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-04 Thread Chris Travers
On 10/4/07, Toni Mueller <[EMAIL PROTECTED]> wrote: > > > Has PostgreSQL some sort of a 'sudo' feature? That could solve the > problem along the lines of "does this username/password pair > authenticate? if yes, execute the following query under the rights of > the associated role". It depends on

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-04 Thread Toni Mueller
Hi Josh, On Thu, 04.10.2007 at 11:03:24 -0700, Josh Berkus <[EMAIL PROTECTED]> wrote: > Toni, > > You have a username/password combination set for the application that > > the application uses to request eg. authentication data from the > > database. Alternatively, you leap and implement OpenID,

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-04 Thread Chris Travers
On 10/4/07, Toni Mueller <[EMAIL PROTECTED]> wrote: > > > I strongly suggest using the following authentication scheme, after > having battled non-cooperation between several authentication methods > for a while in a different context: > > You have a username/password combination set for the applic

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-04 Thread Chris Travers
On 10/3/07, John Hasler <[EMAIL PROTECTED]> wrote: > > Chris Travers writes: > > But consider Ubuntu. Do you *really* want us writing global options to > > your Apache configuration file, possibly overwriting SSL options, etc? > > On Debian and therefore probably on Ubuntu you just drop a file in th

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-04 Thread Josh Berkus
Toni, > You have a username/password combination set for the application that > the application uses to request eg. authentication data from the > database. Alternatively, you leap and implement OpenID, which "solves" > all other problems for you. This sort of a scheme works with application user

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-04 Thread Toni Mueller
Hi, On Mon, 01.10.2007 at 17:29:36 -0700, Chris Travers <[EMAIL PROTECTED]> wrote: > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > Chris Travers wrote: > > > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > >> passwords will not be stored as plain text... they will be an e

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-04 Thread John Hasler
Chris Travers writes: > But consider Ubuntu. Do you *really* want us writing global options to > your Apache configuration file, possibly overwriting SSL options, etc? On Debian and therefore probably on Ubuntu you just drop a file in the directory /etc/apache/conf.d. > I think the case can be mad

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread The Anarcat
On Tue, Oct 02, 2007 at 09:10:40PM -0700, Chris Travers wrote: > Client-side MD5 of passwords is almost always seriously wrong. In fact I > cannot think of a case where this would be acceptable. Such a system would > be vulnerable to replay attacks at the very least. See Seneca's post above > as

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread The Anarcat
On Tue, Oct 02, 2007 at 12:53:37PM -0700, Chris Travers wrote: [...] > I think we should separate the issues of storage and transmission. The > password is always stored at some point in browser memory in plain text (for > example, when it is entered). It is always submitted to the server in pla

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Joshua D. Drake
Chris Travers wrote: > On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > Apache/PostgreSQL authentication can still be done via any auth method. SSL > would be nice for this leg but it is not where the issue is (which is > between the browser

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Chris Travers
On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > > > We are making this far more complicated than it needs to be. Let's just > make it so ssl is part of the ledgersmb requirements and include the > docs to handle that. We can even include a simple wizard that will > create the postgresql

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Chris Nighswonger
On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > Chris Travers wrote: > > On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > >> On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote: > >>> As I understand it (and I am pretty likely to

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Joshua D. Drake
Chris Travers wrote: > On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: >> On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote: >>> As I understand it (and I am pretty likely to get this wrong so feel >>> free to >>> point that out) the only reas

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread Joshua D. Drake
David Tangye wrote: > On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: >> Anyone who thinks a "user" should be able to install LSMB or PostgreSQL >> is frankly, in a fantasy world. >> > > OK I guess all the users that use ubuntu, the biggest dis

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread David Tangye
On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > > On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > > > > On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > > > > Perhaps more effort needs to be made with the LSMB installer. I still am > > > > not running it because it does not

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-03 Thread John Locke
Chris Travers wrote: > > > On 10/2/07, *John Locke* <[EMAIL PROTECTED] > > wrote: > > > First off, how can you do http auth using Javascript? > > > One option is to grab the username and password from the form, make > use of XMLHttpRequestObject to make a request with

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > > On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote: > > > > As I understand it (and I am pretty likely to get this wrong so feel > > free to > > point that out) the only reason we have to send the user/pass on every > > http > > request is

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > > On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > > Perhaps more effort needs to be made with the LSMB installer. I still am > > > not running it because it does not install on a standard ubuntu desktop > > > box. > > > > > > > Agreed,

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread David Tangye
On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > Perhaps more effort needs to be made with the LSMB installer. I still am not > > running it because it does not install on a standard ubuntu desktop box. > > Agreed, at least as far as Windows goes. But consider Ubuntu. Do you > *really* want

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread David Tangye
On 10/3/07, Ashley J Gittins <[EMAIL PROTECTED]> wrote: > > As I understand it (and I am pretty likely to get this wrong so feel free > to > point that out) the only reason we have to send the user/pass on every > http > request is because of the change to using postgresql to authenticate every > r

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > > On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > > I think we should separate the issues of storage and transmission. The > > password is always stored at some point in browser memory in plain text (for > > example, when it is enter

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, David Tangye <[EMAIL PROTECTED]> wrote: > > > > On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > > > Anyone who thinks a "user" should be able to install LSMB or PostgreSQL > > is frankly, in a fantasy world. > > > > OK I guess all the users that use ubuntu, the biggest distro

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread David Tangye
On 10/3/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > I think we should separate the issues of storage and transmission. The > password is always stored at some point in browser memory in plain text (for > example, when it is entered). It is always submitted to the server in plain > text in th

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread David Tangye
On 10/3/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > Anyone who thinks a "user" should be able to install LSMB or PostgreSQL > is frankly, in a fantasy world. > OK I guess all the users that use ubuntu, the biggest distro in linux, must all be in a fantasy world. They just click to install t

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > Ashley J Gittins wrote: > > As I understand it (and I am pretty likely to get this wrong so feel > free to > > point that out) the only reason we have to send the user/pass on every > http

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Joshua D. Drake
Ashley J Gittins wrote: > As I understand it (and I am pretty likely to get this wrong so feel free to > point that out) the only reason we have to send the user/pass on every http > request is because of the change to using postgresql to authenticat

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Ashley J Gittins
As I understand it (and I am pretty likely to get this wrong so feel free to point that out) the only reason we have to send the user/pass on every http request is because of the change to using postgresql to authenticate every request (i.e., server-side, LSMB logs into psql as the actual user), t

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, The Anarcat <[EMAIL PROTECTED]> wrote: > > Just to make things clearer, you have a few ways of doing auth: > > 1. Client-side based solution (HTTP Auth, cookies, GET...) > 2. Server-side based solution (sessions) > > In those approaches, from what I understand, the username/password is

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, John Locke <[EMAIL PROTECTED]> wrote: > > > > Chris Travers wrote: > > In going to native DB accounts, one of the difficulties we have to > > resolve is how to effectively authenticate serial requests. The major > > problem has to do with how the password to the database is stored. I

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread The Anarcat
Just to make things clearer, you have a few ways of doing auth: 1. Client-side based solution (HTTP Auth, cookies, GET...) 2. Server-side based solution (sessions) In those approaches, from what I understand, the username/password is stored "somewhere" and communicated back to the postgresql se

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread John Locke
Chris Travers wrote: > In going to native DB accounts, one of the difficulties we have to > resolve is how to effectively authenticate serial requests. The major > problem has to do with how the password to the database is stored. I > am going to suggest that we move to using HTTP authenticatio

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Joshua D. Drake
Chris Travers wrote: > On 10/2/07, Chris Nighswonger <[EMAIL PROTECTED]> wrote: >> > > Having said this, I think we should be trying to be as secure as possible by > default. I don't like the idea of blaming users for security issues, With respect

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Joshua D. Drake
Chris Nighswonger wrote: > On 10/2/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: >> Chris Nighswonger wrote: >>> On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote: >>> Maybe hash it in the Java

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Travers
On 10/2/07, Chris Nighswonger <[EMAIL PROTECTED]> wrote: > > > I had this thought as well, but was not sure whether this was > considered part of deployment of LedgerSMB rather than coding and > therefore the responsibility of the installer/admin. In any case ssl > adds more security to the dataflo

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Nighswonger
On 10/2/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > Chris Nighswonger wrote: > > On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > Maybe hash it in the Java script (or whatever method you choose), > > store the hash in a cookie, tran

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Nighswonger
On 10/2/07, Seneca Cunningham <[EMAIL PROTECTED]> wrote: > On Tue, Oct 02, 2007 at 07:50:43AM -0400, Chris Nighswonger wrote: > > On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > To log in on the next page you need to provide PostgreSQL with a username > > > and password. How do we deriv

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Joshua D. Drake
Chris Nighswonger wrote: > On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote: > Maybe hash it in the Java script (or whatever method you choose), > store the hash in a cookie, transmit the hash, have the code unhash > and pass the password to the DB

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Joshua D. Drake
Chris Travers wrote: > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: >> Chris Travers wrote: >>> On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: - passwords will not

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Seneca Cunningham
On Tue, Oct 02, 2007 at 07:50:43AM -0400, Chris Nighswonger wrote: > On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > To log in on the next page you need to provide PostgreSQL with a username > > and password. How do we derive what password we send to PostgreSQL and > > where do we store t

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Nighswonger
On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote: > > > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > Chris Travers wrote: > > > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > >> - > > >> > > >> passwords will not

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-02 Thread Chris Nighswonger
On 10/1/07, Chris Travers <[EMAIL PROTECTED]> wrote: > In going to native DB accounts, one of the difficulties we have to resolve > is how to effectively authenticate serial requests. The major problem has > to do with how the password to the database is stored. I am going to > suggest that we mo

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-01 Thread Chris Travers
I.e. what password do we use to create our primary database connection for the application? Best Wishes, Chris Travers

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-01 Thread Chris Travers
On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > Chris Travers wrote: > > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > >> - > >> > >> passwords will not be stored as plain text... they will be an encrypted > >> hash. I am not

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-01 Thread Joshua D. Drake
Chris Travers wrote: > On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: >> - >> >> passwords will not be stored as plain text... they will be an encrypted >> hash. I am not understanding the problem. > > > Log in to LedgerSMB with your DB usern

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-01 Thread Chris Travers
On 10/1/07, Joshua D. Drake <[EMAIL PROTECTED]> wrote: > > - > > passwords will not be stored as plain text... they will be an encrypted > hash. I am not understanding the problem. Log in to LedgerSMB with your DB username and password. Click on a link. How does the application know what passwo

Re: [Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-01 Thread Joshua D. Drake
Chris Travers wrote: > In going to native DB accounts, one of the difficulties we have to resolve > is how to effectively authenticate serial requests. The major problem has > to do with how the password to the database is stored. I am going to > sug

[Ledger-smb-devel] Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)

2007-10-01 Thread Chris Travers
In going to native DB accounts, one of the difficulties we have to resolve is how to effectively authenticate serial requests. The major problem has to do with how the password to the database is stored. I am going to suggest that we move to using HTTP authentication as the primary mechanism of a