Re: [guadec-list] Mango passwords and instructions?

On Fri, Jun 27, 2008 at 09:20:05AM -0400, Behdad Esfahbod wrote:
> On Thu, 2008-06-26 at 19:42 +0200, Olav Vitters wrote:
> > 
> > Only annoying part is the script for the user. It should be simple
> > enough so that people trust the working. But at the same time, some
> > GUI is likely needed (?).. but that would make it complicated.
> > Note that fetching private keys from the ssh agent is trivial.
> How about something like showing people a page saying:
> "Please run the following command and follow instructions given there:
>   echo "blah blah blah some rand word" | ssh
> The then gives them a password they can use to login
> withing the next 10 minutes.

Actually not sure how to implement something like that. Users should not
be able to retrieve any private Mango information. So they should not
just be able to run a script under their userid and get access to
private Mango info. At the same time, I don't know how to handle suid
stuff combined with Python... is that trustable? Can I 100% rely on
finding out the original userid? Plus I'd need to store it in the
database in a way that if the database is compromised, that they cannot
abuse it to get Mango privs... probably hashing some secret token I

I've tried the paramiko method, and it seems to work (not in Mango..
just hacked up test locally). I'll do something like that for now... it
is pretty easy to replace the login method in Mango.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]