Re: [guadec-list] Mango passwords and instructions?



On Thu, Jun 26, 2008 at 10:39:20AM -0400, Behdad Esfahbod wrote:
> On Thu, 2008-06-26 at 09:09 +0200, Olav Vitters wrote:
> > 
> > With the rewrite of Mango into Python, I can rely on the SSH keys for
> > authentication. This will however require people wanting to log in to
> > Mango to run a custom script (to extract the RSA bits out of the
> > private key to enable the authentication).
> 
> Interesting.  How does it work?

The easiest way is to use the Paramiko stuff.. although I am not sure
what I'll do.

E.g. http://www.lag.net/paramiko/docs/paramiko.PKey-class.html

see can_sign (needs private key), sign_ssh_data (private key),
verify_ssh_sig.

I'd imagine something like:
* Website shows base64 encoded random bytes
* User uses script to sign the random bytes (script decodes the base64
  stuff, signs it, then base64 encodes the result)
* User enters username and the base64'd signature
* Mango verifies that:
  random bytes match what was given
  user has a public key which passes the 'verify_ssh_sig' check

Only annoying part is the script for the user. It should be simple
enough so that people trust the working. But at the same time, some GUI
is likely needed (?).. but that would make it complicated.
Note that fetching private keys from the ssh agent is trivial.

-- 
Regards,
Olav
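
The flow sketched in the message above, as an added example that is not part of the original post or of Mango's code: the server remembers each challenge it issued, accepts it once, and expires it. All names here (ChallengeLogin, sign, verify, session_id, ttl, now) are hypothetical, and a toy textbook RSA key stands in for the user's SSH key and for Paramiko's sign_ssh_data / verify_ssh_sig so that it runs on the standard library alone.

```python
import base64, hashlib, secrets, time

# Toy textbook RSA on two Mersenne primes: a constructed stand-in for the
# user's SSH key. Not secure; the message above would use Paramiko's
# sign_ssh_data / verify_ssh_sig at these two points instead.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(challenge_b64: str) -> str:
    """User-side script: decode the challenge, sign it, base64 the result."""
    sig = pow(_digest(base64.b64decode(challenge_b64)), D, N)
    return base64.b64encode(sig.to_bytes(27, "big")).decode()

def verify(pub, data: bytes, sig: bytes) -> bool:
    n, e = pub
    return pow(int.from_bytes(sig, "big"), e, n) == _digest(data)

class ChallengeLogin:
    """Server side: issue a challenge, accept one valid signature for it."""
    def __init__(self, pubkeys, ttl=120):
        self.pubkeys, self.ttl, self.pending = pubkeys, ttl, {}

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_bytes(32)
        self.pending[session_id] = (nonce, time.monotonic() + self.ttl)
        return base64.b64encode(nonce).decode()

    def login(self, session_id, username, sig_b64, now=None) -> bool:
        # pop(): the challenge is single-use, so a captured signature cannot
        # be replayed, whether or not this attempt succeeds. The server
        # checks against the bytes it stored, not bytes echoed by the client.
        nonce, expires = self.pending.pop(session_id, (None, 0))
        now = time.monotonic() if now is None else now  # 'now' is a test hook
        if nonce is None or now > expires:
            return False
        try:
            sig = base64.b64decode(sig_b64, validate=True)
        except ValueError:
            return False
        return any(verify(k, nonce, sig) for k in self.pubkeys.get(username, []))
```
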

