[gomd-devel] Post-beta Authentication roundup
From: rbaardman
Subject: [gomd-devel] Post-beta Authentication roundup
Date: Tue, 30 Sep 2003 21:22:52 +0200
User-agent: Internet Messaging Program (IMP) 3.1
Hi,
I did some thinking (again) on the authentication stuff... and got to a
conclusion (always nice :) Any remarks/questions/emotions are of course
welcome.
The situation:
- Gomd listens on 2 ports: 1 port for SSL connections and 1 port for
plaintext connections.
- When a client connects on the SSL port, gomd sends a random string (after
receiving the username) encrypted by a form of the user's password to the
client. The client will decrypt this string with the user-specified
password and send the (unencrypted) string back. When authentication is
successful, the newly created gomd thread will run under the UID of the
just-logged-on user.
- When a client connects to the plaintext port, gomd will not ask for any
user/pass, but will instantly create the new thread. This thread will run
as user nobody.
Some things to notice:
- Gomd grabs user/pass info internally using PAM. This will add huge
flexibility imho.
- Hijacked connections will have the rights of user 'nobody' (since SSL
hijacking is not done).
- The user's password will _not_ be stored/sent in plaintext.
- Authentication will use some kind of private/public keypair encryption.
How this works exactly we'll have to find out.
- Command execution can be limited due to rights.
NOTICE: We'll have to think about gomd2gomd and users. But that's a later
concern and not a great matter since a cluster is already considered
insecure imho.
cheers,
Roel "roeles" Baardman
P.s. Please read this very carefully to avoid misunderstandings. I'll be on the
gomd channel to answer all questions. Also, you can mail me at this address.
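The SSL-port exchange described in the message, written out as an added example; it is not part of the original post and not gomd's own code. It assumes a password-derived key (PBKDF2-HMAC-SHA256 with a per-user salt that the server hands to the client together with the challenge) and a stand-in XOR/HMAC stream cipher in place of the unspecified "form of the user's password" encryption; the user name and password are constructed. The flow follows the post: the server receives the username, sends an encrypted random string, the client decrypts it with the typed password and returns the plaintext, and the server compares in constant time and discards the challenge so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from the post): PBKDF2-HMAC-SHA256 as the "form of the user's
# password", with a per-user salt the server sends to the client with the challenge.
SALT_LEN = 16
KDF_ITERATIONS = 100_000
CHALLENGE_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-derived 256-bit key; server and client compute this independently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with an HMAC-SHA256 keystream in counter mode.
    Encryption and decryption are the same operation; any real cipher could replace it."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class GomdServer:
    """Server side of the SSL-port login: stores salt + derived key per user, never the password."""

    def __init__(self, users: dict):
        # users is a constructed {username: password} table used only to seed the derived keys
        self.users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(SALT_LEN)
            self.users[name] = (salt, derive_key(password, salt))
        self.pending = {}  # username -> outstanding plaintext challenge

    def start_auth(self, username: str):
        """Step 1: after receiving the username, send back (salt, nonce, encrypted challenge)."""
        if username not in self.users:
            return None  # unknown user: no challenge is issued
        salt, key = self.users[username]
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        nonce = secrets.token_bytes(12)
        self.pending[username] = challenge
        return salt, nonce, keystream_xor(key, nonce, challenge)

    def finish_auth(self, username: str, response: bytes) -> bool:
        """Step 3: constant-time compare of the returned plaintext with the outstanding challenge.
        The challenge is consumed whether or not it matches, so a captured response cannot be replayed."""
        expected = self.pending.pop(username, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, response)


def client_respond(password: str, salt: bytes, nonce: bytes, encrypted_challenge: bytes) -> bytes:
    """Step 2: the client derives the key from the typed password and decrypts the challenge."""
    return keystream_xor(derive_key(password, salt), nonce, encrypted_challenge)


def authenticate(server: GomdServer, username: str, password: str) -> bool:
    """Runs the full exchange; True means the new thread may run under the user's UID."""
    issued = server.start_auth(username)
    if issued is None:
        return False
    salt, nonce, encrypted_challenge = issued
    return server.finish_auth(username, client_respond(password, salt, nonce, encrypted_challenge))


if __name__ == "__main__":
    srv = GomdServer({"roeles": "correct horse battery"})  # constructed credentials
    print("right password:", authenticate(srv, "roeles", "correct horse battery"))
    print("wrong password:", authenticate(srv, "roeles", "guess"))
</ ```

Two things to keep in mind with this shape of protocol: the server has to hold a per-user secret it can encrypt with (here the derived key), which is not something a PAM conversation hands back, since pam_authenticate only answers whether a credential is valid; and the encrypted challenge plus the plaintext the client returns form a verifier for offline password guessing by anyone who sees both, so the SSL channel is carrying real weight rather than being a nicety.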