2006-02-14T00:05:58  <xorAxAx> [PERIODIC ANNOUNCEMENT] Logs can be found on http://moinmoin.wikiwikiweb.de/MoinMoinChat/Logs/moin-dev
2006-02-14T00:07:52  <ThomasWaldmann> nwp: you did the virtualpages stuff, right?
2006-02-14T00:26:42  <nwp> ThomasWaldmann: I don't think I know what you're talking about, so I doubt it
2006-02-14T00:27:07  <ThomasWaldmann> or was it ldap stuff?
2006-02-14T00:27:11  <nwp> ldap
2006-02-14T00:27:19  <ThomasWaldmann> ah :)
2006-02-14T00:27:37  <ThomasWaldmann> i maybe used some of your code :)
2006-02-14T00:28:01  <nwp> I have a version that works happily with 1.5.2 at the moment, but I want to check the way we deal with cookies before it gets used too widely
2006-02-14T00:28:58  <nwp> i.e. I need to check what the standard cookie thing does with the password (I seem to recall it storing an MD5 hash of it somewhere)
2006-02-14T00:29:58  <nwp> which I would prefer it not to
2006-02-14T00:30:24  <nwp> so I might have to write an "alternative" cookie mechanism for sessions that can't deal with initial logins
2006-02-14T00:30:27  <ThomasWaldmann> i did it so that it just checks user/pw against ldap
2006-02-14T00:30:36  <ThomasWaldmann> if it fails, end of game
2006-02-14T00:30:49  <nwp> yeah, that's what I do
2006-02-14T00:30:51  <ThomasWaldmann> if it succeeds, it just continues in the chain of auth methods
2006-02-14T00:31:15  <ThomasWaldmann> so the moin_cookie auth plugin gets the same user/pw and acts as usual
2006-02-14T00:31:32  <nwp> but moin_cookie stores a pw hash somewhere
2006-02-14T00:31:39  <nwp> which may be bad
2006-02-14T00:31:51  <ThomasWaldmann> (and ldap makes a user profile with stuff from ldap)
2006-02-14T00:32:08  <nwp> cool, I was planning on getting round to that at some point
2006-02-14T00:32:09  <nwp> :-)
2006-02-14T00:32:35  <ThomasWaldmann> the nice thing is that it is quite separated like that
2006-02-14T00:32:41  <nwp> problem with moin_cookie is that every place you store a PW hash is somewhere that someone can go when they want to crack it
2006-02-14T00:33:20  <nwp> which is fine if moin_cookie is the only thing that uses it, but not fine for university-wide passwords
2006-02-14T00:33:26  <ThomasWaldmann> the cookie stuff itself isnt ultimately secure....
2006-02-14T00:34:02  <ThomasWaldmann> right
2006-02-14T00:34:11  <nwp> no. I don't mind if it isn't too great for securing access to the wiki, but I'm up shit street if someone gets access to people's university passwords via my wiki
2006-02-14T00:34:38  <nwp> so before I get too many more wiki users I need to fix that
2006-02-14T00:34:45  <ThomasWaldmann> maybe you could have a kill pw auth plugin :)
2006-02-14T00:35:21  <nwp> just a session_cookie auth method should do the trick
2006-02-14T00:36:18  <nwp> have a secret on the server which you use to create an HMAC or something
2006-02-14T00:37:09  <nwp> but I need to have all the other joys that I have to deal with at the moment out of the way first, so I can think about it "properly"
2006-02-14T00:37:33  <ThomasWaldmann> there has also been some security work on the cookie stuff by frankie
2006-02-14T00:38:33  <ThomasWaldmann> he is basically right, but i have a hard time reading his stuff
2006-02-14T00:38:39  <nwp> well, in order to be able to do PW auth using only cookies, it *must* be inherently unsuitable for my use
2006-02-14T00:39:18  <nwp> because it has to store something it can use to check the pw
2006-02-14T00:39:30  <nwp> which someone else can then use to try to crack the pw
2006-02-14T00:39:43  <ThomasWaldmann> yes
2006-02-14T00:40:04  <nwp> so I definitely will need to get something else done, it's just a question of when
2006-02-14T00:40:27  <ThomasWaldmann> btw, i changed the cookie_lifetime code a bit, so it times out x hours after last access (not login)
2006-02-14T00:40:58  <nwp> oh, cool. That's something that bugs me about lots of session cookie implementations "out there"
2006-02-14T00:41:17  <nwp> means more write accesses to db, so potentially not so scalable, but...
2006-02-14T00:41:49  <ThomasWaldmann> for my ldap impl it means you log in via ldap, work ..... and after finishing work, even if you forget to logout, 1h later you are logged out
2006-02-14T00:42:00  <nwp> yeah, that's what I want :-)
2006-02-14T00:42:10  <nwp> except for the bit where it stores the pw hash :-/
2006-02-14T00:42:39  <ThomasWaldmann> maybe you need that "mixed ldap/cookie" approach
2006-02-14T00:42:58  <nwp> you putting your ldap stuff in next release?
2006-02-14T00:43:19  <ThomasWaldmann> i think i will move it to auth.py the next days
2006-02-14T00:43:33  <nwp> ok, I will look forward to it :-)
2006-02-14T00:43:45  <ThomasWaldmann> the problem is just that i cant test it after finishing this project
2006-02-14T00:43:51  <nwp> and then see what I can do to improve it...
2006-02-14T00:49:55  <ThomasWaldmann> what's a bit unclear to me is how to handle binddn and bindpw
2006-02-14T00:50:33  <ThomasWaldmann> currently i have that just taken from the config
2006-02-14T00:52:07  <ThomasWaldmann> but having some user/pw in the config isn't nice
2006-02-14T00:54:55  <ThomasWaldmann> nwp: btw, i fetch sn and givenName from ldap and put it into aliasname
2006-02-14T00:55:19  <ThomasWaldmann> so it at least shows the realname when you move the mouse over the loginname
2006-02-14T02:15:30  <nwp> ThomasWaldmann: sensible LDAP servers allow anonymous binds... if yours doesn't, well then you *have* to have a user/pw configured somewhere. That might as well be in the config
2006-02-14T02:16:52  <starshine> hm. possible to capture the ldap id rather than the "pw" stuff (it's a cookie after all, not auth per se) and have ldap know whether this ip/id combo is currently logged in
2006-02-14T02:17:02  <starshine> in other words a recognizer, more than a password?
2006-02-14T02:18:16  <nwp> starshine: not following you
2006-02-14T02:19:26  <nwp> (not sure which bit of the ldap you mean)
2006-02-14T02:19:47  <starshine> ok. it so happens I'm looking at a slide for a presentation of mine, it compares the "mit magic cookie" style remote X to ssh/tunnel style remote X
2006-02-14T02:20:23  <starshine> if you don't have it hold something password-like, you make up something else, and the window of opportunity to steal access to moin is only as long as the window you grant by ldap
2006-02-14T02:20:44  <starshine> is the intent of an after-ldap-login cookie to no longer pester ldap?
2006-02-14T02:20:50  <nwp> starshine: yes, that's what I was talking about earlier -- a secret on the server and an HMAC made from that
2006-02-14T02:21:05  <nwp> starshine: that, and to not have to ask them for pw every page they access ;-)
2006-02-14T02:21:27  <starshine> right, well, "which machine is he" given your campus-network style, should be something that can help prevent snoopers.
2006-02-14T02:21:42  <nwp> it won't be too hard, I just need some time to do it :-/
2006-02-14T02:22:04  <starshine> since TW wants it to not timeout "after last access" - *some* of the time there will be an update
2006-02-14T02:22:05  <nwp> busy working out what services I need to migrate off a particular machine before I can safely turn it off atm.
2006-02-14T02:22:29  <starshine> yeah I know that feeling
2006-02-14T02:22:36  <nwp> every time I migrate one I notice another
2006-02-14T02:23:07  <starshine> you need a dependencies chart
2006-02-14T02:24:38  <starshine> anyway, it needs a recognizer that is temporary in nature rather than a pw that is more permanent, and this is probably a good idea for cookies in a non LDAP world too.
2006-02-14T02:25:18  <nwp> cookies in a non-LDAP world use a pw of some kind, which they must store somewhere.
2006-02-14T02:25:39  <nwp> so I can't see how the same module can ever be used for both
2006-02-14T02:26:25  <nwp> I don't think it will be difficult. There's plenty of code out there to crib from. The fact that my most likely source is in perl will prevent cargo culting it
2006-02-14T02:26:38  <starshine> nwp: they use *something* - but as you note, the pw as actually stored in the file is a secret thing, it shouldn't be floating about on every http transit.
2006-02-14T02:26:42  <starshine> lol
2006-02-14T02:27:16  <nwp> no, it won't be floating around http. But even having it stored on the moin server (as an MD5 hash) is bad.
2006-02-14T02:27:31  <nwp> if it wasn't, shadow wouldn't exist
2006-02-14T02:27:32  <starshine> so if once every (period of time) the server (in your case ldap, in a localmoin case the moinserver) comes up with a corrected secret.
2006-02-14T02:27:43  <nwp> yes
2006-02-14T02:28:10  <nwp> kind of, at least
2006-02-14T02:28:10  <starshine> ssh already works like that, the means by which it keeps track is renegotiated now and then, unknown to the user.
2006-02-14T02:28:27  <nwp> the ldap is only ever accessed once, at login.
2006-02-14T02:29:18  <nwp> then moin will generate a cookie which will contain something like login time + HMAC. That will be checked on each access, and updated whenever the server feels like updating the secret.
2006-02-14T02:29:25  <starshine> hm, you don't want any check back in and make sure they're still permitted?
2006-02-14T02:29:48  <nwp> Can time out cookie as desired + force relogin using LDAP
2006-02-14T02:30:06  <nwp> but that will sour user experience somewhat, so probably only overnight or so for me
2006-02-14T02:30:14  <nwp> but that can easily be configurable
2006-02-14T02:30:37  <nwp> the hard bit will be updating the secret "properly"
2006-02-14T02:30:40  <starshine> you want this to expire and relight quietly like dhcp leases? or expire and relight noisily?
2006-02-14T02:31:02  <nwp> I think the cookie expiring and the secret expiring should probably be separate
2006-02-14T02:31:17  <nwp> so the secret can expire and be updated several times before the user gets booted
2006-02-14T02:31:36  <nwp> and if desired the user can never be booted, but the secret is still updated regularly
2006-02-14T02:31:45  <starshine> right.  so moin has an access cookie (with recognizer) and that also notes an ldap match
2006-02-14T02:32:35  <starshine> maybe once every (leasetime) moin checks the ldap for its new code even if not visited sooner to ask after a login
2006-02-14T02:32:36  <nwp> well, the user will only ever be given a cookie if they have successfully authenticated in some way. Exactly how can depend on which auth modules they have enabled on the server.
2006-02-14T02:32:56  <starshine> lemme turn the model upside down then
2006-02-14T02:33:16  <starshine> moin doesn't gen a cookie, moin trusts ldap to *give* it a cookie, which it then notes and uses.
2006-02-14T02:33:27  <starshine> like um, ip connection tracking during NAT.
2006-02-14T02:33:43  <nwp> can't do that; we have no control over the LDAP. And the cookies wouldn't be portable between initial auth methods
2006-02-14T02:33:58  <nwp> all we can do with LDAP is auth
2006-02-14T02:34:05  <starshine> drat.
2006-02-14T02:34:15  <nwp> I'm not sure we can even get user realname from the same LDAP server we auth against
2006-02-14T02:34:27  <starshine> that's a bit ugly :/
2006-02-14T02:34:34  <nwp> simple, though
2006-02-14T02:34:50  <nwp> or modular, at least
2006-02-14T02:35:04  <starshine> is it required to keep their moin-options in ldap or do you want that kept at the moin side?
2006-02-14T02:35:10  <nwp> moin-side
2006-02-14T02:35:37  <nwp> can't keep anything at all in LDAP, can only check auth + possibly if we're lucky retrieve realname
2006-02-14T02:35:52  <starshine> ok that makes it no different than what I did with aktiv, then
2006-02-14T02:36:39  <starshine> I hacked the "pw" logic so aktiv-based users got a flag instead of a hash for their pw, one that said "this is not a real login, you have to ask aktiv"
2006-02-14T02:37:05  <starshine> I did not know at the time I was making that, if they'd want to have both kinds of user, and I needed to keep the option open.
2006-02-14T02:37:18  <nwp> it works at the moment (and ThomasWaldmann's new bits to retrieve realname will improve it), but it'll be better when we're not storing pw hashes on the moin server
2006-02-14T02:37:32  <starshine> well that's exactly what
2006-02-14T02:38:14  <starshine> I didn't want the pw typed to even touch disk if I could avoid it; I went straight to "is this guy ok"
2006-02-14T02:39:16  <starshine> so a pool kept separately of "recognized" info
2006-02-14T02:40:00  <starshine> some fake-pw-hash only good for this cookie, a timeout-on-the-lease, maybe which-ldap-auth'd in case of scale later
2006-02-14T02:40:37  <starshine> that way the recognizer info can be toasted in timely fashion and the boring options e.g. I like ruleta theme, kept intact
2006-02-14T02:45:50  <starshine> such a "recognizer" could be just as good for people whose hashes *are* stored moin-side; their real pw-hash doesn't get put in the cookie, only used that first time to ok creating the recognizer.
2006-02-14T02:46:06  <nwp> actually yes. it would make sense to separate moin-cookie's pref-remembering from its pw-checking
2006-02-14T02:46:19  <nwp> or it might, at least
2006-02-14T02:46:38  <starshine> we'll see what the guys think of the logs of this :)
2006-02-14T02:47:10  <nwp> I'll probably just write something when I have finished with everything else - it's easier to show what you mean in code than in irc ;-)
2006-02-14T02:47:23  <starshine> heh
2006-02-14T02:47:44  <starshine> is a sample of the code you're talking about already in moin?
2006-02-14T02:48:03  <starshine> I can attempt to code up the aktiv edition; they're on 1.3x until I do, anyway.
2006-02-14T02:48:21  <nwp> not really. the ldap bit for first-time login was on the wiki somewhere, and ThomasWaldmann has now done something similar but extended to go in.
2006-02-14T02:48:48  <starshine> yeah he's got someone specific wanting it :)
2006-02-14T02:48:54  <nwp> So I was going to wait for that and then see what he's done that breaks in our environment, what he's done that is A+ super-useful, and so on
2006-02-14T02:49:07  <nwp> I expect I'll need to make some of it more generic
2006-02-14T02:49:27  <nwp> but I really don't know what he's done about sessions
2006-02-14T02:49:33  <starshine> ok, I'll wait til he & I are both in and see what he has then
2006-02-14T02:50:03  <starshine> it'd be a nice feather in my cap to see that so clean
2006-02-14T02:50:15  <starshine> the last was such a rush job.
2006-02-14T02:50:21  <nwp> I hate that
2006-02-14T02:50:33  <nwp> when you can see what you should be doing better but have no time for
2006-02-14T02:50:37  <starshine> it paid off in a lot of senses.
2006-02-14T02:50:58  <starshine> we met the deadline and moin's acl saved the day :D
2006-02-14T02:51:40  <nwp> problem is $client never wants to pay for tidyup afterwards. Even if it is going to save them $$$ next time they want changes done
2006-02-14T02:51:50  <nwp> or reduce their lock-in to you
2006-02-14T02:52:54  <starshine> it's python, I tried to make it more readable than *that* :D
2006-02-14T02:53:18  <nwp> :-P
2006-02-14T02:53:44  <nwp> I need to know how to do a "thorn" character. It would make a much better part of that smiley
2006-02-14T02:56:05  <starshine> nwp: you use screen?
2006-02-14T02:56:15  <nwp> xchat at the moment
2006-02-14T02:56:19  <starshine> :ø
2006-02-14T02:56:45  <starshine> oh, I dunno if xchat has compose chars or not.
2006-02-14T02:56:46  <nwp> and I've only just set up this workstation and I'm not sure what I have set as compose_key
2006-02-14T02:57:14  <nwp> :-?
2006-02-14T02:57:17  <nwp> wee!
2006-02-14T02:57:20  <starshine> for some reason ^v is really common
2006-02-14T02:57:44  <nwp> I set it to numlock because macs seem to treat left and right command and alt keys the same
2006-02-14T02:57:57  <nwp> and this keyboard only labels that key as "clear"
2006-02-14T02:58:16  <nwp> :-?
2006-02-14T02:58:19  <starshine> you on a ppc unix ?
2006-02-14T02:58:20  <nwp> cool :-)
2006-02-14T02:58:24  <nwp> OS X
2006-02-14T02:58:30  <starshine> :)
2006-02-14T02:58:31  <nwp> so yeah
2006-02-14T02:58:47  <starshine> did my thorn come out to you? yours came out ? to me
2006-02-14T02:58:59  <nwp> which was yours?
2006-02-14T02:59:22  <nwp> I think I got a scandinavian crossed-out o
2006-02-14T02:59:40  <nwp> ?
2006-02-14T02:59:43  <nwp> one of those
2006-02-14T03:00:23  <nwp> I'm sure xorAxAx will do his nut when he sees us this far OT ;-)
2006-02-14T07:04:39  <xorAxAx> nwp: i will even go nuts :)
2006-02-14T07:04:54  <xorAxAx> ThomasWaldmann: i solved the anon bind by binding with the credentials i got
2006-02-14T07:05:13  <xorAxAx> ThomasWaldmann: doesnt really work in every env but is quite nice to solve this problem :)
2006-02-14T07:06:05  <xorAxAx> ThomasWaldmann: how is that one hour thing implemented?
2006-02-14T07:06:14  <xorAxAx> will we have a session system?
2006-02-14T07:33:00  <starshine> xorAxAx: hm, good point, if we split sessions from the abilities of a user, what do we do for "remember me forever" ?
2006-02-14T07:33:29  <starshine> .o( not a hard question, just making sure it goes in the checklist
2006-02-14T08:07:22  <ThomasWaldmann> xorAxAx: i recently modified the cookie to get re-set on every request, with now+cookie_lifetime expiry
2006-02-14T08:07:53  <ThomasWaldmann> and the minimum value for it is 1
2006-02-14T08:07:58  <ThomasWaldmann> hour
2006-02-14T09:08:03  <xorAxAx> ThomasWaldmann: ah
2006-02-14T09:08:14  <xorAxAx> ThomasWaldmann: and you cannot turn that off? thats a bug :)
2006-02-14T09:08:22  <xorAxAx> (and its not a session system :))
2006-02-14T10:06:54  <xorAxAx> ThomasWaldmann: why is the load so high?
2006-02-14T10:07:12  <xorAxAx> ThomasWaldmann: are you sure that the no. of crawlers increased? or might it be the new code handling it?
2006-02-14T10:08:10  <xorAxAx> ThomasWaldmann: twisted doesnt answer
2006-02-14T10:08:25  <xorAxAx> as i expected, this doesnt work with twisted ....
2006-02-14T15:44:46  <xorAxAx>  total = 18.810s
2006-02-14T17:33:00  <xorAxAx> +  * [wiki: _fcksavedurl=:http://moinmoin.wikiwikiweb.de/wiki/applets/FCKeditor/editor/
2006-02-14T17:33:03  <xorAxAx> LinuxWiki.de] - Linux and Free Software
2006-02-14T17:33:06  <xorAxAx> +  * [wiki: _fcksavedurl=:http://moinmoin.wikiwikiweb.de/wiki/applets/FCKeditor/editor/
2006-02-14T17:33:09  <xorAxAx> pythonwiki.de] - Python
2006-02-14T17:33:11  <xorAxAx> +  * [wiki: _fcksavedurl=:http://moinmoin.wikiwikiweb.de/wiki/applets/FCKeditor/editor/
2006-02-14T17:33:14  <xorAxAx> JuraWiki.de] - about law, jurisdiction, rights and related stuff
2006-02-14T21:41:09  <nwp> xorAxAx: thought you were nuts already... ;-)
2006-02-14T21:41:46  <xorAxAx> nwp: hmm, right. in this case, it doesnt make a difference
2006-02-14T21:48:56  <dreimark> xorAxAx
2006-02-14T21:49:06  <xorAxAx> dreimark:
2006-02-14T21:49:22  <dreimark> looks like moinmoin is very slow or?
2006-02-14T21:49:29  <dreimark> I can't save till minutes
2006-02-14T21:49:39  <xorAxAx> yeah, its b0rked
2006-02-14T21:49:42  <xorAxAx> for ~ 24 h
2006-02-14T21:49:55  <xorAxAx> i am not an admin on that machine :)
2006-02-14T21:50:44  <dreimark> I know. Did you get a timetable?
2006-02-14T21:53:25  <xorAxAx> timetable?
2006-02-14T21:56:42  <xorAxAx> dreimark: ?
2006-02-14T21:58:09  <dreimark> Probably some information on when it goes back to full speed, or is it of course a DOS attack
2006-02-14T21:58:44  <xorAxAx> dreimark: i have no idea, thomas didnt even react when i told him yesterday that twisted behaves weirdly
2006-02-14T21:59:15  <xorAxAx> and that it is getting slower and slower
2006-02-14T22:04:08  <xorAxAx> i can just see that the system is mainly doing IO
2006-02-14T22:04:15  <xorAxAx> so maybe the RAID is down etc.
2006-02-14T22:10:58  <dreimark> I'll keep my fingers crossed and do hope that is not again a filesystem crash
2006-02-14T22:11:32  <xorAxAx> i dont think so
2006-02-14T22:11:50  <xorAxAx> twisted is stalled because of recent code changes
2006-02-14T22:12:02  <xorAxAx> and twisted cannot raise the load to 3
2006-02-14T22:12:35  <xorAxAx> (python can only run one thread at one time ) but i am not root, i can only guess
2006-02-14T22:32:05  <dreimark> don't like to miss this
2006-02-14T22:33:02  <dreimark> if os.path.join is used probably it should be checked if if .encode(config.charset) is needed too
2006-02-14T22:33:52  <xorAxAx> just for attachments
2006-02-14T22:34:12  <xorAxAx> they are encoded in utf-8, i.e. you will see ugly chars using ls
2006-02-14T22:34:28  <dreimark> wikiaction.py
2006-02-14T22:34:40  <xorAxAx> line?
2006-02-14T22:35:19  <dreimark> 326
2006-02-14T22:37:40  <dreimark> filepath = os.path.join(page_dir, filename)
2006-02-14T22:37:41  <ThomasWaldmann> moin
2006-02-14T22:38:11  <xorAxAx> can you submit a tested patch, dreimark?
2006-02-14T22:38:25  <xorAxAx> there is a function to get the filename of an attachment file IIRC
2006-02-14T22:38:32  <xorAxAx> ThomasWaldmann: can you fix twisted please?
2006-02-14T22:42:42  <dreimark> tomorrow, it is the same problem that RuxLi got with ImageLink
2006-02-14T22:43:36  <xorAxAx> ok

MoinMoin: MoinMoinChat/Logs/moin-dev/2006-02-14 (last edited 2007-10-29 19:13:49 by localhost)