[SAC] Re: [OSGeo] #103: Move main OSGeo Wiki to OSGeo infrastructure

On Thu, Nov 01, 2007 at 09:38:37PM -0000, OSGeo wrote:

> http://openid.osgeo.org/

I certainly don't want to sound harsh. Yet I'd like to pronounce my
concern which regards running a 'critical' authentication service on a
machine that probably only very few SAC members have admin access to,
that runs on a single disk with no backup and that offers a login page
to transfer unencrypted passwords.

I acknowledge that OpenID is a nice game, maybe even a useful service.
Yet I'd propose to proceed a bit more carefully when it comes to
authentication services.
Is there any OSGeo Trac ticket, has there been any discussion on
offering an OSGeo OpenID service ? I'm unable to find such a thing in
OSGeo Trac.

Cheerio,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

On Fri, Nov 02, 2007 at 01:01:00AM +0100, Martin Spott wrote:

> On Thu, Nov 01, 2007 at 09:38:37PM -0000, OSGeo wrote:
>
> > http://openid.osgeo.org/
>
> I certainly don't want to sound harsh. Yet I'd like to pronounce my
> concern which regards running a 'critical' authentication service on a
> machine that probably only very few SAC members have admin access to,
> that runs on a single disk with no backup and that offers a login page
> to transfer unencrypted passwords.
>
> I acknowledge that OpenID is a nice game, maybe even a useful service.
> Yet I'd propose to proceed a bit more carefully when it comes to
> authentication services.
> Is there any OSGeo Trac ticket, has there been any discussion on
> offering an OSGeo OpenID service ? I'm unable to find such a thing in
> OSGeo Trac.

http://lists.osgeo.org/pipermail/sac/2007-July/000719.html

Regards,
--
Christopher Schmidt
MetaCarta

On Fri, Nov 02, 2007 at 01:01:00AM +0100, Martin Spott wrote:

> On Thu, Nov 01, 2007 at 09:38:37PM -0000, OSGeo wrote:
>
> > http://openid.osgeo.org/
>
> I certainly don't want to sound harsh. Yet I'd like to pronounce my
> concern which regards running a 'critical' authentication service on a
> machine that probably only very few SAC members have admin access to,
> that runs on a single disk with no backup and that offers a login page
> to transfer unencrypted passwords.

The service should be trivial to set up on any machine that has PHP +
LDAP Auth, plus MySQL installed. The code is tarballed and backed up, as
described on http://wiki.osgeo.org/index.php/OpenID/SAC .

As Frank said:

"I'm fine with leaving this on geodata.telascience.org if it is working
well there. I think Howard or I can setup openid.osgeo.org to point
there." -- http://lists.osgeo.org/pipermail/sac/2007-July/000727.html

At the time, I pointed out:

"""

I don't think that the wildcard SSL cert is set up on geodata? I
think
that this would be a requirement if it is going to be hosted there.

Note that no/few other OSGeo login services use SSL -- trac, the main
homepage, etc.
"""
-- http://lists.osgeo.org/pipermail/sac/2007-July/000729.html

(I don't think that any further discussion occurred in a recorded way at
that time -- I brought it up with Howard on IRC possibly, but can't find
any reference.)

> I acknowledge that OpenID is a nice game, maybe even a useful service.
> Yet I'd propose to proceed a bit more carefully when it comes to
> authentication services.

Okay. Note that nothing has really changed in this regard:
openid.osgeo.org has been up and running since the end of July. It's not
a new service, I just actually got reminded I had set it up.

> Is there any OSGeo Trac ticket, has there been any discussion on
> offering an OSGeo OpenID service ? I'm unable to find such a thing in
> OSGeo Trac.

I did it on the mailing list instead of on trac.

Regards,
--
Christopher Schmidt
MetaCarta

Hi Christopher,

On Thu, Nov 01, 2007 at 08:22:49PM -0400, Christopher Schmidt wrote:

> On Fri, Nov 02, 2007 at 01:01:00AM +0100, Martin Spott wrote:
>
> > I certainly don't want to sound harsh. Yet I'd like to pronounce my
> > concern which regards running a 'critical' authentication service on a
> > machine that probably only very few SAC members have admin access to,
> > that runs on a single disk with no backup and that offers a login page
> > to transfer unencrypted passwords.
>
> The service should be trivial to set up on any machine that has PHP +
> LDAP Auth, plus MySQL installed. The code is tarballed and backed up, as
> described on http://wiki.osgeo.org/index.php/OpenID/SAC .

Several questions come into my mind - mostly resulting from the
impression that this/your OpenID server resembles sort of a black box
at least to me .... I have to admit that I did _not_ take the time (I
simply can't afford the time) to read all the PHP sources from the
backup. Maybe you could help me to get some things clear:

1.) Where is this MySQL dump ?
2.) Why do we need a database for running the OpenID service !? Without
    having major insight into this server it tastes a bit like
    duplicating authorization data.
3.) Do you run SSL encryption on the LDAP connection when you're
    verifying users against our user directory ?
4.) Would you consider allowing HTTP SSL encryption for your OpenID
    login page ?

> Note that no/few other OSGeo login services use SSL -- trac, the main
> homepage, etc.

I know, this is still the case, but such deficiency doesn't really make
things better and personally I'm not very much inclined to count this
as a "very good excuse" (TM :wink:

> Okay. Note that nothing has really changed in this regard:
> openid.osgeo.org has been up and running since the end of July. It's not
> a new service, I just actually got reminded I had set it up.

Ah, ok. Yet I'd say things should get straightened out before we start
considering the use of this OpenID service for 'critical' operations.
Personally I'd still prefer doing direct LDAP authentication at least
for OSGeo's _own_ services - and be it simply because I don't have any
experience where to start debugging when OpenID authentication fails.

Cheerio,
  Martin.
P.S.: I'll be almost totally off-line over this weekend, as we won't
      have internet connection at the Lelysta show.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

On Fri, Nov 02, 2007 at 03:52:47PM +0100, Martin Spott wrote:

> Hi Christopher,
>
> On Thu, Nov 01, 2007 at 08:22:49PM -0400, Christopher Schmidt wrote:
> > On Fri, Nov 02, 2007 at 01:01:00AM +0100, Martin Spott wrote:
>
> > > I certainly don't want to sound harsh. Yet I'd like to pronounce my
> > > concern which regards running a 'critical' authentication service on a
> > > machine that probably only very few SAC members have admin access to,
> > > that runs on a single disk with no backup and that offers a login page
> > > to transfer unencrypted passwords.
> >
> > The service should be trivial to set up on any machine that has PHP +
> > LDAP Auth, plus MySQL installed. The code is tarballed and backed up, as
> > described on http://wiki.osgeo.org/index.php/OpenID/SAC .

> Several questions come into my mind - mostly resulting from the
> impression that this/your OpenID server resembles sort of a black box
> at least to me .... I have to admit that I did _not_ take the time (I
> simply can't afford the time) to read all the PHP sources from the
> backup. Maybe you could help me to get some things clear:
>
> 1.) Where is this MySQL dump ?

Inside the tarball, called 'mysqldump'

> 2.) Why do we need a database for running the OpenID service !? Without
>     having major insight into this server it tastes a bit like
>     duplicating authorization data.

The authorization data is not stored. Instead:

* Temporary data for 'nonces' is stored, as the user moves through the
   auth process.
* Data about which sites to 'trust' is stored, so that when I login
   to a site which I have said "Trust always" to, I don't have to agree
   to trust them again.

> 3.) Do you run SSL encryption on the LDAP connection when you're
>     verifying users against our user directory ?

Yes.

> 4.) Would you consider allowing HTTP SSL encryption for your OpenID
>     login page ?

Sure! I have no problem with it, but we don't have an SSL cert for that
server, and I have absolutely *no* knowledge about (successfully)
configuring SSL certification for a website.

> > Note that no/few other OSGeo login services use SSL -- trac, the main
> > homepage, etc.
>
> I know, this is still the case, but such deficiency doesn't really make
> things better and personally I'm not very much inclined to count this
> as a "very good excuse" (TM :wink:

I don't either, but I don't consider it a blocker in releasing the
OpenID service either.

> > Okay. Note that nothing has really changed in this regard:
> > openid.osgeo.org has been up and running since the end of July. It's not
> > a new service, I just actually got reminded I had set it up.
>
> Ah, ok. Yet I'd say things should get straightened out before we start
> considering the use of this OpenID service for 'critical' operations.
> Personally I'd still prefer doing direct LDAP authentication at least
> for OSGeo's _own_ services - and be it simply because I don't have any
> experience where to start debugging when OpenID authentication fails.

Sure. I understand and agree: My OpenID suggestion was under the
impression that LDAP auth was hard for technical reasons. Since it's
not, OpenID is only designed for interaction with *remote* sites --
like, for example, the MapBuilder Wiki, or MapServer Plone site, which
don't have access or technical capabilities to allow LDAP logins based
on the OSGeo LDAP directory.

Regards,
--
Christopher Schmidt
MetaCarta
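Christopher's answer to question 2 says the database holds only transient nonces and per-user "Trust always" decisions, not credentials. The Python sketch below is an added illustration of those two pieces of state and is not code from the thread or from the OSGeo service; the table layout, the five-minute nonce TTL and the OpenID 2.0 wildcard-realm rule used for trust matching are assumptions. It shows why a nonce table is needed (a nonce is accepted exactly once and only while fresh) and how a stored trust root such as http://*.osgeo.org/ is matched against a return_to URL.

```python
import secrets
import sqlite3
from urllib.parse import urlsplit

NONCE_TTL_SECONDS = 300  # assumption: one OpenID round trip finishes within five minutes


def realm_matches(trust_root, return_to):
    """OpenID 2.0 style realm check: does return_to fall under trust_root?
    A leading '*.' in the realm host matches that host and any subdomain;
    scheme, port and path prefix must agree, and a realm may not carry a fragment."""
    r, u = urlsplit(trust_root), urlsplit(return_to)
    if r.scheme != u.scheme or r.port != u.port or r.fragment:
        return False
    r_host, u_host = r.hostname or "", u.hostname or ""
    if r_host.startswith("*."):
        base = r_host[2:]
        if not (u_host == base or u_host.endswith("." + base)):
            return False
    elif r_host != u_host:
        return False
    return u.path.startswith(r.path or "/")


class ProviderStore:
    """The two tables the message describes: short-lived nonces and per-user
    'trust always' decisions. Constructed sketch using in-memory SQLite."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE nonces (nonce TEXT PRIMARY KEY, issued REAL)")
        self.db.execute("CREATE TABLE trust (username TEXT, trust_root TEXT, "
                        "PRIMARY KEY (username, trust_root))")

    def issue_nonce(self, now):
        nonce = secrets.token_urlsafe(16)  # unguessable, single-use token
        self.db.execute("INSERT INTO nonces VALUES (?, ?)", (nonce, now))
        return nonce

    def consume_nonce(self, nonce, now):
        """True exactly once per nonce and only inside the TTL: a replayed or
        stale nonce is rejected, and expired rows are purged on every call."""
        self.db.execute("DELETE FROM nonces WHERE issued <= ?", (now - NONCE_TTL_SECONDS,))
        cur = self.db.execute("DELETE FROM nonces WHERE nonce = ?", (nonce,))
        return cur.rowcount == 1

    def remember_trust(self, username, trust_root):
        self.db.execute("INSERT OR IGNORE INTO trust VALUES (?, ?)", (username, trust_root))

    def is_trusted(self, username, return_to):
        rows = self.db.execute("SELECT trust_root FROM trust WHERE username = ?", (username,))
        return any(realm_matches(root, return_to) for (root,) in rows)
```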