Re: using one time passwords with conserver?

Bryan Stansell bryan@conserver.com
Tue, 25 Jul 2006 15:25:53 -0700 (PDT)

On Tue, Jul 25, 2006 at 09:13:57AM -0400, Josh Lothian wrote:
> > removing the need for multiple passwords *might* be possible.  i could
> > see removing the need for authenticating against the master
> > process...just have it skip password stuff (which means removing a few
> > lines of code) and let the user authenticate once against the process
> > managing the console.  this would allow folks to gather data...so not
> > something i'd do for the general release (well, maybe as an option), but
> > you may not like that either.
> What sort of data could they gather?

well, the port numbers of the sub-processes, the list of conserver
hosts, the pid, and version.  you also wouldn't be able to restart,
reload, quit, etc since no authentication had been done (using the
client...you could always send the signals).

> This is kinda what we have going currently, but it's not ideal.  People
> other than our admin staff have access to the conserver host.  Some of
> the admins would also like to not have to log in to that host and
> instead use the conserver client from their desktop.

well, i'm out of ideas for now.  having conserver send the client some
sort of "token" that allows you in without authentication might be
necessary...but then you might as well just tell securid to grant every
number a 2 second, multi-use window.  neither is secure.  if you're
using ssl to encrypt things, at least you'd be fairly sure no one could
pick the data off the line and then use it to gain access.  but that
doesn't make me feel much better.

i'm beginning to believe there isn't really any nice way to handle this
without conserver being rewritten to be a single-process (threaded?)
system...and that too has its challenges.

anyone out there good at thinking outside the box?  ;-)