Discussion:
b-k amputation :)
Luis Correia
2008-06-25 16:57:50 UTC
Hi all,

I'm back from vacations (my apologies for all that aren't there yet).

One of my first tasks with the creation of our evolution+brutus setup,
is the need to remove (amputate) the request for a keyring password.
As I said before, the user cannot be bothered with it.

Which comes to this: b-k can ask for the domain password, but either
will have a builtin password or no password at all to access its
keyring.

This may sound like a security issue, but here, it's the least of our problems.

So, my humble request is asking if it is feasible to bypass this,
maybe with some ifdef pairs. If it seems too silly to implement, we'll
manage it ourselves with patches.

Thanks for reading.

Luis Correia
Jules Colding
2008-06-25 18:41:39 UTC
Hi Luis,

Welcome back ;-)
Post by Luis Correia
[snip]
OK, I've been occupied by other things since you went on vacation, so
let me start all over.

What you want is to make e-b connect to Exchange without the user
having to enter a password, right?

A password is obviously needed for the connection to succeed, so e-b
must get the password from:

1) A pass-phrase-less keyring

or

2) some other place

in order to get your wish fulfilled.

You must either hack b-k to store passwords and other secrets with
much less security or provide an additional password source for e-b. I
would recommend the latter option due to the obvious security
implications of a pass-phrase-less keyring. The place to hook into is
brutus_get_password():

http://trac.42tools.net/evolution-brutus/browser/trunk/server/brutus_util.c#L554

Every single e-b component (email, calendar, tasks etc) goes to this
function for the Windows password. Let me know your thoughts.

Best regards,
jules


PS: I'll take a look at your other mail tomorrow.
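An added example (not code from evolution-brutus or from Jules) of the "additional password source" recommended above as the alternative to a pass-phrase-less keyring: a hypothetical alt_get_password() that reads the domain password from a file only the user can read and refuses anything looser, so the prompt goes away without the secret becoming readable to everyone on the box. The function name, its signature and the file path are assumptions; the real hook point is brutus_get_password() in brutus_util.c.

```c
/* Added example, not evolution-brutus code: an "other place" password
 * source that avoids both the keyring prompt and a passphrase-less
 * keyring. The secret file must be a regular file owned by the calling
 * user and unreadable by group/other, or the lookup is refused. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 and fills buf with the first line of the file on success,
 * -1 if the file is missing, not a plain file, or too widely readable. */
int alt_get_password(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);                 /* refuse a secret anyone else can read */
        return -1;
    }
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n <= 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* keep only the first line */
    return buf[0] ? 0 : -1;
}

/* Demo helper: write a constructed secret file with an explicit mode
 * (chmod after create so the umask cannot change the outcome). */
int write_secret_file(const char *path, mode_t mode, const char *secret)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0) return -1;
    ssize_t n = write(fd, secret, strlen(secret));
    close(fd);
    return (chmod(path, mode) == 0 && n == (ssize_t)strlen(secret)) ? 0 : -1;
}

/* Demo helper: 1 if the lookup succeeds and yields expected, else 0. */
int secret_matches(const char *path, const char *expected)
{
    char buf[256];
    return alt_get_password(path, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
```

With a 0600 file the lookup succeeds; the same file at 0644, a symlink, or a missing file is refused, which is the check a passphrase-less keyring would not give you.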
Luis Correia
2008-06-26 08:24:44 UTC
Hi Jules,
Post by Jules Colding
[snip]
OK, I've been occupied by other things since you went on vacation, so
let me start all over.
What you want is to make e-b connect to Exchange without the user
having to enter a password, right?
A password is obviously needed for the connection to succeed, so e-b
1) A pass-phrase-less keyring
This is my preferred option.
(yes, it is the less secure option, but we have far more serious
issues in here like people writing their passwords on post-it notes or
below the keyboard)

Seriously, it is a compromise I'm comfortable with. My manager has the
same opinion.

This would not be there for ever and ever, it's just a compromise
solution until we can come up with something better.
Post by Jules Colding
or
2) some other place
If we could make use of the SingleSignOn solution provided by
Likewise, all would be a lot easier.
Post by Jules Colding
in order to get your wish fulfilled.
You must either hack b-k to store passwords and other secrets with
much less security or provide an additional password source for e-b. I
would recommend the latter option due to the obvious security
implications of a pass-phrase-less keyring. The place to hook into is
http://trac.42tools.net/evolution-brutus/browser/trunk/server/brutus_util.c#L554
Every single e-b component (email, calendar, tasks etc) goes to this
function for the Windows password. Let me know your thoughts.
Best regards,
jules
PS: I'll take a look at your other mail tomorrow.
_______________________________________________
brutus mailing list
http://www.42tools.com/mailman/listinfo/brutus
Luis Correia
Jules Colding
2008-06-26 09:25:39 UTC
Hi Luis,
Post by Luis Correia
Post by Jules Colding
[snip]
1) A pass-phrase-less keyring
This is my preferred option.
(yes, it is the less secure option, but we have far more serious
issues in here like people writing their passwords on post-it notes or
below the keyboard)
Doh...
Post by Luis Correia
Seriously, it is a compromise I'm comfortable with. My manager has the
same opinion.
OK.
Post by Luis Correia
This would not be there for ever and ever, it's just a compromise
solution until we can come up with something better.
It is fairly easy to hack b-k to not use a passphrase. The problem is
more that b-k clients know that they must provide a passphrase so they
dutifully pop up a dialog asking for it. The way to go about it is
therefore to persuade e-b to get the password from somewhere else.
Post by Luis Correia
Post by Jules Colding
or
2) some other place
If we could make use of the SingleSignOn solution provided by
Likewise, all would be a lot easier.
This seems like the way to go. I've no time to work on this in my
spare time but you are welcome to ask your boss to fund the work.

I'm doing everything I can to help on the list for free, but helping
other companies with Brutus related stuff is what our company
(42tools) does as we need to generate some revenue :-)

Alternatively, if you send me a patch I'm more than happy to review it
for inclusion in e-b.

Best regards,
jules
Luis Correia
2008-06-26 09:32:07 UTC
Hi Jules,
Post by Jules Colding
Hi Luis,
[snip]
It is fairly easy to hack b-k to not use a passphrase. The problem is
more that b-k clients know that they must provide a passphrase so they
dutifully pop up a dialog asking for it. The way to go about it is
therefore to persuade e-b to get the password from somewhere else.
Ok, I see and agree with your point.

I'll see what I can do in order to make e-b use some other type of
auth (SSO is the best one).
Post by Jules Colding
[snip]
This seems like the way to go. I've no time to work on this in my
spare time but you are welcome to ask your boss to fund the work.
I'm doing everything I can to help on the list for free, but helping
other companies with Brutus related stuff is what our company
(42tools) does as we need to generate some revenue :-)
I can also consider that option, but not right now. :)
Post by Jules Colding
Alternatively, if you send me a patch I'm more than happy to review it
for inclusion in e-b.
Ok, I'll do that if I need to.
Post by Jules Colding
Best regards,
jules
and thanks for providing a TRUE alternative to Outlook+Exchange :)

Luis Correia
Jules Colding
2008-06-26 09:36:45 UTC
Post by Luis Correia
[snip]
and thanks for providing a TRUE alternative to Outlook+Exchange :)
Thanks ;-)
jules
Luis Correia
2008-06-27 14:40:51 UTC
Hi!
Post by Jules Colding
[snip]
got a reply from Likewise, although it is a bit cryptic :)

--
Luis,
My impression is that likewise-open is a plumbing application. In
other words, we setup the system files necessary for higher
level applications to perform krb5 auth. There is not a currently
stress tested API in the current release but have a look at
the wbclient.h file and libwbclient (Same as what we are shipping
in Samba 3.2)
This assumes that you want to utilize the domain auth portion and
not hook into the domain join process. If the latter, it's a
different discussion.
cheers, jerry
--
the SSO piece is primarily kerberos. Write your application for
kerberos and you should be golden.
-BC
--

Jules, does this make any sense to you?

Luis
Jules Colding
2008-06-27 14:56:32 UTC
Hi,

On 27/06/2008, at 16.40, Luis Correia wrote:

<snip>
Post by Luis Correia
Jules, does this make any sense to you?
Not really ;-)

It seems that they think we should just go with kerberos and that
likewise isn't really appropriate to use. I'm not familiar with
kerberos and I do not foresee any spare time in the near future to
look into it. I think it is at least a week's work, but I may be very
wrong about that. I can hopefully get enough time when we're into
early 2009, but I'm too busy until then.

Best regards,
jules
