Re: [Gnumed-devel] Hosting an encrypted pythonic simplehttp GNUmed serv

From: Luke Kenneth Casson Leighton
Subject: Re: [Gnumed-devel] Hosting an encrypted pythonic simplehttp GNUmed server
Date: Sun, 1 Aug 2010 20:41:37 +0100

On Sun, Aug 1, 2010 at 6:56 PM, Jim Busser <address@hidden> wrote:
> On 2010-08-01, at 12:58 AM, Sebastian Hilbert wrote:
>> Now I understand where your one-time password quest comes from.
> Yes, certainly if practicality demands that you use non-owned machines to log 
> in remotely with web browser. I like to hope that the hospital machines are 
> only minimally infected but you cannot know that, for sure, either when it 
> turns out any OS has vulnerabilities with exploits found in the wild.
> Luke already quickly looked into Yubikey
>        e.g.
> and figured likely it has to go in at the postgresql level, because it's 
> postgresql that's doing the authentication, that means probably doing this as 
> PAM, because postgresql can "hand off" to underlying unix.
>  "many yubico server implementations _use_ postgresql as the back-end for 
> storage of the OTP keys."
> greaaaat.

 this was intended to be sarcastic, because as you can surmise, having
to potentially configure a postgres server which can take
non-yubico-based authentication from one source (in order to get at
the yubico keys for the purposes of the yubico server implementation
to actually like... work), and having to _also_ configure it so that
the exact same postgres server will accept yubico-authenticated users,
i just... the last time i had to deal with something like this was
with the NT Domains implementation for samba TNG, and it's nooot

 but - it _was_ a very quick look, so i could be entirely wrong: it
may actually be the case that a yubico server isn't actually needed
when you use the yubico PAM plugin: i didn't look that closely enough
to find out.  it may be the case that you actually want *separate*
machines for the gnumed server and the yubico server (if in fact a
yubico server is needed at all) and two would neatly solve the problem
of having a truly dreadful postgresql configuration

etc. etc.

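For readers following the PostgreSQL-to-PAM hand-off discussed above, here is an added configuration example (not from the GNUmed project or from any message in this thread) showing the three pieces involved: the pg_hba.conf rule that delegates authentication to PAM, the PAM service file that loads pam_yubico, and the username-to-public-ID mapping file. The database name, PAM service name, mapping-file path, client id, API key, validation-server URL and the YubiKey public ID are all placeholders assumed for illustration; the pam_yubico option names (id, key, url, authfile) and the pg_hba.conf "pam" method with its pamservice option are the real ones. Note that PostgreSQL's pam method makes the client send the password (here, the OTP) to the server in clear text, so the rule uses hostssl rather than host.

```conf
# --- /etc/postgresql/.../pg_hba.conf (hypothetical excerpt) ---
# Hand remote logins to the database "gnumed" off to PAM, using the PAM
# service name "postgresql". PostgreSQL's pam method receives the password
# in clear text, so require TLS (hostssl) instead of plain host.
# TYPE     DATABASE   USER   ADDRESS        METHOD
hostssl    gnumed     all    0.0.0.0/0      pam pamservice=postgresql

# --- /etc/pam.d/postgresql (hypothetical) ---
# pam_yubico validates the 44-character OTP the client typed as its password.
#   id/key   : client id and API key issued by the validation service (placeholders)
#   url      : the validation server to ask; pointing it at a separate host keeps
#              the OTP-key store off the GNUmed database server (assumed hostname)
#   authfile : maps PostgreSQL role names to the YubiKey public IDs allowed for them
auth     required  pam_yubico.so id=12345 key=AAAAAAAAAAAAAAAAAAAAAAAAAAAA= url=https://yubiauth.example.org/wsapi/2.0/verify?id=%d&otp=%s authfile=/etc/yubikey_mappings
account  required  pam_permit.so

# --- /etc/yubikey_mappings (hypothetical) ---
# Format: <postgres role>:<public id>[:<public id>...]
# The public id is the first 12 modhex characters of every OTP that key emits.
gnumed_user:ccccccbcgujh
```

The PostgreSQL role named in the mapping file must still exist in the database (PAM only answers "yes" or "no" to the password check; it does not create roles), and the server process must be able to read the PAM service file and the mapping file.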
