sso issues (https://git.autistici.org/ai/sso/-/issues, feed updated 2017-07-21T13:51:05Z)

## #13: Census of the hosted websites
https://git.autistici.org/ai/sso/-/issues/13 (putro; updated 2017-07-21T13:51:05Z)

### Author: void, Date: 2015-09-29.14:15:53
A census of all hosted websites (subsites and virtualhosts) is needed, to identify empty or inactive sites, or abandoned CMSs that need updating (or conversion to static pages).

```
ldapsearch -x -LLL '(&(objectClass=subSite))' alias parentsite
ldapsearch -x -LLL '(&(objectClass=virtualHost))' cn
```

From this list the Apache DirectoryIndex pages and all the empty sites can be weeded out right away (find the script!);
for the remaining ones, finish a web application along the lines of http://autistici.org/void/ai-web-curator to browse the sites manually and save their state (with notes etc.) in a temporary db.

## #12: Switch to ai-sso for all user logins
https://git.autistici.org/ai/sso/-/issues/12 (putro; updated 2017-07-21T12:15:20Z)

### Author: shammash, Date: 2013-05-15.23:16:35
This is a bit complex because unfortunately the webmail MUST know the user's
password in order to connect via IMAP... if one trusts ai-sso a lot, though,
Dovecot could be made to accept SSO tokens in place of passwords,
which would solve the problem.
ai-sso now supports the concept of groups anyway, although to implement it
for good (since there is no user group in LDAP)
the authentication module for the SSO server would have to be written.
This would also settle the tiresome question of the interaction between panel,
helpdesk, services and so on.

## #11: ai-sso-server must not run as root
https://git.autistici.org/ai/sso/-/issues/11 (putro; updated 2017-07-18T17:46:27Z)

### Author: shammash, Date: 2013-11-10.18:33:15
In /etc/init.d/ai-sso-server there is
```
USER=ai-sso
```
but then in /etc/defaults/ai-sso-server there is
```
USER=root
```
Maybe the server has to read a few things that only root can read. In any case it would be nice if, after reading those things at startup, it switched to running as the ai-sso user.

### Author: shammash, Date: 2013-11-10.18:42:26
> 18:37 <&_ale> so, sso-server needs to be able to read /etc/.am_pe to authenticate to machdb; apart from that (which can be solved some other way) it should be able to run as any user (provided we then change the permissions on the private key, but only it reads that one)

## #10: Allow endpoints to authenticate IDP reply
https://git.autistici.org/ai/sso/-/issues/10 (ale; updated 2018-09-09T17:00:30Z)

Quoting azul:
Let me try to clarify the idea.
1) you visit protected endpoint. Endpoint creates a session the way it
usually does. This needs to be tamper resistant (for example signed or
content on the server, only session_id in the cookie). In this session
it stores a nonce. It also adds the nonce to the redirect url.
2) Idp extracts the nonce from the url and includes it in the ticket.
(pretty much like service param now)
3) Protected Endpoint compares the nonce in the ticket (request url) to
the one in the session (request cookie).
In an attempt to take over the target's account an attacker can maybe
figure out the nonce from the redirect url in 3). But since the session
is tamper resistant they cannot set their own nonce. The only way to do
that would be to steal the cookie from the target - but if they can do
that they can take over their session anyway.
In an attempt to log the other user into their own account they would
have to set a cookie in the target's browser that maps to a session with
a matching nonce. If they can seed cookies in the target's browser they
can inject a session anyway.

## #9: Switch to urlsafe base64 encoding
https://git.autistici.org/ai/sso/-/issues/9 (ale; updated 2018-09-09T17:00:30Z)

It would be nice to avoid having to perform further escaping down the line.

## #8: Debian package upgrade leaves service in failed state
https://git.autistici.org/ai/sso/-/issues/8 (ale; updated 2018-09-09T17:00:30Z)

After an upgrade of the Debian package, the ai-sso-server.service systemd unit is in a failed state:

```
● ai-sso-server.service - AI SSO Server
Loaded: loaded (/lib/systemd/system/ai-sso-server.service; disabled)
Drop-In: /etc/systemd/system/ai-sso-server.service.d
└─role-ring0.conf
Active: failed (Result: exit-code) since Sun 2016-12-25 22:09:21 UTC; 2min 48s ago
Main PID: 29523 (code=exited, status=0/SUCCESS)
Dec 25 22:09:21 evasione systemd[8775]: Failed at step NAMESPACE spawning /bin/kill: Operation not permitted
Dec 25 22:09:21 evasione systemd[1]: ai-sso-server.service: control process exited, code=exited status=226
Dec 25 22:09:21 evasione gunicorn: maste[29523]: sso_server[29523] INFO: Handling signal: term
Dec 25 22:09:21 evasione gunicorn: maste[29523]: sso_server[29523] INFO: Handling signal: term
Dec 25 22:09:21 evasione gunicorn: worke[29529]: sso_server[29529] INFO: Worker exiting (pid: 29529)
Dec 25 22:09:21 evasione gunicorn: worke[29529]: sso_server[29529] INFO: Worker exiting (pid: 29529)
Dec 25 22:09:21 evasione gunicorn: maste[29523]: sso_server[29523] INFO: Shutting down: Master
Dec 25 22:09:21 evasione gunicorn: maste[29523]: sso_server[29523] INFO: Shutting down: Master
Dec 25 22:09:21 evasione systemd[1]: Stopped AI SSO Server.
Dec 25 22:09:21 evasione systemd[1]: Unit ai-sso-server.service entered failed state.
```

## #5: mod_sso should set X-Frame-Options
https://git.autistici.org/ai/sso/-/issues/5 (ale; updated 2018-09-09T17:00:30Z)

Since the logout mechanism involves loading the /sso_logout service endpoint into an IFRAME, mod_sso could set the proper X-Frame-Options for increased security. We know the login service URL, so it should be possible to use the 'ALLOW-FROM uri' syntax in the header.

## #3: raise priority of the sso_login and sso_logout handlers
https://git.autistici.org/ai/sso/-/issues/3 (ale; updated 2018-09-09T17:00:30Z)

It shouldn't be necessary to exclude /sso_login and /sso_logout from the serving handlers (as done in the Apache config snippet in the documentation with the ProxyPass "!" directives).
It's possible that this could be done by setting somehow the priority of the installed content handlers to something higher than mod_proxy (I haven't tested what happens in a standard setup if a file named "sso_login" is already present).
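The nonce binding that azul describes in issue #10 (steps 1 to 3), with the urlsafe ticket encoding from issue #9, as an added example that is not ai-sso's own code: the IdP key, the session store, the URL and field names are assumptions, and the ticket is HMAC-signed here where the real server uses its own signing key. The demo runs the normal flow, a replay of a consumed nonce, and a ticket minted for one session but presented with another session's cookie.

```python
import base64, binascii, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse
IDP_KEY = b"constructed-demo-key"  # hypothetical: ai-sso signs tickets with its own key pair
SESSIONS = {}  # constructed server-side session store; only the session id goes in the cookie

def start_login(service):
    """Endpoint, step 1: new session holding a nonce; the same nonce goes into the redirect URL."""
    sid, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SESSIONS[sid] = {"nonce": nonce, "user": None}
    return sid, "https://idp.example/sso_login?" + urlencode({"s": service, "nonce": nonce})

def idp_issue_ticket(redirect_url, user):
    """IdP, step 2: copy the nonce from the URL into the signed ticket (like the service param)."""
    q = parse_qs(urlparse(redirect_url).query)
    raw = json.dumps({"u": user, "s": q["s"][0], "nonce": q["nonce"][0],
                      "exp": int(time.time()) + 300}, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, raw, hashlib.sha256).digest()
    # urlsafe base64 (issue #9): the ticket needs no further escaping when placed in a URL
    return base64.urlsafe_b64encode(raw).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_ticket(ticket):
    """Signature and expiry check; returns the ticket body, or None if it is not trustworthy."""
    try:
        raw_b64, sig_b64 = ticket.split(".")
        raw, sig = base64.urlsafe_b64decode(raw_b64), base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(IDP_KEY, raw, hashlib.sha256).digest(), sig):
        return None
    body = json.loads(raw)
    return body if body["exp"] >= time.time() else None

def finish_login(sid, ticket, service):
    """Endpoint, step 3: the ticket's nonce must equal the nonce in the caller's own session."""
    session, body = SESSIONS.get(sid), verify_ticket(ticket)
    if session is None or body is None or body["s"] != service or session["nonce"] is None:
        return False
    if not hmac.compare_digest(body["nonce"], session["nonce"]):
        return False  # ticket was minted for a different session: reject, log nobody in
    session["nonce"], session["user"] = None, body["u"]  # nonce is single-use
    return True

def demo():
    service = "https://app.example/"
    sid, url = start_login(service)
    ok = finish_login(sid, idp_issue_ticket(url, "alice"), service)      # normal flow
    replay = finish_login(sid, idp_issue_ticket(url, "alice"), service)  # nonce already consumed
    victim_sid, _ = start_login(service)       # ticket from one session, cookie of another
    _, other_url = start_login(service)
    crossed = finish_login(victim_sid, idp_issue_ticket(other_url, "mallory"), service)
    return ok, SESSIONS[sid]["user"], replay, crossed, SESSIONS[victim_sid]["user"]
```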