Comments (7)
pkern
commented on May 17, 2024
It's probably worth pointing out that @delroth wrote https://github.com/delroth/glome-login-authorize/blob/master/glome-login-authorize.py as a hacky way of generating authorizing tags from the URL.
from glome.
vvidic
commented on May 17, 2024
It seems like pam-auth-update only updates /etc/pam.d/common-* so it might not be possible to modify /etc/pam.d/login (owned by login package). Maybe it would be better to ship the module in a disabled state. Admins can than configure and enable it manually only for login or use debconf to configure and enable it for all services. For example /usr/share/pam-configs/yubico:
Name: Yubico authentication with YubiKey
Default: no
Priority: 704
Auth-Type: Primary
Auth:
required pam_yubico.so mode=client try_first_pass id=N key=K
Auth-Initial:
required pam_yubico.so mode=client try_first_pass id=N key=K
from glome.
pkern
commented on May 17, 2024
Admins can than configure and enable it manually only for login or use debconf to configure and enable it for all services.
I'd be fine with that as well - PAM is often something that the local sysadmin needs to configure to their liking. Although to note what we are looking for is effectively using pam_glome.so with sufficient, so that there are no further checks. pam_yubico.so is also documented in the same way, so I'm a little surprised about the required in the Debian config.
from glome.
vvidic
commented on May 17, 2024
On Fri, May 28, 2021 at 12:29:45PM -0700, Philipp Kern wrote:
We should actually go and design how glome-login is supposed to be used - with integration into Debian/Ubuntu as an example. I'd suggest the following:
* We could go with `glome login sign`/`tag` - or `glome-login sign`, I
don't really care. But it also turns out that we do not have URL
decomposition in C yet, which would be somewhat useful to feed URLs
into. Basically I think it'd be great to have a CLI that takes the
private key file as an argument and parses everything from the `/v1/`
to the end and generates the appropriate tag to login with.
I have a working `glome login` command in C now, just need to clean it
up a bit and will send for review.
…--
Valentin
from glome.
vvidic
commented on May 17, 2024
On Fri, May 28, 2021 at 12:29:45PM -0700, Philipp Kern wrote:
Additionally there should be commands alike `wg genkey` and `wg
pubkey` that DTRT. Then we'd be at the same technical level as
Wireguard, where you still need to put those keys into the appropriate
places in the config file - although we'd still ship an example config
with the keys commented out. Technically this could also be written in
a language different from C. I think from a distro point of view I'd
weakly prefer it to be Python or C rather than Go.
Seems like wg just dumps the key to base64 or hex so that should be
simple enough:
```
#define WG_KEY_LEN_BASE64 ((((WG_KEY_LEN) + 2) / 3) * 4 + 1)
#define WG_KEY_LEN_HEX (WG_KEY_LEN * 2 + 1)
void key_to_base64(char base64[static WG_KEY_LEN_BASE64], const uint8_t key[static WG_KEY_LEN]);
bool key_from_base64(uint8_t key[static WG_KEY_LEN], const char *base64);
void key_to_hex(char hex[static WG_KEY_LEN_HEX], const uint8_t key[static WG_KEY_LEN]);
bool key_from_hex(uint8_t key[static WG_KEY_LEN], const char *hex);
bool key_is_zero(const uint8_t key[static WG_KEY_LEN]);
```
…--
Valentin
from glome.
burgerdev
commented on May 17, 2024
Looks like we're done here after we get a printable public key, correct?
from glome.
vvidic
commented on May 17, 2024
Also we have till the end of the year to create a package for the next Debian stable release, which should be doable I think.
from glome.
Related Issues (20)
- Key material should have a consistent and safe format HOT 2
- glome-login config file cannot be 'special' HOT 1
- glome-login leaving an extra newline in the input buffer before returning? HOT 2
- CLI should handle tags as base64 instead of hex
- Support more fleet-wide settings in the config file HOT 5
- GLOME Login assumes that challenge is an URL HOT 1
- More user-friendly landing README HOT 1
- PAM module arguments naming is inconsistent with the config HOT 2
- OpenSSL's HMAC API is deprecated in 3.x
- Build fails on NixOS
- Github Actions not triggering on PR HOT 1
- Implement RFD001 (GLOME Login v2)
- Implement support for v2 in Go and Python (keeping v1 support to grant users a transition period).
- Switch CLI, C library and binary to v2, dropping v1 support HOT 1
- Document the new protocol.
- Drop v1 support in Go and Python. HOT 1
- Improve documentation of `glome.h`
- Add Go GLOME config file parsing
- golang ParseURLResponse function does not handle URLs correctly HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from glome.