IRC logs of #tryton for Wednesday, 2012-04-25 #tryton log beginning Wed Apr 25 00:00:01 CEST 2012
2012-04-25 00:30 -!- smoldersan( has left #tryton
2012-04-25 10:19 <sisalp> hello, about proteus, I found
2012-04-25 10:20 <sisalp> is it the only documentation about it ?
2012-04-25 10:21 <yangoon> sisalp there is also the README inside the repos
2012-04-25 10:24 <sisalp> yangoon: thank you
2012-04-25 10:24 <sisalp> so to use proteus, one must understand tryton quite deeply
2012-04-25 10:25 <sisalp> which doc should be the right starter ?
2012-04-25 10:28 <sisalp> and would the log of client-server communication be a reference source ?
2012-04-25 10:29 <yangoon> sisalp no, client<->server is jsonrpc
2012-04-25 10:29 <sisalp> yangoon: and proteus is not ?
2012-04-25 10:29 <yangoon> sisalp but you can take a look at module tryton-tools
2012-04-25 10:30 <yangoon> there is a script inside using proteus:
2012-04-25 10:30 <yangoon> and you can take a look at the scenarios in the modules
2012-04-25 10:31 <yangoon> they should be translatable quite easily
2012-04-25 10:31 <yangoon> sisalp: there is also in module tryton-tools for example
2012-04-25 10:32 <sisalp> yangoon: Thank you, I'll start there but will certainly come back ;-)
2012-04-25 10:32 <yangoon> sisalp good luck
2012-04-25 12:33 <sisalp> what I would like is for the tables of the category on to become elements in the product comparison on
2012-04-25 12:34 <sisalp> for example: number of users or disk volume etc...
2012-04-25 12:35 <sisalp> Sorry, mistyped in the wrong discussion, don't consider that ;-)
2012-04-25 13:27 <sharoonthomas> cedk: I am looking at Issue 342002 and I was wondering why the format for date time is '%H:%M:%S' (i might be missing something)
2012-04-25 13:27 <cedk> sharoonthomas: because it is the standard way
2012-04-25 13:28 <sharoonthomas> cedk: so this is for date time to time conversion ?
2012-04-25 13:29 <cedk> sharoonthomas: yes but I'm not sure to understand your question
2012-04-25 13:30 <sharoonthomas> cedk: to be honest i don't :P i was wondering what this patch is doing
2012-04-25 13:33 <cedk> sharoonthomas: it allows defining the precision for time
2012-04-25 13:33 <sharoonthomas> cedk: from what i understand the patch allows limiting the resolution of time part in a date time/time field on the client side
2012-04-25 13:33 <cedk> sharoonthomas: yes
2012-04-25 13:35 <sharoonthomas> cedk: the problem i see is with the default fields like create_date and write_date, their precision will be reduced to the default precision ?
2012-04-25 13:35 <sharoonthomas> cedk: i see that the test case creates a record and if the resolution is lost, it should have blown up
2012-04-25 13:38 <cedk> sharoonthomas: create_date and write_date are special fields
2012-04-25 16:02 <rhubner> Hi nicoe!
2012-04-25 16:04 <nicoe> rhubner: hello
2012-04-25 16:06 <rhubner> nicoe: thanks for the trust
2012-04-25 16:07 <rhubner> nicoe: We need to talk about some things to start the project
2012-04-25 16:10 <rhubner> nicoe: I'll build the stage for the development (blog, repository, bug correction) but I need to know some things...
2012-04-25 16:13 <nicoe> Yes
2012-04-25 16:14 <rhubner> nicoe: I wonder what the tables that store history/logs are, and sample queries for these tables; is this possible?
2012-04-25 16:23 <nicoe> take a look at the module account_invoice_history
2012-04-25 16:24 <nicoe> or product_cost_history
2012-04-25 16:27 <rhubner> nicoe: I'll see it... furthermore, do you have something to talk?
2012-04-25 16:29 <nicoe> I think the first thing that you should do is understand how the history works in tryton
2012-04-25 16:30 <nicoe> Then find a way to represent this in the tryton client
2012-04-25 16:44 <rhubner> Ok nicoe, i'll have lunch.. thanks
2012-04-25 18:05 <sharoonthomas> cedk: Do you have a few minutes to talk about 2 factor authentication ?
2012-04-25 18:06 <cedk> sharoonthomas: ok
2012-04-25 18:06 <sharoonthomas> cedk: We get a lot of requests these days for 2 factor authentication in tryton
2012-04-25 18:07 <cedk> sharoonthomas: what do you mean?
2012-04-25 18:07 <sharoonthomas> cedk: and it is easy to manage on the server side, thanks to user and authentication being a model
2012-04-25 18:08 <sharoonthomas> cedk: but on the client side it is difficult to handle
2012-04-25 18:08 <sharoonthomas> cedk: currently we have password based authentication. We want to make it 2 factors. A password + an OTP (or something else, like pass codes, phone call, sms etc)
2012-04-25 18:12 <cedk> sharoonthomas: I don't see any advantages
2012-04-25 18:13 <sharoonthomas> cedk: well, it's easy to understand because many people use weak passwords, or they use the same password everywhere or they even write down their passwords and it's easy to steal
2012-04-25 18:13 <sharoonthomas> cedk: so having a second factor reduces the probability of compromising the system by half
2012-04-25 18:14 <sharoonthomas> cedk: even gmail supports two factor authentication now
2012-04-25 18:14 <cedk> sharoonthomas: so drop the first as it is insecure
2012-04-25 18:14 <sharoonthomas> cedk: then if somebody steals your key they have access
2012-04-25 18:15 <sharoonthomas> cedk: the probability of being compromised does not get reduced
2012-04-25 18:15 <cedk> sharoonthomas: it is false about gmail
2012-04-25 18:15 <nicoe> sharoonthomas:
2012-04-25 18:15 <nicoe> Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet.
2012-04-25 18:16 <nicoe> quoting Bruce Schneier
2012-04-25 18:16 <sharoonthomas> cedk:
2012-04-25 18:17 <sharoonthomas> nicoe: it works for remote logins too, we have implementations using Duo Security and yubikeys and it works flawlessly
2012-04-25 18:17 <sharoonthomas> nicoe: even our SSH logins have two factor authentication
2012-04-25 18:20 <cedk> sharoonthomas: except that it stores the session in the browser for months
2012-04-25 18:20 <nicoe> of course it works, sending password out there in clear text works too. The question is : is it secure ?
2012-04-25 18:21 <nicoe> And obviously it is not as secure as people think it is
2012-04-25 18:22 <sharoonthomas> cedk: Well Tryton sessions are managed on the server side and validity is configured by the user ?
2012-04-25 18:23 <sharoonthomas> nicoe: i did not understand the question. is it if 2 factor authentication is safer than single factor authentication (what is already there ?) i think yes is an answer for that
2012-04-25 18:26 <cedk> sharoonthomas: for me, it is not
2012-04-25 18:26 <cedk> sharoonthomas: the security level of a system = the weak point of it
2012-04-25 18:26 <sharoonthomas> cedk: can you explain please ?
2012-04-25 18:27 <cedk> sharoonthomas: I can not, it is basic logic
2012-04-25 18:28 <sharoonthomas> cedk: and the weakest point in the case of tryton is authentication
2012-04-25 18:29 <sharoonthomas> cedk: does this not add an extra step to protect it ?
2012-04-25 18:29 <cedk> smarro: don't understand
2012-04-25 18:31 <smarro> cedk: hi... what?
2012-04-25 18:31 <cedk> smarro: oops wrong completion
2012-04-25 18:31 <cedk> sharoonthomas: don't understand
2012-04-25 18:32 <sharoonthomas> cedk: from what i understand, you said that the highest security level of a system is the security of the weakest point of the system
2012-04-25 18:33 <sharoonthomas> cedk: so the weakest point in the case of tryton, is the authentication part where someone stole or guessed a username and password ?
2012-04-25 18:34 <cedk> sharoonthomas: no, the weak point is the user
2012-04-25 18:34 <cedk> sharoonthomas: if you can not trust your users, you can not authenticate them
2012-04-25 18:35 <sharoonthomas> cedk: it's not a matter of trust, users of an ERP system can be anybody from the directors of the company to packers at the warehouse
2012-04-25 18:35 <cedk> sharoonthomas: security is a matter of trust
2012-04-25 18:36 <sharoonthomas> cedk: alright, so in your point of view there is no added value to a second factor of authentication ?
2012-04-25 18:37 <cedk> sharoonthomas: not that much, depends on what you want to achieve
2012-04-25 18:37 <sharoonthomas> cedk: well unlike the article nicoe sent, the goal of a second factor of authentication is to mitigate the risk of a weak password or a common password.
2012-04-25 18:38 <cedk> sharoonthomas: don't understand
2012-04-25 18:39 <nicoe> sharoonthomas: not unlike, just like the article I sent
2012-04-25 18:39 <nicoe> But it does not work when you use an untrusted network
2012-04-25 18:39 <sharoonthomas> nicoe: cedk: why ?
2012-04-25 18:41 <nicoe> sharoonthomas: because people can still use mim attacks
2012-04-25 18:41 <nicoe> sharoonthomas: it's explained in the article
2012-04-25 18:44 <sharoonthomas> nicoe: if you are talking about MIM in the sense of stealing a tryton session, it really doesn't matter if the user has a password, 2 factor, 3 factor or even more.
2012-04-25 18:45 <sharoonthomas> nicoe: but if you are talking about MIM stealing passwords, then that problem is mitigated by 2 factor authentication
2012-04-25 18:45 <sharoonthomas> nicoe: 1. because the second token if at all entered by the user is a one time password, not valid for second use
2012-04-25 18:46 <sharoonthomas> nicoe: 2. in recent implementations, the second token is an activation from a mobile app (on smartphones), phone calls, sms etc
2012-04-25 18:50 <nicoe> So you demonstrated that it is in fact useless
2012-04-25 18:51 <cedk> sharoonthomas: what is the problem you try to solve?
2012-04-25 18:51 <sharoonthomas> nicoe: it is in fact useless in mitigating MIM attacks and that's not the purpose of the two factor authentication
2012-04-25 18:52 <sharoonthomas> cedk: the problem i try to solve is: imagine that i was quick enough to read your key strokes sitting right next to you at TUL 2011 when you logged into your Tryton (username is already in cleartext), i have access to your Tryton db just with that
2012-04-25 18:53 <cedk> sharoonthomas: so change password often
2012-04-25 18:54 <cedk> sharoonthomas: analyse activities
2012-04-25 18:54 <sharoonthomas> cedk: exactly the required solution, but automatic in 2 factor authentication where second factor is a new password every x seconds which you don't have to remember
2012-04-25 18:54 <cedk> sharoonthomas: so just use the second password
2012-04-25 18:54 <cedk> sharoonthomas: as the first one for you is not secure
2012-04-25 18:55 <sharoonthomas> cedk: that alone doesn't solve the problem because stealing your key alone would be sufficient to gain access
2012-04-25 18:57 <cedk> sharoonthomas: so secure your key
2012-04-25 18:58 <cedk> sharoonthomas: and again if you consider that password can be read and key can be stolen, there is still no security
2012-04-25 18:58 <sharoonthomas> cedk: the probability of pulling off both of them is much less than pulling off any one of these ?? you got to agree to that
2012-04-25 18:58 <bechamel> cedk, sharoonthomas: what about something like ssh privates keys ?
2012-04-25 18:59 <cedk> sharoonthomas: no
2012-04-25 19:00 <bechamel> gmail token works by sending an sms, other solutions work with dedicated hardware, it's not easy to deploy
2012-04-25 19:00 <cedk> sharoonthomas: If I can steal your password, I probably can steal your key also
2012-04-25 19:01 <sharoonthomas> cedk: what if the key is your phone ? you may not realize that i stole your password but definitely your phone, or that hardware token with your car keys ?
2012-04-25 19:02 <cedk> sharoonthomas: I could just have copied your SIM card
2012-04-25 19:03 <cedk> as I already said, security is a matter of trust
2012-04-25 19:04 <sharoonthomas> cedk: yep i could have, but that's a lot more complicated than just stealing a password
2012-04-25 19:04 <cedk> sharoonthomas: I think it is more complicated to steal my password than my phone
2012-04-25 19:05 <cedk> sharoonthomas: my password is in my mind
2012-04-25 19:06 <sharoonthomas> cedk: ok i give up
2012-04-25 19:07 <bechamel> ACTION really thinks something like ssh privates keys would do the job ...
2012-04-25 19:07 <sharoonthomas> bechamel: sounds good, and is secure but the only problem is it's not portable
2012-04-25 19:08 <bechamel> sharoonthomas: not portable with respect to ?
2012-04-25 19:09 <sharoonthomas> bechamel: AFAICS you will need your private key on whichever machine you try to access Tryton from ?
2012-04-25 19:10 <bechamel> sharoonthomas: yes this is the feature actually :)
2012-04-25 19:10 <cedk> bechamel: for it doesn't change anything
2012-04-25 19:10 <bechamel> sharoonthomas: this defeats the "I was quick enough to read your keystrokes"
2012-04-25 19:11 <bechamel> cedk: ^^
2012-04-25 19:12 <cedk> moreover, with a token/key you give the authentication to a third party that you don't control :-)
2012-04-25 19:13 <bechamel> cedk: who is the third party ??
2012-04-25 19:14 <cedk> bechamel: the token builder
2012-04-25 19:15 <cedk> sharoonthomas: anyway, if you have a fixed length token generator, you can just append it to the password and make your validation
2012-04-25 19:15 <bechamel> cedk: isn't this discussion about implementing it in tryton ?! :)
2012-04-25 19:17 <cedk> bechamel: I don't know, 2FA is often about token
2012-04-25 19:18 <bechamel> by the way, my wife used to work for a company that was using peoplesoft, and they were using a vpn to access it. Crypto and security stuff are difficult to implement correctly, maybe it's better to use existing solutions.
2012-04-25 19:18 <bechamel> cedk: a token is just a number
2012-04-25 19:20 <bechamel> cedk: the 2FA of gmail is just a number that google send by sms to your phone
2012-04-25 19:20 -!- Mayank1(~mayank@ has left #tryton
2012-04-25 19:24 <cedk> bechamel: I guess the question was about adding 2FA to Tryton
2012-04-25 19:24 <cedk> but as the login form is stored in the client, it can not be customizable
2012-04-25 19:25 <cedk> but the login form is displayed before connection to server
2012-04-25 19:25 <bechamel> cedk: if it's the only problem, it's not a big deal :)
2012-04-25 19:25 <cedk> we could imagine adding a method on the server that will describe the required fields for login and call it when the server is entered
2012-04-25 19:26 <bechamel> the main questions should be: 1) what are the main threats 2) what are good solutions against them ?
2012-04-25 19:28 <bechamel> for 1) i see: a) somebody reading over your shoulder, b) MIM, c) a bot that tries to test all the passwords
2012-04-25 19:29 <bechamel> iirc c) is not a problem as the server adds an exponential delay between attempts
2012-04-25 19:31 <cedk> bechamel: b neither as there is certificate validation
2012-04-25 19:32 <bechamel> cedk: yes
2012-04-25 19:33 <bechamel> as we already have ssl support the next logical step is IMO to support ssl client certificates
2012-04-25 19:34 <cedk> bechamel: I don't think so
2012-04-25 19:35 <pilou> Is server certificate checked by the client ?
2012-04-25 19:37 <bechamel> pilou: there is a fingerprint stored in .config/tryton/2.2/known_hosts for each server
2012-04-25 19:39 <bechamel> pilou: but I don't remember how it is used
2012-04-25 19:40 <cedk> bechamel: just check the fingerprint
2012-04-25 19:40 <bechamel> cedk: yes but how is it useful ? does it stop MIM ?
2012-04-25 19:41 <cedk> bechamel: if the fingerprint is wrong, it stops
2012-04-25 19:41 <bechamel> cedk: so it does not stop mim
2012-04-25 19:42 <cedk> bechamel: don't understand
2012-04-25 19:44 <bechamel> cedk: let's say i manage to intercept traffic between the server and the client, I just need to forward network packets from the client to the server and vice-versa to see everything
2012-04-25 19:44 <cedk> bechamel: just encrypted traffic
2012-04-25 19:46 <bechamel> cedk: is the fingerprint generated or it is a checksum of the ssl certificate ?
2012-04-25 19:47 <cedk> bechamel: don't know
2012-04-25 19:48 <bechamel> cedk: I just read the code: it's a checksum of "peercert" which is the result of sock.getpeercert()
2012-04-25 19:49 <bechamel> cedk: so it should prevent mim
2012-04-25 19:50 <bechamel> bbl
2012-04-25 19:54 <pilou> cedk: does the use of m2crypto instead of checking the fingerprint seem like a good idea to you ?
2012-04-25 19:58 <cedk> pilou: don't understand what you want to do