| chat.freenode.net #tryton log beginning Wed Apr 25 00:00:01 CEST 2012 | ||
| 2012-04-25 00:30 -!- smoldersan(~smoldersa@as77-13.tontut.fi) has left #tryton | ||
| 2012-04-25 10:19 <sisalp> hello, about proteus, I found http://pypi.python.org/pypi/proteus/1.8.0 | ||
| 2012-04-25 10:20 <sisalp> is it the only documentation about it ? | ||
| 2012-04-25 10:21 <yangoon> sisalp there is also the README inside the repos | ||
| 2012-04-25 10:24 <sisalp> yangoon: tahnk you | ||
| 2012-04-25 10:24 <sisalp> so to use proteus, one must understand tryton quite deeply | ||
| 2012-04-25 10:25 <sisalp> which doc should be the right starter ? | ||
| 2012-04-25 10:28 <sisalp> and would the log of client-server communication be a reference source ? | ||
| 2012-04-25 10:29 <yangoon> sisalp no, client<->server is jsonrpc | ||
| 2012-04-25 10:29 <sisalp> yangoon: and proteus is not ? | ||
| 2012-04-25 10:29 <yangoon> sisalp but you can take a look at module tryton-tools | ||
| 2012-04-25 10:30 <yangoon> there is a script inside using proteus: localize_modules.py | ||
| 2012-04-25 10:30 <yangoon> and you can take a look at the scenarios in the modules | ||
| 2012-04-25 10:31 <yangoon> they should be translatable quite easy | ||
| 2012-04-25 10:31 <yangoon> sisalpthere is also tryton_demo.py in module tryton-tools for example | ||
| 2012-04-25 10:32 <sisalp> yangoon: Thank you, I'll start there but will certainly come back ;-) | ||
| 2012-04-25 10:32 <yangoon> sisalp good luck | ||
| 2012-04-25 12:33 <sisalp> ce que je souhaite c'est que les tableau de la catégorie sur bdll.fr deviennent des élément dans la comparaison des produits sur o-o.fr | ||
| 2012-04-25 12:34 <sisalp> par exemple : nombre d'utilisateurs ou volume disque etc... | ||
| 2012-04-25 12:35 <sisalp> Sorry, mistyped in the wrong discussion, don't consider that ;-) | ||
| 2012-04-25 13:27 <sharoonthomas> cedk: I am looking at Issue 342002 and I was wondering why the format for date time is '%H:%M:%S' (i might be missing something) | ||
| 2012-04-25 13:27 <cedk> sharoonthomas: because it is the standard way | ||
| 2012-04-25 13:28 <sharoonthomas> cedk: so this is for date time to time conversion ? | ||
| 2012-04-25 13:29 <cedk> sharoonthomas: yes but I'm not sure to understand your question | ||
| 2012-04-25 13:30 <sharoonthomas> cedk: to be honest i don't :P i was wondering what this patch is doing | ||
| 2012-04-25 13:33 <cedk> sharoonthomas: allow to define the precision for time | ||
| 2012-04-25 13:33 <sharoonthomas> cedk: from what i understand the patch allows limiting the resolution of time part in a date time/time field on the client side | ||
| 2012-04-25 13:33 <cedk> sharoonthomas: yes | ||
| 2012-04-25 13:35 <sharoonthomas> cedk: the problem i see is with the default fields like create_date and write_date, their precision will be reduced to the default precision ? | ||
| 2012-04-25 13:35 <sharoonthomas> cedk: i see that the test case creates a record and if the resolution is lost, it should have blown up | ||
| 2012-04-25 13:38 <cedk> sharoonthomas: create_date and write_date are special fields | ||
| 2012-04-25 16:02 <rhubner> Hi nicoe! | ||
| 2012-04-25 16:04 <nicoe> rhubner: hello | ||
| 2012-04-25 16:06 <rhubner> nicoe: thanks by trust | ||
| 2012-04-25 16:07 <rhubner> nicoe: We need to talk somethings to start the project | ||
| 2012-04-25 16:10 <rhubner> nicoe: I'll build the stage for the development (blog, repository, correction bug) but I need to know somethings... | ||
| 2012-04-25 16:13 <nicoe> Yes | ||
| 2012-04-25 16:14 <rhubner> nicoe: I wonder what are the tables that store historical/logs and sample queries for these tables, this is possible? | ||
| 2012-04-25 16:23 <nicoe> take a look at the module account_invoice_history | ||
| 2012-04-25 16:24 <nicoe> or product_cost_history | ||
| 2012-04-25 16:27 <rhubner> nicoe: I'll see it... furthermore, do you have something to talk? | ||
| 2012-04-25 16:29 <nicoe> I think the first think that you should do is understand how the history work in tryton | ||
| 2012-04-25 16:30 <nicoe> Then find a way represent this in the tryton client | ||
| 2012-04-25 16:44 <rhubner> Ok nicoe, i'll have lunch.. thanks | ||
| 2012-04-25 18:05 <sharoonthomas> cedk: Do you have a few minutes to talk about 2 factor authentication ? | ||
| 2012-04-25 18:06 <cedk> sharoonthomas: ok | ||
| 2012-04-25 18:06 <sharoonthomas> cedk: We get a lot of request these days for 2 factor authentication in tryton | ||
| 2012-04-25 18:07 <cedk> sharoonthomas: what do yo mean? | ||
| 2012-04-25 18:07 <sharoonthomas> cedk: and it is easy to manage on the server side, thanks to user and authentication being a model | ||
| 2012-04-25 18:08 <sharoonthomas> cedk: but on the client side it is difficult to handle | ||
| 2012-04-25 18:08 <sharoonthomas> cedk: currently we have password based authentication. We want to make it 2 factors. A password + an OTP (or something else, like pass codes, phone call, sms etc) | ||
| 2012-04-25 18:12 <cedk> sharoonthomas: I don't see any advantages | ||
| 2012-04-25 18:13 <sharoonthomas> cedk: well, its easy to understand because many people use weak passwords, or they use the same password everywhere or they even write down their passwords and its easy to steal | ||
| 2012-04-25 18:13 <sharoonthomas> cedk: so having a second factor reduces the probability of compromising the system by half | ||
| 2012-04-25 18:14 <sharoonthomas> cedk: even gmail supports two factor authentication now | ||
| 2012-04-25 18:14 <cedk> sharoonthomas: so drop the first as it is insecure | ||
| 2012-04-25 18:14 <sharoonthomas> cedk: then if somebody steals your key they have access | ||
| 2012-04-25 18:15 <sharoonthomas> cedk: the probability of being compromised does not get reduced | ||
| 2012-04-25 18:15 <cedk> sharoonthomas: it is false about gmail | ||
| 2012-04-25 18:15 <nicoe> sharoonthomas: http://www.schneier.com/blog/archives/2005/03/the_failure_of.html | ||
| 2012-04-25 18:15 <nicoe> Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won't work for remote authentication over the Internet. | ||
| 2012-04-25 18:16 <nicoe> quoting Bruce Schneier | ||
| 2012-04-25 18:16 <sharoonthomas> cedk: http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html | ||
| 2012-04-25 18:17 <sharoonthomas> nicoe: it works for remote logins too, we have implementations using Duo Security and yubikeys and it works flawlessly | ||
| 2012-04-25 18:17 <sharoonthomas> nicoe: even our SSH logins have two factor authentication | ||
| 2012-04-25 18:20 <cedk> sharoonthomas: except that it store the session in the browser for months | ||
| 2012-04-25 18:20 <nicoe> of course it works, sending password out there in clear text works too. The question is : is it secure ? | ||
| 2012-04-25 18:21 <nicoe> And obviously it is not as secure as people think it is | ||
| 2012-04-25 18:22 <sharoonthomas> cedk: Well triton sessions are managed on server side and validity is configured by the user ? | ||
| 2012-04-25 18:23 <sharoonthomas> nicoe: i did not understand the question. is it if 2 factor authentication is safer than single factor authentication (what is already there ?) i think yes is an answer for tha | ||
| 2012-04-25 18:26 <cedk> sharoonthomas: for me, it is not | ||
| 2012-04-25 18:26 <cedk> sharoonthomas: the security level of a system = the weak point of it | ||
| 2012-04-25 18:26 <sharoonthomas> cedk: can you explain please ? | ||
| 2012-04-25 18:27 <cedk> sharoonthomas: I can not it is basic logical | ||
| 2012-04-25 18:28 <sharoonthomas> cedk: and the weakest point in the case of tryton is authentication | ||
| 2012-04-25 18:29 <sharoonthomas> cedk: does this not add an extra step to protect it ? | ||
| 2012-04-25 18:29 <cedk> smarro: don't understand | ||
| 2012-04-25 18:31 <smarro> cedk: hi... what? | ||
| 2012-04-25 18:31 <cedk> smarro: oups wrong completion | ||
| 2012-04-25 18:31 <cedk> sharoonthomas: don't understand | ||
| 2012-04-25 18:32 <sharoonthomas> cedk: from what i understand, you said that the highest security level of a system is the security of the weakest point of the system | ||
| 2012-04-25 18:33 <sharoonthomas> cedk: so the weakest point in the case of tryton, is the authentication part where someone stole or guessed a username and password ? | ||
| 2012-04-25 18:34 <cedk> sharoonthomas: no, the weak point is the user | ||
| 2012-04-25 18:34 <cedk> sharoonthomas: if you can not trust your users, you can not authenticate them | ||
| 2012-04-25 18:35 <sharoonthomas> cedk: its not a matter of trust, users of an ERP system can be anybody from the directors of the company to packers at the warehouse | ||
| 2012-04-25 18:35 <cedk> sharoonthomas: security is a matter of trust | ||
| 2012-04-25 18:36 <sharoonthomas> cedk: alright, so in your point of view there is no added value to a second factor of authentication ? | ||
| 2012-04-25 18:37 <cedk> sharoonthomas: not that much, depends of what you want to achieve | ||
| 2012-04-25 18:37 <sharoonthomas> cedk: well unlike the article nicoe sent, the goal of a second factor of authentication is to mitigate the risk of a weak password or a common password. | ||
| 2012-04-25 18:38 <cedk> sharoonthomas: don't understand | ||
| 2012-04-25 18:39 <nicoe> sharoonthomas: not unlike, just like the article I sent | ||
| 2012-04-25 18:39 <nicoe> But it does not work whe you use an untrusted network | ||
| 2012-04-25 18:39 <sharoonthomas> nicoe: cedk: why ? | ||
| 2012-04-25 18:41 <nicoe> sharoonthomas: because people can still use mim attacks | ||
| 2012-04-25 18:41 <nicoe> sharoonthomas: it's explained in the article | ||
| 2012-04-25 18:44 <sharoonthomas> nicoe: if you are talking about MIM in the sense of stealing a tryton session, it really doesn't matter if the user has a password, 2 factor, 3 factor or even more. | ||
| 2012-04-25 18:45 <sharoonthomas> nicoe: but if you are talking about MIM stealing passwords, then that problem is mitigated by 2 factor authentication | ||
| 2012-04-25 18:45 <sharoonthomas> nicoe: 1. because the second token if at all entered by the user is a one time password, not valid for second use | ||
| 2012-04-25 18:46 <sharoonthomas> nicoe: 2. in recent implementations, the second token is an activation from a mobile app (on smartphones), phone calls, sms etc | ||
| 2012-04-25 18:50 <nicoe> So you demonstrated that it is in fact useless | ||
| 2012-04-25 18:51 <cedk> sharoonthomas: what is the problem you try to solve? | ||
| 2012-04-25 18:51 <sharoonthomas> nicoe: it is intact useless in mitigating MIM attacks and thats not the purpose of the two factor authentication | ||
| 2012-04-25 18:52 <sharoonthomas> cedk: the problem i try to solve is: imagine that i was quick enough to read your key strokes sitting right next to you at TUL 2011 when you logged into your Tryton (username is already in cleartext), i have access to your triton db just with that | ||
| 2012-04-25 18:53 <cedk> sharoonthomas: so change password often | ||
| 2012-04-25 18:54 <cedk> sharoonthomas: analyse activies | ||
| 2012-04-25 18:54 <sharoonthomas> cedk: exactly the required solution, but automatic in 2 factor authentication where second factor is a new password every x seconds which you don't have to remember | ||
| 2012-04-25 18:54 <cedk> sharoonthomas: so just use the second password | ||
| 2012-04-25 18:54 <cedk> sharoonthomas: as the first one for you is not secure | ||
| 2012-04-25 18:55 <sharoonthomas> cedk: that alone doesn't solve the problem because stealing your key alone would be sufficient to gain access | ||
| 2012-04-25 18:57 <cedk> sharoonthomas: so secure your key | ||
| 2012-04-25 18:58 <cedk> sharoonthomas: and again if you consider that password can be read and key can be stolen, there is still no security | ||
| 2012-04-25 18:58 <sharoonthomas> cedk: the probability of pulling both of is much less than pulling any one of these ?? you got to agree to that | ||
| 2012-04-25 18:58 <bechamel> cedk, sharoonthomas: what about something like ssh privates keys ? | ||
| 2012-04-25 18:59 <cedk> sharoonthomas: no | ||
| 2012-04-25 19:00 <bechamel> gmail token works by sending an sms, other solution works with decated harware, it's not easy to deploy | ||
| 2012-04-25 19:00 <cedk> sharoonthomas: If I can stole you password, I probably can stole your key also | ||
| 2012-04-25 19:01 <sharoonthomas> cedk: what if the key is your phone ? you may not realize that i stole your password but definitely your phone, or that hardware token with your car keys ? | ||
| 2012-04-25 19:02 <cedk> sharoonthomas: I could just have copied you SIM card | ||
| 2012-04-25 19:03 <cedk> as I already said, security is a matter of trust | ||
| 2012-04-25 19:04 <sharoonthomas> cedk: yep i could have, but thats a lot more of complicated things than just stealing a password | ||
| 2012-04-25 19:04 <cedk> sharoonthomas: I think it is more complicated to steal my password than my phone | ||
| 2012-04-25 19:05 <cedk> sharoonthomas: my password is in my mind | ||
| 2012-04-25 19:06 <sharoonthomas> cedk: ok i give up | ||
| 2012-04-25 19:07 <bechamel> ACTION really thinks something like ssh privates keys would do the job ... | ||
| 2012-04-25 19:07 <sharoonthomas> bechamel: sounds good, and is secure but the only problem is its not portable | ||
| 2012-04-25 19:08 <bechamel> sharoonthomas: not portable with repect to ? | ||
| 2012-04-25 19:09 <sharoonthomas> bechamel: AFAICS you will need your private key on whichever machine you try to access triton from ? | ||
| 2012-04-25 19:10 <bechamel> sharoonthomas: yes this is the feature actualy :) | ||
| 2012-04-25 19:10 <cedk> bechamel: for it doesn't change anything | ||
| 2012-04-25 19:10 <bechamel> sharoonthomas: this defeats the "I was quick enough to read your keystrokes" | ||
| 2012-04-25 19:11 <bechamel> cedk: ^^ | ||
| 2012-04-25 19:12 <cedk> more over, with a token/key you give the authentication to a third party that you don't control :-) | ||
| 2012-04-25 19:13 <bechamel> cedk: who is the third party ?? | ||
| 2012-04-25 19:14 <cedk> bechamel: the token builder | ||
| 2012-04-25 19:15 <cedk> sharoonthomas: any way, if you have a fixed lenght token generator, you can just append it to the password and make your validation | ||
| 2012-04-25 19:15 <bechamel> cedk: isn't this discussion about implementing it in tryton ?! :) | ||
| 2012-04-25 19:17 <cedk> bechamel: I don't know, 2FA is often about token | ||
| 2012-04-25 19:18 <bechamel> by the way, my wife used to work for a company that was using peoplesoft, and they were using a vpn to access it. Crypot and security stuffs are difficult to implement correctly, maybe it's better to use existing solutions. | ||
| 2012-04-25 19:18 <bechamel> cedk: a token is just a number | ||
| 2012-04-25 19:20 <bechamel> cedk: the 2FA of gmail is just a number that google send by sms to your phone | ||
| 2012-04-25 19:20 -!- Mayank1(~mayank@122.162.53.20) has left #tryton | ||
| 2012-04-25 19:24 <cedk> bechamel: I guess the question was about adding 2FA to Tryton | ||
| 2012-04-25 19:24 <cedk> but as the login form is stored in the client, it can not be customizable | ||
| 2012-04-25 19:25 <cedk> but the login form is displayed before connection to server | ||
| 2012-04-25 19:25 <bechamel> cedk: if it's the only problem, it's not a big deal :) | ||
| 2012-04-25 19:25 <cedk> we could imagine add a method on server that will describe the required fields for login and call it when the server is enter | ||
| 2012-04-25 19:26 <bechamel> the main questions should be: 1) what are the main threats 2) what are good solutions against them ? | ||
| 2012-04-25 19:28 <bechamel> for 1) i see: a)somebody reading over your shoulder, b) MIM, c) a bot that try to test all the passwords | ||
| 2012-04-25 19:29 <bechamel> iirc c) is not a problem as the server add an exponential delay between attempts | ||
| 2012-04-25 19:31 <cedk> bechamel: b neither as there is certificate validation | ||
| 2012-04-25 19:32 <bechamel> cedk: yes | ||
| 2012-04-25 19:33 <bechamel> as we already have ssl support the next logical step is IMO to support ssl client certificates | ||
| 2012-04-25 19:34 <cedk> bechamel: I don't think so | ||
| 2012-04-25 19:35 <pilou> Is server certificate checked by the client ? | ||
| 2012-04-25 19:37 <bechamel> pilou: there is a fingerprint stored in .config/tryton/2.2/known_hosts for each server | ||
| 2012-04-25 19:39 <bechamel> pilou: but it don't remember how it is used | ||
| 2012-04-25 19:40 <cedk> bechamel: just check the fingerprint | ||
| 2012-04-25 19:40 <bechamel> cedk: yes but how it is useful ? does it stop MIM ? | ||
| 2012-04-25 19:41 <cedk> bechamel: if fingerprint is wrong, it stop | ||
| 2012-04-25 19:41 <bechamel> cedk: so it does not stop mim | ||
| 2012-04-25 19:42 <cedk> bechamel: don't understand | ||
| 2012-04-25 19:44 <bechamel> cedk: lets say i manage to intercept traffic between the server and the client, I just need to forward networks packet from the client to the server and vice-versa to see everything | ||
| 2012-04-25 19:44 <cedk> bechamel: just encrypted traffic | ||
| 2012-04-25 19:46 <bechamel> cedk: is the fingerprint generated or it is a checksum of the ssl certificate ? | ||
| 2012-04-25 19:47 <cedk> bechamel: don't know | ||
| 2012-04-25 19:48 <bechamel> cedk: I just read the code: it's a checksum of "peercert" which is the result of sock.getpeercert() | ||
| 2012-04-25 19:49 <bechamel> cedk: so it should prevent mim | ||
| 2012-04-25 19:50 <bechamel> bbl | ||
| 2012-04-25 19:54 <pilou> cedk: does the use of m2crypto instead of checking the fingerprint seem like a good idea to you ? | ||
| 2012-04-25 19:58 <cedk> pilou: don't understand what you want to do |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!