[Server-devel] Password-less authentication with moodle

Andrés Ambrois andresambrois at gmail.com
Wed Oct 8 15:42:00 EDT 2008


On Wednesday 08 October 2008 13:34:53 Greg Smith wrote:
> Hi Andres,
>
> Looks like I answered the wrong question, sorry :-(
>
> Can you tell us more about where the Moodle and EduBlog will be deployed?
>
> Will it go on the existing Debian based servers in Uruguay or will it go
> on a server which is in a data center and access from Uruguay schools
> via WAN (private or Internet)?
>
> In terms of authentication to Moodle, I think the best you can do with
> the XO is to have user name/password on the first try. Then Moodle
> cookies the browser so it's recognized and you don't need to login again.
>
> That's my guess but I think Tarun knows more about the available options.
>
> Let me know if that is closer to what you are asking.
>
> Thanks,
>
> Greg S
>

  No worries, this is all good input for us! :)

  The solution should be independent of whether the system is installed in a 
school server or in a central one. This is because the first tests are likely 
to be conducted on a central server, and later deployed to the school servers 
(I understand these are Debian boxes, yes). 

  The authentication scheme we have more or less agreed on using goes like 
this: 

---> The system checks for a cookie that stores a username and a hash of its 
password. 

------> If a cookie is found and correct. The user is logged in and 
transported to the blogging system. Inside the system, the user can choose to 
view his/her password to be able to log in from another computer. 

------> If a cookie is not found or incorrect, the user is sent to a 
username/password login page. 

---------> If the user is on an XO [0], in addition to username/password 
fields, there is a link to the signup process, at the end of which a password 
is randomly generated, and a cookie stored on the XO for future passwordless 
logins. 

  With this scheme we contemplate passwordless logins from the XO (because the 
signup process is only available when accessing from an XO, and thus the 
cookie is only stored on XOs), and username/password logins from other 
devices. 

We have also decided there will be several EduBlog (Moodle) accounts 
associated with each XO (cookie), so other people (e.g. relatives) can use the 
system from the XO. There will be an interface to "invite" (actually add other 
accounts) people this way, and a drop-down menu to switch to these other 
accounts after automatic login. 

  Cheers!
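The cookie flow described above, as an added Python sketch that is not code from this thread, from Moodle or from EduBlog: it keeps the XO signup with a generated password, the cookie check with fallback to the username/password page, the "invite" of extra accounts and the per-XO account list, but swaps the password hash in the cookie for an opaque random per-XO token, so a cookie copied off a lost XO reveals nothing about the password and can be revoked on its own. The in-memory stores, function names and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for Moodle's tables (assumption).
USERS = {}        # username -> (salt, pbkdf2 hash of the generated password)
XO_COOKIES = {}   # cookie token -> accounts usable from that XO

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def create_account(username):
    # Signup generates the password; it is returned so the user can view it
    # later and log in with username/password from another device.
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, hash_password(password, salt))
    return password

def signup_from_xo(username):
    # Opaque random token in the cookie instead of the password hash.
    password = create_account(username)
    token = secrets.token_urlsafe(32)
    XO_COOKIES[token] = [username]
    return password, token

def _find_cookie(cookie):
    # Constant-time comparison against every stored token; returns it or None.
    match = None
    for token in XO_COOKIES:
        if hmac.compare_digest(token.encode(), cookie.encode()):
            match = token
    return match

def login_with_cookie(cookie):
    # Valid cookie -> accounts for the drop-down; None -> username/password page.
    token = _find_cookie(cookie) if cookie else None
    return list(XO_COOKIES[token]) if token else None

def login_with_password(username, password):
    rec = USERS.get(username)
    return rec is not None and hmac.compare_digest(rec[1], hash_password(password, rec[0]))

def invite(cookie, new_username):
    # "Invite": add another account (e.g. a relative) to this XO's cookie.
    XO_COOKIES[_find_cookie(cookie)].append(new_username)
    return create_account(new_username)

def revoke_xo(cookie):
    # Lost XO: drop its cookie without changing any account's password.
    XO_COOKIES.pop(_find_cookie(cookie), None)
```

Whatever the cookie carries, it is a bearer credential for every account on that XO, so it still needs the Secure and HttpOnly flags and a revocation path like the one above.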

> > ------------------------------
> >
> > Message: 2
> > Date: Mon, 6 Oct 2008 20:22:48 -0200
> > From: Andrés Ambrois <andresambrois at gmail.com>
> > Subject: Re: [Server-devel] Password-less authentication with moodle
> > 	(Martin Langhoff)
> > To: greg at laptop.org
> > Cc: server-devel at lists.laptop.org
> > Message-ID: <200810062022.48902.andresambrois at gmail.com>
> > Content-Type: text/plain;  charset="iso-8859-1"
> >
> > Hi Greg!
> >
> >   Thanks for your insight. Currently, the scope of our project is
> > restricted to the application (id est Moodle) layer, and my question was
> > directed towards authentication at that level. But your notes are very
> > relevant for installations in the future. Thank you!
> >
> >   In reply to your comments, school servers in Uruguay have no public
> > presence. I don't know the details but I would think this is done with a
> > firewall blocking everything but monitoring services used by LATU.
> >
> >   With some luck we will be able to work on these lower layer problems in
> > deployment at later stages.
> >
> >   Cheers!
> >
> > On Monday 06 October 2008 11:58:49 Greg Smith wrote:
> >> Hi Andres,
> >>
> >> I missed one key one.
> >>
> >> Have a known clean backup. Add user data to it if you can, but backup
> >> regularly. Be ready to restore to a clean backup on short notice if you
> >> are compromised and need to start from scratch.
> >>
> >> Thanks,
> >>
> >> Greg S
> >>
> >> Greg Smith wrote:
> >>> Hi Andres,
> >>>
> >>> A few comments to get you warmed up. I will ask the current EduBlog
> >>> team to give you more suggestions and details too.
> >>>
> >>> 1 - My understanding of the current XS design is that it has one
> >>> interface visible to the Internet and another visible to the school
> >>> only. It seems pretty secure that way but it can open up a bunch of
> >>> security issues if you expose the School side interface to the
> >>> Internet. You may need to do that in order to run EduBlog on the
> >>> Internet so let us know ASAP which services are available on public
> >>> routed interfaces.
> >>>
> >>> 2 - Use denyhosts (http://denyhosts.sourceforge.net/) or some other
> >>> protection against dictionary style attacks on any public facing
> >>> interfaces.
> >>>
> >>> 3 - Put an anti-virus tool on the box. e.g. clamAV. Especially if your
> >>> PHP, Apache, Moodle, SQL services are visible publicly it's important to
> >>> have a second line of defense in case some virus SW gets on the box.
> >>>
> >>> 4 - Run a port scan yourself (e.g. Nessus). Also, watch and protect
> >>> yourself against being port scanned by an attacker.
> >>>
> >>> Those are some suggestions off the top of my head.  I'll try to collect
> >>> all suggestions from EduBlog round 1 and get those to you as well.
> >>>
> >>> HTHs.
> >>>
> >>> Thanks,
> >>>
> >>> Greg S
> >>>
> >>> ************
> >>>
> >>> Date: Sun, 5 Oct 2008 14:52:25 +1300
> >>> From: "Martin Langhoff" <martin.langhoff at gmail.com>
> >>> Subject: Re: [Server-devel] Password-less authentication with moodle
> >>> To: "Andrés Ambrois" <andresambrois at gmail.com>
> >>> Cc: server-devel at lists.laptop.org
> >>> Message-ID: <46a038f90810041852y7ba08ddcv4d1f0595ca82926a at mail.gmail.com>
> >>> Content-Type: text/plain; charset=ISO-8859-1
> >>>
> >>> On Sun, Oct 5, 2008 at 5:29 AM, Andrés Ambrois <andresambrois at gmail.com> wrote:
> >>> >> - What's your timeframe?
> >>> >
> >>> > The timeframe for our project is 5 weeks starting from last Wednesday, in
> >>> > which I need to cover the interface (Moodle and Wordpress theming), course
> >>> > configuration, authentication, modifying Write to enable blog posting, and
> >>> > document all this for a manual.
> >>>
> >>> Ouch - that's very tight!
> >>>
> >>> > I'm glad I wasn't that far off :) . Are these required modifications
> >>> > documented somewhere?
> >>>
> >>> Not yet. We're finishing off 0.5 - will be looking into this for 0.6
> >>> or 0.7, not too far away, unlikely to be "done" in the next 5 weeks
> >>> either :-/
> >>>
> >>> cheers,
> >>>
> >>>
> >>>
> >>> m
> >>
> >> _______________________________________________
> >> Server-devel mailing list
> >> Server-devel at lists.laptop.org
> >> http://lists.laptop.org/listinfo/server-devel
>
