[Say 'hi' to the Zope newbie, everyone.]
I'd like to put in my 2c worth regarding the security management discussion with particular reference to the encryption side of things, then I have a small question.
Whilst it would be possible to do encrypted authentication with forms and Javascript that does a one-way hash (like MD5) using a challenge-response type of protocol, I agree with the previous poster who said that this would not be worth it when SSL is an option.
SSL can be obtained (I believe) without the overhead of Apache by using an SSL wrapper. There is a program available (it's in Debian, for example) called "sslwrap" which negotiates SSL connections and then forwards the unencrypted content somewhere else. If you forward to the local host, then the unencrypted data does not travel over the network. The main disadvantage here is that Zope thinks all such connections originate at the local host, and your server logs become somewhat less interesting for that fact.
What I prefer to do personally, when remotely managing my site, is to use SSH tunnels. I ssh to my Zope-box, then forward port 8080 to 127.0.0.1:zope-port at the other end. This also has the effect that all connections appear to come from the local host, but I use this fact to advantage. First, it allows me to filter out my own administrative accesses from the server log with ease, leaving actual "customer page views" behind. Second, as an added security measure I specify "localhost" as the domain for my administrative account. This prevents anyone from accessing the account without first gaining access via ssh.
My question: am I right in believing that "localhost" in the /domains/ field of the user form has this effect? It seems to, but all the examples show right-hand-parts of domains rather than hostnames.
Note that giving ignorant end-users ssh access does not mean you also have to give them shell access. It's possible to launch them into a menu-driven system, and the ssh tunnels will still work. Tera Term is a good free Win32 telnet client that has an ssh extension available for it.
Regards, TFBW
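The "Domains" restriction TFBW asks about, as an added, constructed model (modelled on how Zope's per-user domain check behaves; it is not Zope's own code, and `domain_spec_match` and `IP_SPEC` are names invented here): an IP-style spec is compared from the left against the request's address, a hostname spec is compared label by label from the right against the request's host, so "localhost" matches only a request that arrives on the loopback interface, as it does through the SSH tunnel.

```python
import re

# Constructed, simplified model of Zope's per-user "Domains" check (modelled
# on the behaviour, not copied from Zope's AccessControl code).  A spec is
# either a dotted IP pattern ('*' matches one label) compared left-to-right
# against REMOTE_ADDR, or a dotted hostname pattern compared label-by-label
# from the right against REMOTE_HOST.  An empty spec list means no restriction.
IP_SPEC = re.compile(r'^[0-9*]+(\.[0-9*]+)*$')


def _labels_match(pattern, value, align_right):
    """Compare dotted labels; '*' in the pattern matches any single label."""
    p, v = pattern.split('.'), value.split('.')
    if len(v) < len(p):
        return False
    # Hostname specs match the right-hand part of the host ('zope.org' matches
    # 'www.zope.org'); IP specs match from the left ('192.168.1.*').
    v = v[-len(p):] if align_right else v[:len(p)]
    return all(pp == '*' or pp == vv for pp, vv in zip(p, v))


def domain_spec_match(domains, remote_addr, remote_host=''):
    """True if a request from (remote_addr, remote_host) may use this account."""
    if not domains:
        return True
    remote_host = remote_host.lower()
    for spec in domains:
        spec = spec.strip().lower()
        if not spec:
            continue
        if spec == '*':
            return True
        if IP_SPEC.match(spec):
            if remote_addr and _labels_match(spec, remote_addr, False):
                return True
        elif remote_host and _labels_match(spec, remote_host, True):
            return True
    return False


if __name__ == '__main__':
    admin = ['localhost']  # the setting TFBW describes for the admin account
    # Through the SSH tunnel Zope sees the loopback address and host: allowed.
    print(domain_spec_match(admin, '127.0.0.1', 'localhost'))  # True
    # The same credentials presented from the network are refused.
    print(domain_spec_match(admin, '203.0.113.5', 'client.example.net'))  # False
```

Because the hostname form depends on a reverse lookup of the client address being available, listing both "localhost" and "127.0.0.1" keeps the restriction effective when no REMOTE_HOST is known.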
Hi Zope newbie,
I agree that there's no point bothering with MD5 when SSL is available; however, not everyone using Zope has that capability available to them. For instance, I've recently seen a posting on slashdot.org where some people are questioning the pricing of SSL certificates; these people are living in Asia, where the price of certificates equates to a few months' salary. Others are using hosting services which do not offer SSL as an option. For these people MD5 is an obvious second choice, obviously not as strong, but still an alternative. As for myself, I use SSL.
Phil
phil.harris@zope.co.uk
----- Original Message -----
From: "The Famous Brett Watson" <famous@nutters.org>
To: <zope@zope.org>
Sent: Tuesday, March 20, 2001 2:04 PM
Subject: Re: [Zope] Zope security management
Hi,
it's me again. :-( I have a great problem with manage_clone! If I use the following syntax, with an explicit item to clone, all works fine:
<dtml-call "manage_clone(Folder.N_1, 'N_1', REQUEST)">
but if I use a variable with the value 'N_1' like this:
<dtml-call "manage_clone(Folder._['variable'], 'N_1', REQUEST)">
I don't have the permission to clone, and get a login window in order to authorize!!!! That's crazy... another great bug??? I am using Zope 2.2.4! What could I do? Pleeease help if you can!
Thank you... Marc
This expression syntax is incorrect. I think you might mean:
<dtml-call expr="manage_clone(Folder[variable], 'N_1', REQUEST)">
Note the lack of quotes around variable. Folder[variable] means "get me the object with the id equal to the value of variable in the folder Folder".
Acquisition might get in your way here, so to make sure it doesn't you might want to use Folder.aq_explicit[variable] instead.
--
Casey Duncan
Kaivo, Inc.
cduncan@kaivo.com
Casey Duncan wrote:
Acquisition might get in your way here, so to make sure it doesn't you might want to use Folder.aq_explicit[variable] instead.
Actually that's not necessary. The only reason you can use "Folder[itemname]" is because ObjectManager provides the __getitem__ interface. __getitem__ only retrieves from the folder itself. (Note that __getitem__ and __getattr__ are distinct.) Shane
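The distinction Shane draws (and the acquisition concern Casey raised), as an added toy model that is not Zope's Acquisition package or ObjectManager (`Folder`, `resolve_for_clone` and `build_site` are constructed here): attribute lookup like `Folder.N_1` can acquire an object from a parent folder, so a clone driven by a request variable could act on something outside the folder you meant, while item lookup like `Folder[variable]` stays inside the folder and fails loudly instead.

```python
# Added, constructed toy model of Zope-style implicit acquisition; it is not
# Zope's Acquisition package or ObjectManager.  Attribute lookup on a folder
# (Folder.N_1) falls back to the containment chain, while item lookup
# (Folder['N_1']) consults that folder's own contents only, which is the
# distinction between __getattr__ and __getitem__ described above.

class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self._objects = {}

    def add(self, object_id, obj):
        self._objects[object_id] = obj
        return obj

    def __getitem__(self, object_id):
        # Like ObjectManager.__getitem__: the folder's own contents, nothing else.
        return self._objects[object_id]

    def __getattr__(self, name):
        # Only reached when normal attribute lookup fails: walk up the parents,
        # which is what implicit acquisition does for Folder.N_1.
        folder = self
        while folder is not None:
            if name in folder._objects:
                return folder._objects[name]
            folder = folder.parent
        raise AttributeError(name)


def resolve_for_clone(folder, object_id, explicit=True):
    """Return the object manage_clone would act on, or None if there is none.

    explicit=True models Folder[object_id] (local contents only);
    explicit=False models Folder.object_id, which may acquire an object from
    a parent folder and so act on something outside the folder you meant.
    """
    try:
        return folder[object_id] if explicit else getattr(folder, object_id)
    except (KeyError, AttributeError):
        return None


def build_site():
    """Constructed sample tree: root holds N_1; root/Folder holds only N_2."""
    root = Folder('root')
    root.add('N_1', 'root-level N_1')
    sub = root.add('Folder', Folder('Folder', parent=root))
    sub.add('N_2', 'local N_2')
    return root, sub
```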
Hey, thank you very much!!!!
It works with: <dtml-call expr="manage_clone(Folder[variable], 'N_1', REQUEST)">
But I think I don't understand the syntax of DTML/Python! I never know what syntax to use, like ... _.[xxx] or _['xxx'] or ... or whatever.
Perhaps someone could tell me where to start learning. It's really difficult to understand!!!!
Thanks again... Marc
----- Original Message -----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Casey Duncan
Sent: Tuesday, 20 March 2001 17:18
To: Marc Fischer
Cc: zope@zope.org
Subject: Re: [Zope] manage_clone - Pleeeease help !!!
My suggestion is to learn some Python. It will make understanding Zope a lot easier. Python is an excellent language to learn whether you are a beginner or a seasoned programmer. There is a very good online tutorial available here: http://www.python.org/doc/current/tut/tut.html
--
Casey Duncan
Kaivo, Inc.
cduncan@kaivo.com
Hi Marc, I just saw a message from Luciano Ramalho on this list that went into great detail on the "_" variable and how to use it. Check the mailing list archives for the "Re: [Zope] avoiding nested DTMLs" thread and read Luciano's message. Good Luck! Eric.
Mixing DTML and Python syntax is confusing, I know. Here's how you should write it: <dtml-call expr="manage_clone(Folder[variable], 'N_1')"> This might be simpler in a Python Script, FYI. This is the primary reason Python Scripts became a part of the Zope core in version 2.3. Shane
<dtml-call "manage_clone(Folder.N_1, 'N_1', REQUEST)">
...while we're on the topic, it would be so cool if this was exposed somehow in the ZMI. The Copy, Paste, Rename cycle gets really tiring really quickly :-( cheers, Chris PS: It'd also be nice if FTP created DTML methods rather than documents by default ;-) (Oh, and if it created Python Scripts when you upload python ;-)
Participants (7): Casey Duncan, Chris Withers, Eric Walstad, Marc Fischer, Phil Harris, Shane Hathaway, The Famous Brett Watson