[ZODB-Dev] CHAP with ZEO

Toby Dickenson tdickenson@geminidataloggers.com
Tue, 22 May 2001 12:34:57 +0100


On Mon, 21 May 2001 15:18:12 -0700 (PDT), Michel Pelletier
<michel@digicool.com> wrote:

>Based on a thread we had a couple weeks ago, I have been doing some
>experimentation with adding CHAP (Challenge Handshake Auth. Protocol) to
>the ZEO client/server.   CHAP is a simple, widely used authentication
>protocol best known for its use in the PPP world:
>
>http://www.faqs.org/rfcs/rfc1994.html
>
>I have come up with a little prototype that implements CHAP between a
>client and a server.  I believe that this brings a medium-level of
>security to ZEO, allowing (reasonably cautious) people to open up access to
>their ZEO servers over unprotected networks with a little bit more peace
>of mind.

I think CHAP would be a good addition, but not for the reasons you
suggest. If you are using ZEO over an untrusted network then you need
to secure the content too and, as you mention, tools like stunnel
provide this already.

CHAP is useful if your ZEO network is trusted, but not entirely
private. For example, if your ZEO client and server are on the same
host.

It may also be useful even when using stunnel, as an alternative to
client certificates.

>Is this something we should think about rolling into ZEO?

We need to be careful to not oversell it, but I think yes.


Toby Dickenson
tdickenson@geminidataloggers.com
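The exchange the thread is discussing, as an added illustration that is not part of the original messages and not ZEO's or the prototype's code. It follows RFC 1994 section 2.2 (the Response Value is MD5 over the one-octet Identifier, the shared secret and the Challenge Value) and shows both sides of a Challenge/Response/Success round trip, why a captured response cannot be replayed, and, going a step beyond what the messages say, what a passive observer can still do with a captured transcript: test candidate secrets offline, which is why RFC 1994 asks for secrets at least as long as the hash. The peer name, the secret and the 16-byte challenge length are assumptions made for the example.

```python
"""Toy CHAP (RFC 1994) handshake between a client and a server.
Added example, not ZEO code; names, secret and challenge size are assumed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response Value = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Issues challenges and verifies responses for named peers."""

    def __init__(self, secrets: dict):
        self.secrets = dict(secrets)   # peer name -> shared secret (assumed table)
        self.next_identifier = 0
        self.pending = {}              # identifier -> outstanding challenge

    def challenge(self):
        # A fresh, unpredictable challenge for every attempt; the identifier
        # ties the eventual response back to this challenge.
        self.next_identifier = (self.next_identifier + 1) & 0xFF
        chal = os.urandom(16)          # 16 bytes chosen for the example
        self.pending[self.next_identifier] = chal
        return self.next_identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge may be answered once only, so a response captured
        # on the wire is useless for a later replay.
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(server: ChapServer, client: ChapClient):
    """Full exchange: Challenge -> Response -> Success/Failure.
    Returns (authenticated, transcript), where transcript is exactly what a
    passive observer of the link would see."""
    identifier, challenge = server.challenge()
    name, response = client.respond(identifier, challenge)
    ok = server.verify(identifier, name, response)
    return ok, (identifier, name, challenge, response)


def guess_secret_offline(transcript, candidates):
    """What an eavesdropper can do with one captured transcript: test
    candidate secrets against it without ever talking to the server."""
    identifier, _name, challenge, response = transcript
    for guess in candidates:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    secret = b"zeo-example-secret"       # constructed, shared out of band
    server = ChapServer({"zeo-client": secret})
    ok, transcript = run_handshake(server, ChapClient("zeo-client", secret))
    print("genuine client authenticated:", ok)
    identifier, name, _chal, response = transcript
    print("replay of captured response accepted:",
          server.verify(identifier, name, response))
    print("offline guess from transcript:",
          guess_secret_offline(transcript, [b"password", secret]))
```

Note that nothing after the handshake is protected: the server learns who it is talking to, but every later request and reply still crosses the network in the clear, which is the point made above about needing stunnel (or similar) for an untrusted network.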