[ZODB-Dev] RFC: Proposal for AuthZEO (was SecureZEO one day)

Christian Reis kiko@async.com.br
Fri, 17 Jan 2003 20:33:16 -0200


On Fri, Jan 17, 2003 at 04:28:05PM -0500, Jeremy Hylton wrote:
> We have a new configuration mechanism for ZODB and ZEO that is checked
> into CVS.  The authentication mechanism should be integrated with it.

I'll have a look at it.

> In particular, that means its options should be added to the ZEO
> schema.  The easiest way to integrate is to add extra options to the
> StorageServer constructor.  No one really calls that from Python code
> anyway, so it doesn't matter how many arguments it takes.

Okay.

> The addition of authentication probably affects the protocol
> negotiation, although I'm not sure how.

I'm not sure myself, but originally, I was planning on using different
classes in part to simplify this. Now I see that we need
some measure of interoperability, since Auth* when connecting to
non-Auth variants should get a nice exception back and not a hang or
whatever. This means the protocol should provide some detection of
authentication. Apart from that it seems a simple extension to add in an
authentication step based on a simple message exchange. Am I on the
right track?

> I think the authentication belongs in testConnection(), because it has
> to happen before register().

Great, that corroborates our opinion.

> I wonder if the basic protocol should be extended with something like
> HMAC to help prevent the connection hijacking that you mention.
> I'd have to think about this more to know.

Since you had suggested SRP, I am still considering it... should I not?

Well, we can use the same mechanism that SRP implements but with
simplified mathematics (from memory, client issues challenge, server
encodes a second-level challenge, client verifies challenge, uses server
challenge to encode password, sends to server, server does the same and
compares). I *think* this is safe from MITM attacks but I'm not sure. 

> I think the new authentication code should go in a separate module
> (use a lowercase name like in zodb4).  We should design it to be
> pluggable via configuration.

Okay, I'll need to understand the configuration bits. Let's see if I can
get Johan to do this on the weekend :-)

Take care,
--
Christian Reis, Senior Engineer, Async Open Source, Brazil.
http://async.com.br/~kiko/ | [+55 16] 261 2331 | NMFL
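
The challenge-response exchange sketched from memory in the message above, as an added example that is not part of the original message and is not ZEO code: it uses HMAC-SHA256 over two random nonces in place of SRP's mathematics. The names `derive_key`, `proof`, `Client`, `Server` and `handshake`, and any salt or password passed in, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password so the raw password never enters the exchange."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def proof(key: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """MAC over both nonces; the role label stops one side's proof being reflected."""
    return hmac.new(key, role + client_nonce + server_nonce, hashlib.sha256).digest()

class Server:
    def __init__(self, key: bytes):
        self.key = key

    def challenge(self, client_nonce: bytes):
        """Answer the client's challenge and issue the server's own."""
        self.client_nonce = client_nonce
        self.server_nonce = secrets.token_bytes(16)  # fresh per connection
        return self.server_nonce, proof(self.key, b"server", client_nonce, self.server_nonce)

    def verify(self, client_proof: bytes) -> bool:
        expected = proof(self.key, b"client", self.client_nonce, self.server_nonce)
        return hmac.compare_digest(expected, client_proof)

class Client:
    def __init__(self, key: bytes):
        self.key = key

    def hello(self) -> bytes:
        self.nonce = secrets.token_bytes(16)  # fresh per connection
        return self.nonce

    def respond(self, server_nonce: bytes, server_proof: bytes) -> bytes:
        """Check the server first, then prove knowledge of the key."""
        expected = proof(self.key, b"server", self.nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            raise ValueError("server did not prove knowledge of the secret")
        return proof(self.key, b"client", self.nonce, server_nonce)

def handshake(client_key: bytes, server_key: bytes) -> bool:
    """Run the three messages in-process; True only if both sides accept."""
    client, server = Client(client_key), Server(server_key)
    try:
        return server.verify(client.respond(*server.challenge(client.hello())))
    except ValueError:
        return False
```

Unlike SRP, a recorded exchange of this kind lets an eavesdropper test password guesses offline, and the handshake by itself does not authenticate anything sent on the connection afterwards.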