[Freedombox-discuss] Drop exmachina, use sudo instead - at least short term (Was: Kerberos and remctl instead of exmachina?)

Sat Sep 7 16:40:01 UTC 2013

I'm a huge fan of the concept of a secure, universally accessible
domain-as-an-appliance built from FOSS, but I've encountered the following
challenges that I believe we'd need to solve to make such a thing dead
user-friendly:

-We'd need a bullet-proof method of determining the IP address of
Freedombox when attempting remote access. I gather that's the basic purpose
of the Santiago port, but it's not clear to me this is a solved problem.
Third-party services like DynDNS seem contrary to the spirit of the
Freedombox. IPv6-in-IPv4 services like Hurricane Electric usually offer
fixed address blocks, but requiring a user to sign up for such a service
seems to be diverging from the goal of user-friendliness.
-Kerberos relies on fully qualified domain names to canonicalize service
principals (see
http://web.mit.edu/kerberos/krb5-devel/doc/admin/princ_dns.html#service-principal-canonicalization)
and it's better if reverse name resolution works as well. So remote access
requires domain name resolution of some kind. Solving the previous
challenge would help here: if we can find the Freedombox, we could query it
for a source of domain names without requiring a publicly resolvable
fully-qualified domain name.
-The user experience for joining a host to a Kerberos realm is not clean.
At minimum, one most add a host principal to the Kerberos database,
securely transport the host principal keytab to the host, then enable
access for that host in name services (e.g. LDAP). Adding the principal and
enabling access isn't too difficult, but securely transferring the keytab
probably means some sort of sneakernet technique (e.g. a USB flashdrive).
-Remote access must handle connectivity outages (e.g. your cellular network
connection drops or you leave WiFi coverage) gracefully. This means lots of
name caching, and file synchronization if you want remote file access ala
Dropbox. This is probably the stickiest problem because it involves careful
client-side service management. Also, name caching is brittle if not done
correctly.
-Support for Kerberos on mobile OSes is spotty at best. I'm trying to
improve that (see https://github.com/cqcallaw/kerberos-app)

Also of interest is a guide I wrote on the Ubuntu wiki about this concept:
https://help.ubuntu.com/community/SingleSignOn I'm using the concepts
articulated in that guide for local and remote access, and I can report it
is definitely _not_ dead user-friendly, particularly for remote access.

Yet. :)

On Fri, Sep 6, 2013 at 11:53 PM, Petter Reinholdtsen <pere at hungry.com>wrote:

> [Jonas Smedegaard]
> > Let me try rephrase: Why use a mechanism more complex than e.g. sudo to
> > govern crossing boundaries of access rights?
>
> Because I believe it is a good idea to be able to authenticate into
> ones own freedombox without having to send the password over the net
> (even encrypted).  The scenario I have in mind is a linux, windows or
> mac box hooked up to ones own Kerberos/AD domain, which can log into
> freedombox using Kerberos, and which can get a Kerberos ticket also
> when away from home.
>
> > If Kerberos is used only to issue tickets automatically based on
> > user-id, then I see no benefit of that mechanism.
>
> I agree.
>
> > If Kerberos is used also for authenticating human users of
> > FreedomBox, how do you then imagine making that dead user-friendly?
>
> For this to work, I believe the Freedombox had to become a AD domain
> controller, thus allowing any windows machine to "join the domain" of
> the Freedombox and the browser to log into plinth using the Kerberos
> ticket.
>
> But after looking at plinth/exmachina a bit more, I believe the best
> way forward right now is to drop exmachina completely and rewrite
> plinth to use sudo.  Instead of talking to exmachina, it should call
> 'sudo /some/privileged/helper/script' we write to handle the
> operations plinth need, and ask it to do the privileged operations.
> This would allow us to get something working very quickly.  For
> package installation, I suspect aptdaemon is a good way to get
> everything we need (including debconf interactions), using the dbus.
>
> Any objections to dropping exmachina?  I suspect 200 lines of python
> and 3-4 hours should be enough to do the rewrite.
>
> --
> Happy hacking
> Petter Reinholdtsen
>
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130907/d1b9c64e/attachment.html>