I'm not sure it is. If AS7 came with a script that could set up a username/password
with a key, and also record that key locally in the user's home directory, which IDEs,
maven, forge etc. can pick up, that is a 3 step operation (1 step to run the script, 1 to
enter username, 1 to enter a password). We can improve on this by assuming the username is
the username of the logged in user, and the key to use is their .ssh key if it exists.
This then becomes a 1 step operation for Linux users, probably still 2 steps for Windows
users.
Stuff then "just works" from then on, and we can take advantage of all the usual
goodies like Mac Keychain, or whatever the equivalent is on Linux / Windows for storing
passwords and unlocking keys.
To make a locked down AS as usable for newbies as without the lockdown is quite a lot of
extra work I guess for the security system, as I just don't think username/password
cuts it.
And David, yes, we have EAP requirements for usability :-p
On 13 Nov 2011, at 22:15, Jason Greene wrote:
Sent from my iPhone
On Nov 13, 2011, at 1:09 PM, "David M. Lloyd" <david.lloyd(a)redhat.com> wrote:
> On 11/13/2011 12:49 PM, Max Rydahl Andersen wrote:
>> Hi,
>>
>> Been thinking about the new username/password requirements.
>>
>> These will make all examples that use maven deploy plugin, cli scripts,
>> arquillian, jboss tools etc. to somehow
>> either tell users to type in their username and full password in clear text in
>> pom.xml and other files.
>>
>> Which sounds worse to me than a default locked down to only localhost…but I'm
>> not a security expert :)
>>
>> I was wondering how hard it would be to make the authentication support key based
>> auth by default and we make
>> the tools use ${user.name} and ${user.home}/.jboss/default.pub and .priv (or some
>> other name) for the public/private keys ?
>
> You would need a key-based SASL authentication mechanism. There are no
> standard ones as of right now. If you know of a key-based SASL
> mechanism that you think we should support, let me know and we'll
> evaluate it.
We would have to do noauth + SSL + trust. I think it's an option worth considering.
The big problem though is that we have to have a setup process to generate the certs,
which is greater complexity than the user/pass option. We would have to generate a host
key pair and a client key pair.
_______________________________________________
jboss-as7-dev mailing list
jboss-as7-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
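The two proposals in this thread (a per-user setup script that records a key the local tools can pick up, and Jason's "noauth + SSL + trust" model that needs a host key pair and a client key pair) can be sketched as one small setup script. The script below is an added example for this page, not anything AS7 ships; it assumes `openssl` is installed, that the per-user directory is `~/.jboss` (mirroring the `${user.home}/.jboss` idea above), that the file names `host.*` and `client.*` are acceptable, that the host certificate is issued for `localhost`, and that the client identity is the logged-in user's name. `is_trusted` is the check each side would perform: the server verifies the presented client certificate against its trust store, and the client verifies the host certificate against the copy it recorded at setup time.

```shell
#!/bin/sh
# Added example, not AS7's own script: generate a host key pair and a client
# key pair as self-signed certificates and keep them in a per-user directory
# (assumed to be ~/.jboss) so local tools can present the client certificate
# instead of writing a clear-text password into pom.xml and similar files.
set -eu

# setup_local_keys DIR: create DIR (mode 0700), then the two key pairs if missing.
setup_local_keys() {
    dir="$1"
    user="${USER:-$(id -un)}"   # assumption: client identity is the logged-in user
    mkdir -p "$dir"
    chmod 700 "$dir"

    # Host key pair: the server presents host.crt; clients record and trust it.
    if [ ! -f "$dir/host.key" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$dir/host.key" -out "$dir/host.crt" \
            -subj "/CN=localhost" >/dev/null 2>&1
    fi
    # Client key pair: the tools present client.crt; the server trusts it.
    if [ ! -f "$dir/client.key" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$dir/client.key" -out "$dir/client.crt" \
            -subj "/CN=$user" >/dev/null 2>&1
    fi
    # Private keys stay readable by the owner only.
    chmod 600 "$dir/host.key" "$dir/client.key"
}

# is_trusted PRESENTED TRUSTED: succeed only if PRESENTED verifies against
# the certificate(s) in TRUSTED. A certificate that is not in the trust store
# (for example host.crt checked against client.crt) is rejected.
is_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_mode FILE: print the permission bits of a key file (expected "600").
# Tries GNU stat first, then the BSD/macOS form.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Calling `setup_local_keys "$HOME/.jboss"` once gives the 1-step experience discussed above: later runs find the files and do nothing, the tools read `client.key`/`client.crt` from the well-known directory, and the server only needs a copy of `client.crt` in its trust store. The cost is exactly what Jason points out: two key pairs have to be generated and the trust relationship established before anything works, which is more moving parts than a username/password.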