Hi Dimitris,

I'll have a mess around with that webpage and see if I can break anything ;) Also, you might want to run a Nessus scan against it, as that has a good chance of picking up misconfigurations.

On 29/08/2007, Dimitris Glezos <dimitris@xxxxxxxxxx> wrote:
>
> Hi all.
>
> It's time to add some non-localhost repos to our transifex instance, so
> some advice on the security front would be greatly appreciated.
>
> We're doing everything over SSH, with encrypted keys. Before starting
> the TG app, the admin needs to run ssh-agent and ssh-add. The goal would
> be to have a different service actually handling the keys and the
> commits, but that would have to wait for someone to submit the patchset.
>
> With each repository (host) having its own key pair, `~/.ssh/config`
> right now looks like this:
>
>     Host localhost
>         User transifex-testuser
>         IdentityFile ~/.ssh/id_dsa
>
>     #Host cvs.fedoraproject.org
>     #    User transifex
>     #    IdentityFile ~/.ssh/id_dsa-cvsfpo
>
>     Host repo.or.cz
>         User yumex-trans
>         IdentityFile ~/.ssh/id_dsa-yumex
>
>     Host *
>         ForwardX11 no
>         ForwardAgent no
>         RhostsAuthentication no
>         RhostsRSAAuthentication no
>         PasswordAuthentication no
>         StrictHostKeyChecking yes
>         BatchMode yes
>         CheckHostIP yes
>
> On the web front, I tried my best to validate properly any input/output
> from/to the user. Since transifex accepts user input, writes files on
> our server, runs OS commands on the server, uses SSH keys to communicate
> with other machines and writes to disks across the Internet, we better
> make sure everything is OK before launching.
>
> It would be great if some of you python hackers take a look at the code,
> or anyone with the hobby of defacing websites run any injection/XSS-foo
> on our instance, in order to identify any additional checks or
> reveal any mistakes I made (which I'm sure I did since it's my first big
> python and TG app).
>
> Our test instance dwells at
>
> http://publictest5.fedora.redhat.com/submit/
>
> Short instructions to get the code and install a local instance to play
> around freely and with less lag can be found at:
>
> https://hosted.fedoraproject.org/projects/transifex/browser/INSTALL
>
> Bugs, reports, suggestions:
>
> https://hosted.fedoraproject.org/projects/transifex/newticket
>
>
> Thanks.
>
> -d
>
>
> --
> Dimitris Glezos
> Jabber ID: glezos@xxxxxxxxxx, GPG: 0xA5A04C3B
> http://dimitris.glezos.com/
>
> "He who gives up functionality for ease of use
> loses both and deserves neither." (Anonymous)
> --
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

--
Regards,
Damian
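The quoted `~/.ssh/config` makes two security decisions: a catch-all `Host *` block that disables agent/X11 forwarding and password auth, pins host keys and forces batch mode, and one `IdentityFile` per repository host so that one leaked key does not open every remote. The script below is an added example (not part of the thread or of Transifex) that parses a client config in OpenSSH's `Key value` / `Key=value` form and reports deviations from those two rules. Both config strings inside it are constructed samples modelled on the quoted layout; the option list in `REQUIRED_GLOBAL` is this example's own choice of what a non-interactive deploy key should carry.

```python
"""Audit an OpenSSH client config for batch-mode hardening and per-host keys.

Added example; not Transifex code. Works on the text of ~/.ssh/config.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the config quoted in the thread.
SAMPLE_CONFIG = """\
Host localhost
    User transifex-testuser
    IdentityFile ~/.ssh/id_dsa

#Host cvs.fedoraproject.org
#    User transifex
#    IdentityFile ~/.ssh/id_dsa-cvsfpo

Host repo.or.cz
    User yumex-trans
    IdentityFile ~/.ssh/id_dsa-yumex

Host *
    ForwardX11 no
    ForwardAgent no
    PasswordAuthentication no
    StrictHostKeyChecking yes
    BatchMode yes
    CheckHostIP yes
"""

# Constructed weak variant: agent forwarding on, host keys not pinned,
# and the same private key reused for two repository hosts.
WEAK_CONFIG = """\
Host localhost
    User transifex-testuser
    IdentityFile ~/.ssh/id_dsa

Host repo.or.cz
    User yumex-trans
    IdentityFile ~/.ssh/id_dsa

Host *
    ForwardAgent yes
    StrictHostKeyChecking ask
"""

# Values this example expects in the catch-all block of a deploy config.
REQUIRED_GLOBAL = OrderedDict([
    ("forwardagent", "no"),
    ("forwardx11", "no"),
    ("passwordauthentication", "no"),
    ("stricthostkeychecking", "yes"),
    ("batchmode", "yes"),
    ("checkhostip", "yes"),
])

_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_ssh_config(text):
    """Return {host_pattern: {option_lowercase: value}} in file order.

    Blank lines and '#' comments are skipped. Options that appear before
    the first Host line are stored under the pseudo-host "". Keywords are
    compared case-insensitively, as OpenSSH does.
    """
    blocks = OrderedDict()
    current = blocks.setdefault("", {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = blocks.setdefault(value, {})
        else:
            current[key] = value
    return blocks


def audit(text):
    """Return a list of human-readable findings; empty means hardened."""
    findings = []
    blocks = parse_ssh_config(text)
    global_block = blocks.get("*", {})
    for key, wanted in REQUIRED_GLOBAL.items():
        actual = global_block.get(key)
        if actual is None:
            findings.append("Host *: %s not set (want %s)" % (key, wanted))
        elif actual.lower() != wanted:
            findings.append("Host *: %s is %s (want %s)" % (key, actual, wanted))
    # One key per remote: a reused IdentityFile couples the hosts' trust.
    seen = {}
    for host, opts in blocks.items():
        if host in ("", "*"):
            continue
        ident = opts.get("identityfile")
        if ident is None:
            findings.append("Host %s: no IdentityFile" % host)
        elif ident in seen:
            findings.append("Host %s: IdentityFile %s reused from Host %s"
                            % (host, ident, seen[ident]))
        else:
            seen[ident] = host
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "OK")
```

OpenSSH takes the first value it obtains for each option, so the `Host *` fallback belongs at the end of the file, as in the quoted config; a per-host block placed after it could not override those settings, but a per-host block before it can, which is why the audit only trusts the catch-all block and reports key reuse separately.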