Opened 13 years ago

Closed 13 years ago

#1838 closed Enhancement (wontfix)

LDAP Authorization, KerberosV Authentication

Reported by: turbo
Owned by: turbo
Priority: Low
Milestone: None Set
Component: libtransmission
Version: 1.50
Severity: Normal
Keywords: authentication ldap kerberos
Cc: charles

Description

I was planning to write an LDAP/KerberosV authentication/authorization system for T.

The idea was twofold:

  1. Using LDAP as authorization. I'm running T on my home server, and I'd like my family to be able to do some work - adding torrents and viewing info, but not removing or moving them. If I give away the current account information, they can do everything - remove, move etc. A reasonably easy LDAP schema {c,sh}ould be constructed to add to each user object, indicating to T what/if the user has access (to).

Off the top of my head (without putting too much energy in thinking about what would be needed), the different authorization levels would be:

     * add
     * view (i.e. torrent info)
     * list
     * suspend (i.e. pause torrent)
     * move
     * remove
     * remove+data
     * (setting) limits
     * manipulate (torrent)
     * system (session setup)
  2. Using Kerberos V as authentication. This is of course the most interesting part - Kerberos V is designed to work in insecure networks (IMO _ALL_ networks are insecure :).

Authentication works in multiple steps, all being encrypted and as secure as possible - no clear text password on disk nor 'in transit'. Using Kerberos is also a way of making sure that whoever talks to T really is who he/she is (again, multi-step verification).

Combining points 1 and 2 would give the added benefit of no longer being a 'one man (woman) app'.

With a little thought in designing the schema, it might also be possible to limit access to certain torrents (say I download something I don't want my kids/spouse to know about... :)
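The authorization levels listed in the description, sketched as a deny-by-default check in front of RPC dispatch. This is an added example, not code from the ticket or from Transmission. It assumes that the permission bitmask has already been loaded from the user's directory entry, that each RPC method maps to one level as shown in the table, and that "remove+data" requires both the remove and remove+data bits; `rpc_allowed` and the `P_*` names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Permission bits named after a subset of the ticket's levels. */
enum {
    P_ADD = 1 << 0, P_VIEW = 1 << 1, P_SUSPEND = 1 << 2, P_MOVE = 1 << 3,
    P_REMOVE = 1 << 4, P_REMOVE_DATA = 1 << 5, P_LIMITS = 1 << 6, P_SYSTEM = 1 << 7
};

/* Assumed mapping from RPC method name to the level it requires. */
static const struct { const char *method; unsigned need; } rules[] = {
    { "torrent-add",          P_ADD     },
    { "torrent-get",          P_VIEW    },
    { "torrent-stop",         P_SUSPEND },
    { "torrent-set-location", P_MOVE    },
    { "torrent-remove",       P_REMOVE  },
    { "torrent-set",          P_LIMITS  },
    { "session-set",          P_SYSTEM  },
};

/* granted:     bitmask read from the user's directory entry (assumed).
 * delete_data: the request also asks to delete the downloaded files.
 * Methods missing from the table are denied, so a newly added RPC call
 * stays closed until someone assigns it a level. */
bool rpc_allowed(unsigned granted, const char *method, bool delete_data)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strcmp(method, rules[i].method) != 0)
            continue;
        unsigned need = rules[i].need;
        if (need == P_REMOVE && delete_data)
            need |= P_REMOVE_DATA;      /* remove+data needs both bits */
        return (granted & need) == need;
    }
    return false;
}

int main(void)
{
    unsigned family = P_ADD | P_VIEW;   /* constructed sample grant */
    printf("add:    %d\n", rpc_allowed(family, "torrent-add", false));
    printf("remove: %d\n", rpc_allowed(family, "torrent-remove", false));
    return 0;
}
```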

Change History (1)

comment:1 Changed 13 years ago by livings124

  • Resolution set to wontfix
  • Status changed from new to closed

This is way outside the scope of the project. I appreciate the effort, but it's not needed.
