SKF setup on Debian

Solved!
Posted in General by Julien, Sun Oct 11 2015 11:43:15 GMT+0000 (UTC)

Hi. On Debian, I faced multiple issues with the installation:

a) To install the WSGI version, it is required to do the default installation and then follow the guide. This does not seem 100% clear to me in the documentation.

b) Then, I now get two issues:

- The password does not change and sticks to test-skf even if I specify one in PASSWORD='mypass' in skf.py.
- Sessions do not work, but only for the WSGI, as other pure PHP solutions work. Any reason for that?

I even added the following code at the end of skf.py, but without success:

    # session = web.session.Session(app, web.session.DiskStore(os.path.join(curdir,'sessions')),)
    sess = web.session.Session(app, web.session.DiskStore('sessions'), initializer=INIT)
    web.config.session_parameters['cookie_path'] = '/'

I face the exact same issues (both cookies and password) while running directly with python, even if the password is clearly different.

Foobar
Oct 11, 2015

Hi Julien,

I think I know what went wrong here: we already implemented a part of the login functionality to support multiple users and make the project ready for running it as a service for enterprise companies. The problem is that the password is now located in the DB of SKF and needs to be changed there.

The session issue can be that the webserver is not configured using SSL/TLS? Because we do set the Secure flag on the session cookie, and if you are not using HTTPS then it will not work.

I would like to ask you if you can test it again and provide some feedback if it won't work, so we can help out.

Btw, I also thought it was a big juggle to install webserver + WSGI + TLS settings + SKF configuration, so I am currently busy building a Chef cookbook that does the whole thing automatically. Maybe you can use this, or use it as guidance, for setting up the server correctly.

https://github.com/blabla1337/owasp-skf-chef

Julien
Oct 11, 2015

Hi Foobar.

Okay, so for the login, how can I change the password? There is no user profile edit capability, is there? Do we need to update skf.db with an external tool?

For the session management, I just replaced the config with
SESSION_COOKIE_SECURE=False,

Still does not work. I could create a manual crt file, but the project should be able to run without SSL too if used internally, IMHO.

Julien
Oct 11, 2015

Ok, sorry for the session stuff.

By putting COOKIE_SECURE to false, it works. I did not pay attention, and the reloaded page asked again for login as the URL is /login ...

Anyway, with the custom cert file I just created, it works too.

So my remaining question is about the user management interface: adding, updating user. How do we do that?

Julien
Oct 11, 2015

Just as a note: I think that for documentation purposes, it should be stated that

a) to run the app with python, you need a crt file or set COOKIE_SECURE to false
b) to run the app with WSGI, you need a crt file and configure Apache over SSL, or set COOKIE_SECURE to false

Foobar
Oct 11, 2015

Hi Julien,

I think it is best to use the dev branch for now when you want to use the WSGI implementation.
You can find this dev branch here:
https://github.com/blabla1337/skf-flask/tree/dev-skf

Use this URL instead of the master one. This gives you more functionality and the ability to register new users and set passwords.

Well, I have to disagree with SSL/TLS not being needed when running it internally ^^
But you are free to modify the code and adjust it how you want.

Will also have a look at the improvement of the documentation as you mentioned.

Thanks.

Greetz,
Glenn

Julien
Oct 11, 2015

I agree with your disagreement. But as the documentation says that with WSGI we either get over :8080 or we can set up SSL, I took the "OR" as a capability to do HTTP and not HTTPS.

But if you remove that, or either say "you could do over 8080 if you review secure cookie but we advise not to do so", then that is fine by me.

I will check the dev branch as soon as I can, but now I at least have SKF running over 8443 :)

Foobar
Nov 4, 2015

True, we will update it ASAP. We also have to update the documentation soon because of the major new release of the SKF project, so thanks.


Foobar marked this as solved
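
The session behaviour discussed in this thread, as an added example that is not part of the thread or of SKF's code: Python's standard-library cookie jar stands in for the browser and shows that a session cookie carrying the Secure flag is never sent back over plain HTTP, so every request looks unauthenticated and ends up at /login again. The hostname, cookie name and cookie value are constructed for the illustration.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "skf.example.test"  # constructed hostname, not taken from the thread


class FakeResponse:
    """Minimal response object: CookieJar only needs info() to read headers."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_returned(secure_flag, login_scheme, next_scheme):
    """Receive a session cookie on a /login response fetched over login_scheme,
    then report whether the client sends it on the next request over next_scheme."""
    jar = http.cookiejar.CookieJar()
    set_cookie = "session=constructed-session-id; Path=/; HttpOnly"
    if secure_flag:
        set_cookie += "; Secure"  # what SESSION_COOKIE_SECURE=True produces

    login = urllib.request.Request(f"{login_scheme}://{HOST}/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    follow_up = urllib.request.Request(f"{next_scheme}://{HOST}/")
    jar.add_cookie_header(follow_up)  # applies the Secure / path / domain rules
    return follow_up.has_header("Cookie")


if __name__ == "__main__":
    cases = [
        (True, "http", "http"),    # Secure flag, no TLS: session is lost
        (True, "https", "https"),  # Secure flag behind TLS: session works
        (False, "http", "http"),   # flag disabled: works, cookie travels in clear text
        (True, "https", "http"),   # Secure cookie never leaks onto an HTTP request
    ]
    for secure, first, second in cases:
        sent = cookie_returned(secure, first, second)
        print(f"Secure={secure!s:<5} login={first:<5} next={second:<5} cookie sent={sent}")
```
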