Automatic double-puppeting for bridge users #298
Comments
I'd like to help with this issue but I'm not sure how to make a PR.
What is the synapse python path? |
I would be uncomfortable enabling this by default, though, as everything that touches authentication is an extra security risk, and this is useless for people who don't use bridges.
You can see the python path with
Alternatively, and better yet, activate the virtual environment from the dedicated user's home directory:
sudo -u matrix-synapse bash # be careful about multi-instance, also not completely sure it works when executing as that user
source ~/bin/activate
pip3 install git+https://github.com/devture/matrix-synapse-shared-secret-auth
Installing the module is not an issue security-wise (unless someone takes over that repository), so it could be there by default; the more risky operation is enabling it in synapse's config. |
What if the synapse package installs the module and adds strictly this to synapse's config:
The synapse package doesn't generate a secret value and doesn't enable the module. We let Yunohost bridge packages do the last part:
|
In that case, you may as well let synapse generate the shared secret. It might be valuable to provide the python SharedSecretAuthProvider separately in the synapse package, with a checksum, to avoid supply chain attacks, if the module gets loaded by default. Loaded but disabled by default sounds acceptable. I am not sure if bridges should change that from true to false themselves, or if that configuration should be done from the synapse package. |
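The checksum idea from the comment above, sketched as an added example that is not part of the thread or of any YunoHost package: a vendored copy of the module is installed only when its SHA-256 matches a pinned value. The function names, directory layout and sample file content are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not YunoHost or Synapse packaging code. Paths, function
# names and the sample module content are constructed for the demonstration.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_pinned_module SRC EXPECTED_SHA256 DEST_DIR
# Copies SRC into DEST_DIR only if its digest equals the pinned value.
install_pinned_module() {
    ipm_src=$1; ipm_expected=$2; ipm_dest=$3
    [ -f "$ipm_src" ] || { echo "missing source: $ipm_src" >&2; return 1; }
    # A pinned digest must be exactly 64 lowercase hex characters.
    case $ipm_expected in
        *[!0-9a-f]*) echo "malformed pinned digest" >&2; return 1 ;;
    esac
    [ "${#ipm_expected}" -eq 64 ] || { echo "malformed pinned digest" >&2; return 1; }
    ipm_actual=$(sha256_of "$ipm_src") || return 1
    if [ "$ipm_actual" != "$ipm_expected" ]; then
        echo "checksum mismatch for $ipm_src: got $ipm_actual" >&2
        return 1
    fi
    install -m 0644 "$ipm_src" "$ipm_dest/"
}

# Demo on a constructed file: the reviewed copy installs, a modified one is refused.
demo() {
    d=$(mktemp -d) || return 1
    f=$d/vendor/shared_secret_authenticator.py
    mkdir "$d/vendor" "$d/site-packages"
    printf 'class SharedSecretAuthProvider:\n    pass\n' > "$f"
    # In a real package this value is recorded once, from a reviewed release.
    pinned=$(sha256_of "$f")
    install_pinned_module "$f" "$pinned" "$d/site-packages" || { rm -rf "$d"; return 1; }
    # Simulate the upstream file changing after the pin was recorded.
    printf '# unexpected change\n' >> "$f"
    if install_pinned_module "$f" "$pinned" "$d/site-packages" 2>/dev/null; then
        rm -rf "$d"; return 1
    fi
    # The installed copy must still be the reviewed one.
    if [ "$(sha256_of "$d/site-packages/shared_secret_authenticator.py")" = "$pinned" ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

demo && echo "pinned install OK, modified file refused"
```

The same check can sit in the package's install and upgrade scripts, so a changed upstream file stops the install instead of being loaded into Synapse.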
You meant from false to true as false would be by default if no bridge is installed, right? How could the synapse package know it should change from false to true after an admin has installed a bridge package? |
Ideally it would be good if we add this also in the config panel #356 so the user can enable it if needed. |
I just hope you're not serious about generating a secret this way? At a minimum you need to use
The helper that generates the configuration files replaces this kind of variable on its own from the configuration: https://yunohost.org/en/packaging_apps_helpers#ynh-add-config Pardon my words, but in classic yunohost tradition, it's done in a not very clean way via global variables, used implicitly. At least there is an error if the variables are not defined. |
What about enabling double-puppeting automatically for bridge users?
https://docs.mau.fi/bridges/general/double-puppeting.html#automatically
We would need to install this alongside the synapse package: https://github.com/devture/matrix-synapse-shared-secret-auth
And enable the module