<cybermoloch>
Hello. I am trying Sandstorm on Oasis. More specifically with rocket.chat now. Is it possible to use the mobile and/or desktop clients with rocket.chat in Oasis? If not with Oasis, with normal Sandstorm self-hosted?
<dwrensha>
cybermoloch: jparyani has made a lot of progress on getting the rocket.chat android app working
<dwrensha>
once it's done, it should work with both Oasis and self-hosted
<cybermoloch>
Ah, okay. So not ready yet?
<cybermoloch>
How much modification do you generally have to do to get apps working 100% in Sandstorm? Sounds like a lot.
<dwrensha>
depends on the app
<dwrensha>
ideally very little modification is required
<dwrensha>
e.g., for IPython, it turns out we basically just need to do a `pip install`
<cybermoloch>
Sorry for all the questions -- how different is Oasis over self-hosted in terms of app functionality and authentication? For example, the authentication with Oasis is a little odd to me. (Using an email address.)
<dwrensha>
Oasis also allows authentication through Google OAuth or Github Oauth
<dwrensha>
those three authentication methods are also available on Self-Hosted Sandstorm
<dwrensha>
in addition to LDAP and SAML, if you get Sandstorm For Work
<dwrensha>
zarvox would probably be curious to hear about what you find odd about the email authentication
<cybermoloch>
Well, it isn't clear how long the login token/session will last. If I request a new one, does it automatically expire the old one? Does it automatically expire the password once used? Since email isn't exactly secure, it seems odd to have the only valid password sent that way.
lukexj has joined #sandstorm
<cybermoloch>
It just seems very counter-intuitive to almost everything else. I like that OAuth is there and that works better for sure but I don't have a google account that I can use with Oasis.
<lukexj>
is there 2FA with sandstorm logins?
jacksingleton has quit [Ping timeout: 252 seconds]
<zarvox>
cybermoloch: Yeah, improving email login is one of my current interests. To answer your question: the token is valid until any of the following are true: 1) 15 minutes have passed, 2) you use the token/link, or 3) you request a new token/link
<zarvox>
And sending a login token via email is equivalent in security properties to having a password-reset via email, which is basically a necessity for password accounts.
<cybermoloch>
That makes sense since it does expire once used. It is just odd to essentially have a 'password reset' every time I want to login though. Not a deal breaker, just giving my observations.
<zarvox>
I agree it's a little odd at first blush, but it's one less attack vector (leaked/stolen/cracked passwords) than email+password+password reset would be.
<zarvox>
We can do a better job explaining that the token is one-time use and expires after 15 minutes, though.
<cybermoloch>
Adding TOTP (RFC 6238), as per lukexj's question, along with a shorter session time would also alleviate some worries. (I am assuming sessions have a long expiry time.)
<lukexj>
the login email was still sent from my sandcats
<asheesh>
Yeah; the email config area is separate; you can find it in your admin area.
<lukexj>
how do i use a lets encrypt SSL for sandstorm?
<asheesh>
You can't. They don't support wildcard certificates, and Sandstorm needs a wildcard.
<lukexj>
oh
<asheesh>
I wish I had a warmer-and-fuzzier answer for you, but that's what is true for now!
rustyrazorblade has quit [Quit: rustyrazorblade]
<lukexj>
ok
<lukexj>
i guess no SSL for now
<lukexj>
i love linux, i have like 30 tabs open in firefox and my system isn't locking up xD
<lukexj>
unlike windows would
<asheesh>
: D
<isd>
asheesh: are there any active proposals for other ways to improve the wildcard cert situation? I threw something up, but folks (rightly) pointed out some problems with it.
<isd>
It's a sticking point for a lot of folks though, and let's encrypt isn't going to start issuing wildcards anytime soon
<asheesh>
I know of no other active proposals, yeah. )-:
<isd>
:(
<lukexj>
i've been a linux *only* user for about a year
<isd>
I would also just like to state, looking at sandstorm's array of workarounds for web security issues has made me very sad about the web in general. Good job though?
<asheesh>
I could give them a call. I haven't been able to do that and there are some limits to what I can do while the GlobalSign deal for sandcats is still active.
<lukexj>
windows would take up most of my resources but after putting linux on my laptop it has never been faster than it is now
<asheesh>
isd: Thanks I guess? : P : D
<asheesh>
I should AFK a little bit!
<lukexj>
how does sandcats have the wildcard cert set up?
<isd>
Is there a centralized list of all of these workarounds somewhere? Might help thinking about solutions if we had that.