parsav  Diff

Differences From Artifact [d83ecc5b3e]:

• File parsav.md — part of check-in [03ea3dffe7] at 2021-01-14 01:11:51 on branch trunk — more work on UI and circles (user: lexi, size: 19042) [annotate] [blame] [check-ins using]

To Artifact [a0226b9daa]:

• File parsav.md — part of check-in [2fef9385da] at 2022-11-04 02:44:52 on branch trunk — updates (user: lexi, size: 19580) [annotate] [blame] [check-ins using]

    90     90   ## invoking
    91     91   the build process generates two binaries, `parsav` and `parsavd`. `parsav` is a driver tool that can be used to set up and start a `parsav` instance, as well as administer it from the command line. it accesses databases directly and uses the same backend configuration file as parsav, but can also send IPC messages directly to running `parsavd` instances.
    92     92   
    93     93   as a convenience, the `parsav start` command can be used to start and daemonize a `parsav` instance. additionally, the `-l` option to `parsav start` can be used to redirect `parsavd`'s logging output to a file; without `-l`, logging output will be discarded and can be viewed only by connecting to the running instance with `parsav attach`. `parsav start` passes its arguments on to `parsavd`; you can use this to pass options by separating `parsav`'s arguments from `parsavd`'s with `--`. if you launch an instance with `parsav start -- -i chungus`, you can then stop that instance with `parsav -i chungus stop`. `parsav stop` can be used on its own if only one `parsavd` instance is running; otherwise, `parsav -a stop` will cleanly terminate all running instances.
    94     94   
    95     95   you generally should not invoke `parsavd` directly except for debugging purposes, or in the context of an init daemon (particularly systemd). if you launch `parsavd` directly it will not fork to the background. 
    96     96   
           97  +## [TODO] server friending
           98  +parsav servers can "friend" other parsav servers. friendly servers cache at least some of each others' content. in contrast to the promiscuous caching of activitypub servers, parsav only caches content from servers that administrators explicitly mark for caching. friendly servers share each others' list of friends so that they can rely on each others' caches if the
           99  +
    97    100   ## authentication 
    98    101   below is a full list of authentication types we intend/hope to one day support. contributors should consider this a to-do list. a checked box indicates the scheme has been implemented.
    99    102   
   100    103   * ☑ pw-sha{512,384,256,224}: an ordinary password, hashed with the appropriate algorithm
          104  +* ☐ pw-sha3: hashed using the configurable keccak sponge function
   101    105   * ☐ pw-{sha1,md5,clear} (insecure, must be manually enabled at compile time with the config variable `parsav_let_me_be_a_dumbass="i know what i'm doing"`)
   102    106   * ☐ pw-pbkdf2-hmac-sha{…}: a password hashed with the Password-Based Key Derivation Function 2 instead of plain SHA2
   103    107   * ☐ pw-extern-ldap: try to authenticate by binding against an LDAP server
   104    108   * ☐ pw-extern-cyrus: try to authenticate against saslauthd
   105    109   * ☐ pw-extern-dovecot: try to authenticate against a dovecot SASL socket
   106         -* ☐ pw-extern-krb5: abuse MIT kerberos as a password verifier
          110  +* ☐ pw-extern-krb5: abuse MIT kerberos as a password verifier (very useful for SSO/single password store regimes; LDAP can do this too)
   107    111   * ☐ pw-extern-imap: abuse an email server as a password verifier
   108    112   * (extra credit) ☐ pw-extern-radius: verify a user against a radius server
   109    113   * ☐ http-oauth: automatically created when a user grants access to an oauth application, consisting of a series of TLVs. these generally should not be created or fiddled with manually
   110    114   * ☐ http-gssapi: log in with a kerberos principle through the http-authenticate "negotiate" mechanism. do any browsers actually support this??
   111    115   * ☐ http-extern-header: a value of `H=V` where `H` is a header passed by an app server such as nginx, and `V` is the required value. could be used to e.g. tie parsav into an existing client certificate verification infrastructure with minimal effort.
   112    116   * ☐ http-extern-header: a value of `H=V` where `H` is a header passed by an app server such as nginx, and `V` is the required value. could be used to tie parsav into an existing client certificate verification infrastructure with minimal effort.
   113    117   * ☐ api-digest-sha{…}: a value that can be hashed with the current epoch to derive a temporary access key without logging in. these are used for API calls, sent in the header `X-API-Key`.