KanoPool since 2014 🐈 - PPLNS and Solo 0.5% fee - Worldwide - 2435 blocks

[kano]

was the pool restarted

... not yet ...

ckpool restart done now so miners should be unaffected by anything else I do (and shouldn't have failed over)

ckdb next as I work on it over the next hour.

Edit: oh well. Had to do a 2nd ckpool restart. OK this time should be all done there.
Only ckdb after this.

[1714771498]

1714771498

[1714771498]

1714771498

[Ecnad]

Good rhythm to the pool right now. Keep up the good work all

[kano]

All changes are live for ckdb now also.

Again as I mentioned above:
https://bitcointalk.org/index.php?topic=789369.msg12090186#msg12090186
If you want to try using the new 2FA, PM me your username and I'll allow it on your account.
The advantage of this is of course testing it for the pool but also if you have problems, I don't mind resetting your 2FA during the test phase - which, for security reasons, I wouldn't normally do once it's live for everyone.

[Jake36]

After trying the 2FA out and thought I had it messed up trying to change the payout address and getting invalid code message (was using the password and the 2FA code).

So disabled 2FA, then re-enabled it and tried again to change payout, but this time I just used the code without the password and got the payout address changed message and email about the change (but still showing the old address on the pool).

Set up on android tablet was just downloading FreeOTP Authenticator, then just hit the qrcode symbol on the top off the app and scanning the qrcode (it adds all the info, then just hit the kano icon and get the 6 digit code (as easy as can be).

BEFORE TESTING WRITE YOUR SECRET KEY DOWN FIRST, after you test the key is not displayed any-more (and haven't checked the app out enough to see if there is a way to get out of it or not).

Will check it out some more tomorrow, but so far it works, off to bed for now.

[kano]

I added a comment on the 2fa page also regarding one other thing:

Code:

IMPORTANT: the TOTP algorithm uses the time on your device,
so it is important that your device's clock is accurate within a few seconds.

How it works is it uses the integer value of (current time / 30)
So a number is valid for 30 seconds (but I've only allowed single use per value as the RFC suggests)

However the 30 second time is from HH:MM:00 to HH:MM:30 or HH:MM:30 to HH:MM+1:00
- not 30 seconds from when you click on the App
Of course it depends on the clock on the pool server, but that is accurate within 1 second thanks to ntpd.

In both the Android app and the Apple app it has a 'dial' that shows the 30 second range running out.
If you are close to the end of the range, the time you have to type it in and click on the submit button is of course less.
You can wait for the 30 seconds to time out and type the new code it will come up with.
CKDB checks your answer against the pool time (when you submit the information), not the time the web page was generated.

And anyone wondering about it - there's an RFC describing TOTP:
 https://tools.ietf.org/html/rfc6238
which is based on the RFC for HOTP:
 https://tools.ietf.org/html/rfc4226

[kano]

CKDB restarted - bug in my new code - fixed now.
Of course ckdb restarting doesn't affect your active mining at all.
Web (and ckdb) is all back up and running again.

[innerchaos]

I use the google 2fa for lots of websites I am a big fan although maybe I should not be ?

I don't understand how compatibility with a sha256 algorithm is relevant to 2fa

[kano]

I use the google 2fa for lots of websites I am a big fan although maybe I should not be ?

I don't understand how compatibility with a sha256 algorithm is relevant to 2fa

OTP uses a hash function to generate the code.

"google 2fa" isn't "google", it's simply just the 2 IETF RFCs
 https://tools.ietf.org/html/rfc6238
 https://tools.ietf.org/html/rfc4226

I use sha2-256 since it's reasonably secure ... that's what we use in bitcoin mining

It would appear that the "Google Authenticator" app doesn't understand the code that says to use sha2-256 so it only uses sha1 - which of course wont give the correct 6 digit hash number.
The RFC specs say it should allow it but it doesn't work.

The 2 Apps I've listed work fine when told to use SHA2-256
You can run both apps on one phone/tablet if you need to.
However, you will find that the App I'm suggesting you use should work with gmail login also.

[kano]

Payout 368982 sent
9bd21cbb5770bc9bcb0e80a18512c83ce134716def64791496ddbbf3985bcc12
and confirmed

[os2sam]

Kano,
Have you looked into Steve Gibson's SQRL authentication?

https://www.grc.com/sqrl/sqrl.htm

[kano]

Kano,
Have you looked into Steve Gibson's SQRL authentication?

https://www.grc.com/sqrl/sqrl.htm

It's 1FA, not 2FA, so doesn't really fit in with the change I've added.

Sure it can replace normal 1FA login (user+password), but it still has the security risk of any other 1FA of having only one place that needs to be compromised.

Payout 369010 sent
3ea3989d34fea95ede3d6dfeba1912eff8639711a898b81b0c443d0efab01771
and confirmed

[kano]

Heh another bug to add to the list for the new code ...

We just got a block, but I'm working on ckdb to fix it so it shows up:
https://blockchain.info/block/00000000000000000eb1bbe04a9d8751989f18e22dba3a329dea40f112f7d145

Of course it's there and succeeded, just gotta fix it in ckdb now ...

[PPOC]

I use the google 2fa for lots of websites I am a big fan although maybe I should not be ?

I don't understand how compatibility with a sha256 algorithm is relevant to 2fa

OTP uses a hash function to generate the code.

"google 2fa" isn't "google", it's simply just the 2 IETF RFCs
 https://tools.ietf.org/html/rfc6238
 https://tools.ietf.org/html/rfc4226

I use sha2-256 since it's reasonably secure ... that's what we use in bitcoin mining

It would appear that the "Google Authenticator" app doesn't understand the code that says to use sha2-256 so it only uses sha1 - which of course wont give the correct 6 digit hash number.
The RFC specs say it should allow it but it doesn't work.

The 2 Apps I've listed work fine when told to use SHA2-256
You can run both apps on one phone/tablet if you need to.
However, you will find that the App I'm suggesting you use should work with gmail login also.

Kano, Since the update to the page with 2Fa, the login and register have been combined, but my browser will no longer profile the login user & pass. I now have to type in the credentials each time where before the update I was able to have browser profile the upper right green login box that existed. Also, not profiling on my mobile phone, both of these were very useful as I check on miner status many times a day. Anything that can be done about that? Maybe extend the mission cookie to 24 hrs? don't mind logging in once a day but the current timeout must be around 15 or 30 min.

Also, I am guessing that 2Fa will be optional and for things like changing payout address and not each time you login? again, just guessing.

[kano]

ckdb fixed - restarted and block now showing up properly.

Of course as per usual with a ckdb restart, no mining was affected at all.

As for the login page, can you clear all the remembered form data for the web site and see if that helps?
I do have it showing up on one of my browsers (I have 2fa on all the time now)

As for 2fa itself, if you don't enable 2fa, login is still just username+password as before.
You don't have to enable 2fa if you don't want to.
If you enable 2fa (later when it's ready - or if you want to try it now) then the 2fa value will also be required everywhere you enter your password.

[PPOC]

ckdb fixed - restarted and block now showing up properly.

Of course as per usual with a ckdb restart, no mining was affected at all.

As for the login page, can you clear all the remembered form data for the web site and see if that helps?
I do have it showing up on one of my browsers (I have 2fa on all the time now)

As for 2fa itself, if you don't enable 2fa, login is still just username+password as before.
You don't have to enable 2fa if you don't want to.
If you enable 2fa (later when it's ready - or if you want to try it now) then the 2fa value will also be required everywhere you enter your password.

Looks like Chrome saved password works, but does not work in Safari. It did work prior to the 2Fa changes. Possible that the 3 entry box on the new page is messing it up. Would it be possible to have a register, login and login 2FA link? If the standard login is back on its own, that may work as it did before.

Another option is to put the login back where it was on the upper right of page, then just provide a 2FA login link that takes you to the new login page.

Thanks,

[kano]

...
Looks like Chrome saved password works, but does not work in Safari. It did work prior to the 2Fa changes. Possible that the 3 entry box on the new page is messing it up. Would it be possible to have a register, login and login 2FA link? If the standard login is back on its own, that may work as it did before.

Another option is to put the login back where it was on the upper right of page, then just provide a 2FA login link that takes you to the new login page.

Thanks,

Try again now - made a minor change of not having a blank the username/password fields
(... meh safari ... )

The problem with the old login was that people would use it even on http
The Login/Register link goes to https.
So yeah I don't want to put the login back on the main page.

[PPOC]

ckdb fixed - restarted and block now showing up properly.

Of course as per usual with a ckdb restart, no mining was affected at all.

As for the login page, can you clear all the remembered form data for the web site and see if that helps?
I do have it showing up on one of my browsers (I have 2fa on all the time now)

As for 2fa itself, if you don't enable 2fa, login is still just username+password as before.
You don't have to enable 2fa if you don't want to.
If you enable 2fa (later when it's ready - or if you want to try it now) then the 2fa value will also be required everywhere you enter your password.

Looks like Chrome saved password works, but does not work in Safari. It did work prior to the 2Fa changes. Possible that the 3 entry box on the new page is messing it up. Would it be possible to have a register, login and login 2FA link? If the standard login is back on its own, that may work as it did before.

Another option is to put the login back where it was on the upper right of page, then just provide a 2FA login link that takes you to the new login page.

Thanks,

So that did not work, I see the stored user/pass in my keychain but each time I land on the login page, safari suggests a password after I enter username. I think its not detecting the page as the one I have already stored a user/pass for. Although the keychain shows kano.is https and saved user/pass

PS. What about forwarding HTTP to HTTPS for the landing page? Then you could use the original login/pass that was at the top right, just a suggestion.

[VirosaGITS]

Right now its adding several clicks to the usual several click to login then check your worker status. Its a lot of clicks unless you have a dedicated page on at all time auto refreshing so your session doesn't time out. Why not let read-only data always on?

I don't see a reason for always having to relog.

[kano]

...
PS. What about forwarding HTTP to HTTPS for the landing page? Then you could use the original login/pass that was at the top right, just a suggestion.

I don't want to forward it, since without forwarding, it allows anyone to access the index page and blocks page and also without having to issue a redirect.
It also means API access is however you choose, i.e. any web accessible program can access the API http or https

The way it is now, it forces a switch to https before you can type your password, thus you stay at https after that, but otherwise leaves it alone.
The forced switch going to the login page solves the problem for people logging in accidentally on http, but only when you click on it, so that was also another reason why I've changed it to that way.

[kano]

Right now its adding several clicks to the usual several click to login then check your worker status. Its a lot of clicks unless you have a dedicated page on at all time auto refreshing so your session doesn't time out. Why not let read-only data always on?

I don't see a reason for always having to relog.

Same reason why a bank logs you out.