Re: s/key authentication for Apache on FreeBSD?

From: James Welcher (james_at_buszard-welcher.com)
Date: 12/10/03

    Date: Wed, 10 Dec 2003 15:29:29 -0500
    To: Brett Glass <brett@lariat.org>
    
    

    >>>>> "Brett" == Brett Glass <brett@lariat.org> writes:

        Brett> You must have misunderstood my message: This is EXACTLY
        Brett> what the owner is concerned about. Encrypting the content
        Brett> is not as important as preventing unfettered future access
        Brett> via a password stolen by sniffing either the network or the
        Brett> keyboard. Thus, SSL -- while it might be nice -- is
        Brett> optional. What's needed is one-time passwords for "basic"
        Brett> authentication in Apache.

    Maybe not the solution you are looking for, but I wouldn't write a
    one-time password solution as an Apache module. It seems to me like it
    would be rather complex to implement and you would still have to
    manage users' keys and generate the "little slips of paper" or educate
    the users to employ some kind of s/key or opie algorithm on their PDA
    or via some other host.

    I have seen some websites employ (don't shudder) a JavaScript
    "mini-keyboard" where you can click on letters to "type in" a
    passphrase. This avoids local keyboard sniffers, and users and admins
    don't have to mess with one-time passwords. It should also work with
    any browser, assuming you do the JavaScript right.

    Far be it from me to recommend JavaScript for anything, but
    then again, I think you would have a more portable solution
    with fewer headaches (barring the initial JavaScript development)
    and if a user is on a "trusted" machine, they can just type
    in the passphrase without using the JavaScript widget.

    Of course, SSL is no longer optional in this case.

    James
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
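
The thread turns on why a sniffed one-time password is useless for later logins, and on the enrollment burden that comes with it. The following is an added example, not code from the thread or from any S/Key or OPIE implementation: a simplified hash-chain verifier using SHA-256 (real S/Key and OPIE use MD4/MD5 folded to 64 bits, so this is not wire-compatible). All names and sample values are hypothetical.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """One chain step. SHA-256 is an assumption; S/Key/OPIE use MD4/MD5."""
    return hashlib.sha256(data).digest()

def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: hash seed+passphrase n times to get password number n."""
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = h(value)
    return value

class Verifier:
    """Server side: keeps only the last accepted OTP, never the passphrase."""

    def __init__(self, initial_otp: bytes, count: int):
        self.stored = initial_otp  # H^count(secret), set at enrollment
        self.count = count

    def challenge(self) -> int:
        """Sequence number the client must answer with next."""
        return self.count - 1

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 1:
            # Chain exhausted: answering would expose the unhashed secret,
            # so the user has to be re-enrolled with a new seed.
            return False
        if not hmac.compare_digest(h(candidate), self.stored):
            return False
        self.stored = candidate  # a sniffed value now hashes to the wrong thing
        self.count -= 1
        return True

def demo() -> list:
    passphrase, seed = "correct horse battery", "fb12345"  # constructed values
    server = Verifier(otp(passphrase, seed, 5), 5)
    on_the_wire = otp(passphrase, seed, server.challenge())
    results = [server.verify(on_the_wire)]   # legitimate login
    results.append(server.verify(on_the_wire))  # replay of the sniffed value
    results.append(server.verify(otp(passphrase, seed, server.challenge())))
    return results

if __name__ == "__main__":
    print(demo())
```

The countdown in `Verifier` is the operational cost raised in the reply above: every user's chain eventually runs out and has to be regenerated.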

