Re: s/key authentication for Apache on FreeBSD?

From: Jason Stone (freebsd-security_at_dfmm.org)
Date: 12/10/03

  • Next message: Slawek: "Re: s/key authentication for Apache on FreeBSD?"

    Date: Wed, 10 Dec 2003 13:30:02 -0800 (PST)
    To: security@freebsd.org


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > > What's needed is one-time passwords for "basic" authentication in
    > > Apache.
    >
    > The problem with using s/key (or opie) together with http basic auth is
    > the repetitive nature of http requests. The webserver would expect to see
    > the basic authentication string with every single request. You would be
    > prompted for your next one-time password for every single gif or link on
    > the page requested. I don't know how practical that would be.

    Good point. You'd have to implement your own sessioning and
    authentication entirely within your app, which always sucks.

    An additional issue with http basic auth and an opie calculator is that
    opie is challenge based - you compute the response based on the iteration
    count and a salt string. So the user's browser is going to have to be
    convinced to show him the challenge so he can enter it into the
    calculator, but most browsers won't show you the html returned by the
    initial 401 request until _after_ the user has failed or bailed out of the
    authentication process. You could possibly coerce apache into dynamically
    inserting the challenge into the authentication "realm," but that probably
    precludes using a standard mod_auth_pam type of thing.

     -Jason

     --------------------------------------------------------------------------
     Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
     that he was insufficiently fondled when he was an infant.
            -- Ashley Montagu
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (FreeBSD)
    Comment: See https://private.idealab.com/public/jason/jason.gpg

    iD8DBQE/15BaswXMWWtptckRAg/GAJ98SUI6OKPgzpkgPtprY1ZZcOQsHgCgnHTn
    Ie+hQDmdVGC/6umkttdYMV4=
    =3acd
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
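
    [Editor's note, added to the archive page; this is not part of the message
    above, nor is it FreeBSD's opie or Apache code.] The two objections in the
    thread are easy to see concretely: an RFC 2289 (S/Key, OPIE) one-time
    password is a function of the sequence number and the seed, so the user
    must be shown the challenge before he can compute the response, and since a
    Basic-auth browser replays the same Authorization header for every
    sub-resource of a page, only the first request of a page load can ever
    verify, because the hash chain has already advanced. The example below
    implements otp-md5 generation and server-side verification per RFC 2289,
    puts the challenge into the realm string in the RFC's own
    "otp-md5 <seq> <seed> ext" form (the realm trick Jason mentions), and then
    simulates a page load of three requests. The seed, pass phrase, user name
    and the hex-only response format are constructed assumptions for the
    example; the first assertion is the RFC 2289 Appendix C test vector.

```python
import base64
import hashlib
from dataclasses import dataclass


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 otp-md5 step: hash, then XOR the two 64-bit halves of the digest."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def otp(seed: str, passphrase: str, seq: int) -> bytes:
    """Compute the seq-th one-time password of an otp-md5 chain (RFC 2289).

    The seed is lower-cased, prepended to the pass phrase and hashed once; each
    further application of the hash yields the next lower-numbered password.
    """
    x = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(seq):
        x = fold_md5(x)
    return x


def to_hex(otp_bytes: bytes) -> str:
    """Canonical upper-case hex output, in four-character groups."""
    h = otp_bytes.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


@dataclass
class OtpState:
    """Per-user server state: no secret is stored, only the last accepted OTP."""
    seed: str
    seq: int          # sequence number of last_otp
    last_otp: bytes


def init_state(seed: str, passphrase: str, seq: int) -> OtpState:
    """Enrolment: the user computes otp(seq) once and registers it with the server."""
    return OtpState(seed, seq, otp(seed, passphrase, seq))


def challenge_header(state: OtpState) -> str:
    """Embed the RFC 2289 challenge in the Basic realm so the browser's login box shows it."""
    return f'WWW-Authenticate: Basic realm="otp-md5 {state.seq - 1} {state.seed} ext"'


def basic_header(user: str, response: str) -> str:
    """What a browser sends once the user has typed the calculator's output."""
    return "Basic " + base64.b64encode(f"{user}:{response}".encode()).decode()


def verify(state: OtpState, authorization: str, user: str) -> bool:
    """Check an 'Authorization: Basic ...' value; on success advance the chain."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        name, _, response = base64.b64decode(b64).decode().partition(":")
        candidate = bytes.fromhex(response.replace(" ", ""))   # hex responses only (assumption)
    except (ValueError, UnicodeDecodeError):
        return False
    if name != user or len(candidate) != 8:
        return False
    # The response must hash to the OTP we last accepted; that is the whole check.
    if fold_md5(candidate) != state.last_otp:
        return False
    state.last_otp = candidate
    state.seq -= 1
    return True


def simulate_page_load(n_requests: int = 3) -> list:
    """One page with several sub-resources: the browser resends the identical
    Authorization header each time, so only the first request can verify."""
    seed, passphrase, user = "te1234", "example pass phrase", "alice"  # constructed values
    state = init_state(seed, passphrase, 99)
    # Server challenges with seq 98; the user feeds "98 te1234" to the calculator.
    assert challenge_header(state) == 'WWW-Authenticate: Basic realm="otp-md5 98 te1234 ext"'
    hdr = basic_header(user, to_hex(otp(seed, passphrase, 98)))
    return [verify(state, hdr, user) for _ in range(n_requests)]


if __name__ == "__main__":
    # RFC 2289 Appendix C: otp-md5, pass phrase "This is a test.", seed TeSt, seq 0
    print(to_hex(otp("TeSt", "This is a test.", 0)))   # 9E87 6134 D904 99DD
    print(simulate_page_load())                         # [True, False, False]
```

    The second and third results are the practical problem in the thread: the
    replayed header is not a forgery, it is exactly what the browser does, and
    a correct verifier has to reject it. Anything that makes the page usable
    (a session cookie minted after the first success, or a per-user grace
    window) is application logic on top of Basic auth, not something Basic
    auth itself can provide.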

