Re: s/key authentication for Apache on FreeBSD?
From: Brett Glass (brett_at_lariat.org)
Date: 12/11/03
- Previous message: Slawek: "Re: s/key authentication for Apache on FreeBSD?"
- In reply to: James Welcher: "Re: s/key authentication for Apache on FreeBSD?"
- Next in thread: Michael Sierchio: "Re: s/key authentication for Apache on FreeBSD?"
- Reply: Michael Sierchio: "Re: s/key authentication for Apache on FreeBSD?"
- Reply: bruce_at_nikkel.com: "Re: s/key authentication for Apache on FreeBSD?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 10 Dec 2003 17:47:00 -0700 To: James Welcher <james@buszard-welcher.com>
At 01:29 PM 12/10/2003, James Welcher wrote:
>Maybe not the solution you are looking for, but I wouldn't write a
>one-time password solution as an apache module. It seems to me like it
>would be rather complex to implement and you would still have to have
>manage users keys and generate the "little slips of paper" or educate
>the users to employ some kind of s/key or opie algorithm on their PDA
>or via some other host.
The people in question have Palm Pilots. And, yes, in a pinch
slips of paper could be generated. The key thing is to be able
to get in from a public kiosk without the risk of compromised
passwords.
Bruce Nikkel writes:
>The problem with using s/key (or opie) together with http basic auth is
>the repetive nature of http requests. The webserver would expect see
>the basic authentication string with every single request. You would be
>promtped for your next onetime password for every single gif or link on
>the page requested. I don't know how practical that would be.
If this is true, then I'd have to write a Perl authentication module
that called s/key once and authorized an IP until the user clicked
a "logout" button or a certain amount of time elapsed. So, I'd be
using mod_perl *and* PAM. A bit more complex, but I can do it if I must.
Are you sure that Apache will try to authorize again on every hit?
--Brett
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Slawek: "Re: s/key authentication for Apache on FreeBSD?"
- In reply to: James Welcher: "Re: s/key authentication for Apache on FreeBSD?"
- Next in thread: Michael Sierchio: "Re: s/key authentication for Apache on FreeBSD?"
- Reply: Michael Sierchio: "Re: s/key authentication for Apache on FreeBSD?"
- Reply: bruce_at_nikkel.com: "Re: s/key authentication for Apache on FreeBSD?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
