Re: s/key authentication for Apache on FreeBSD?
From: Brett Glass (brett_at_lariat.org)
Date: Wed, 10 Dec 2003 17:47:00 -0700 To: James Welcher <firstname.lastname@example.org>
At 01:29 PM 12/10/2003, James Welcher wrote:
>Maybe not the solution you are looking for, but I wouldn't write a
>one-time password solution as an apache module. It seems to me like it
>would be rather complex to implement and you would still have to have
>manage users keys and generate the "little slips of paper" or educate
>the users to employ some kind of s/key or opie algorithm on their PDA
>or via some other host.
The people in question have Palm Pilots. And, yes, in a pinch
slips of paper could be generated. The key thing is to be able
to get in from a public kiosk without the risk of compromised
Bruce Nikkel writes:
>The problem with using s/key (or opie) together with http basic auth is
>the repetive nature of http requests. The webserver would expect see
>the basic authentication string with every single request. You would be
>promtped for your next onetime password for every single gif or link on
>the page requested. I don't know how practical that would be.
If this is true, then I'd have to write a Perl authentication module
that called s/key once and authorized an IP until the user clicked
a "logout" button or a certain amount of time elapsed. So, I'd be
using mod_perl *and* PAM. A bit more complex, but I can do it if I must.
Are you sure that Apache will try to authorize again on every hit?
email@example.com mailing list
To unsubscribe, send any mail to "firstname.lastname@example.org"