Re: Linux/Windows Authentication?

From: Clint Bodungen (clint_at_secureconsulting.com)
Date: 02/27/04

    To: "MARTIN M. Bénoni" <benoni_martin@hotmail.com>, <pen-test@securityfocus.com>
    Date: Fri, 27 Feb 2004 14:50:30 -0600

    "MARTIN M. Bénoni" wrote on Thursday, February 26, 2004 9:40 AM:

    > Hi list!
    >
    > I would like to know if there is a way to meet the following
    > requirement:
    >
    > We are setting up an Intranet. On it, each department will be allowed to
    > access a part of the server; for example, HR Department will be allowed to
    > access just http://intranet/HR, Financial Department will just be allowed
    > to access http://intranet/Finance, and so on. As they are non-IT people,
    > we would be looking for a transparent way to authenticate them and to
    > block someone from one department from accessing a file from another
    > department. User/password may be tough to set up as they will have to
    > remember them and we will have to check that they are not using weak
    > passwords. A PKI/Kerberos/...-based solution would be long to set up as
    > well. I was thinking about some key-based authentication, as it can
    > usually be done with ssh. But looking around the Internet for some
    > information, no way to find out some clues... Moreover, all the clients
    > will be Windows 2000/XP, and our Intranet runs under Linux (Redhat 9.0).
    > Some ideas? :-)
    >
    > Authentication based on IP addresses would be the easiest solution I have
    > been thinking about, but it remains to be seen if I can tell my Linux box
    > to allow a given bunch of IP addresses to access just a given directory...
    >

    You can do this using .htaccess
    (http://httpd.apache.org/docs-2.1/howto/htaccess.html) files under Apache.
    Just place the file in each of the department directories and make sure the
    file mentions subdirectories as well. That will do the authentication based
    on IP addresses. However, there is a major flaw in this type of restriction.
    If someone from HR (for example) goes to the sales floor and tries to access
    his/her documents in the HR directory, she/he will get the access denied
    message, which could lead to major frustration. Of course this depends on the
    political climate in the company.

    Also, if .htaccess files are not chosen as the solution, you can always use
    the following code in a PHP script to tell what IP address someone is coming
    from and kick them to an access denied message (send a header with a 403
    error - "Your request was denied as you have no permission to access the
    data.").

    ----------- PHP Code ----------
    <?php
    // Read the RC based on the IP address of the machine accessing this
    // application. $_SERVER['REMOTE_ADDR'] is the TCP peer address as seen by
    // Apache; the bare $REMOTE_ADDR form only works with register_globals on.
    list ($IP_Octet1, $IP_Octet2, $IP_Octet3, $IP_Octet4) = explode (".",
        $_SERVER['REMOTE_ADDR']);

    $IP_Octet1, $IP_Octet2, $IP_Octet3, and $IP_Octet4 will contain the 4 octets
    of the address and you can use

    if ($IP_Octet1 != "xxx") {
        // Octet didn't match - deny access with a 403 and stop the script
        header("HTTP/1.0 403 Forbidden");
        echo "Your request was denied as you have no permission to access the data.";
        exit;
    }
    ?>
    ----------- End Code fragment --------------
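The .htaccess approach from the reply above, written out as an added example (this is not the poster's own configuration; the directory path and subnets are assumed values). Directives in an .htaccess file apply to the directory it sits in and to every subdirectory beneath it unless a deeper .htaccess overrides them, and Apache only honours them where httpd.conf grants AllowOverride Limit (or All) for that directory tree.

```apache
# /var/www/intranet/HR/.htaccess   (constructed example; path and subnet are assumed)
# Apache 1.3 / 2.0 / 2.2 syntax (mod_access / mod_authz_host).
# Apache does not allow comments on the same line as a directive, so every
# comment sits on its own line.

# Deny everyone first, then permit the HR office subnet (assumed: 10.1.10.0/24).
Order deny,allow
Deny from all
Allow from 10.1.10.0/24

# Equivalent for Apache 2.4 (mod_authz_core), should the server ever be upgraded:
# Require ip 10.1.10.0/24
```

A second file under /Finance/ carries the Finance subnet in the same way. The same three directives can instead go in httpd.conf inside a <Directory "/var/www/intranet/HR"> block, which saves Apache a per-request .htaccess lookup and keeps the rule out of reach of anyone who can write to the content directory. Either way this is a check on network location, not on identity: any host that ends up on the HR subnet, or behind the same NAT, is treated as HR, and if a reverse proxy is placed in front of Apache every request arrives from the proxy's address and the scheme stops distinguishing departments. Denied requests show up as 403 entries in the Apache access log, which is where to look when a user reports being locked out.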

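A fuller version of the PHP check from the reply, added here as an example rather than taken from the post: it goes beyond the single-octet comparison by matching the peer address against whole CIDR ranges (so a department subnet need not line up with one octet), reads the address from $_SERVER instead of a register_globals variable, and denies by default. The department-to-subnet table, the area names and the function names are assumptions for the example; it needs PHP 7 or later.

```php
<?php
// Added example (not from the list post). Gate a department area of the
// intranet by the client's source subnet, using CIDR matching rather than a
// per-octet string comparison. Needs PHP 7+ (scalar type hints, ?? operator).

// Constructed table: URL area -> IPv4 subnets permitted to use it (assumed values).
$DEPARTMENT_NETS = [
    '/HR/'      => ['10.1.10.0/24'],
    '/Finance/' => ['10.1.20.0/24', '10.1.21.0/24'],
];

// True if the dotted-quad $ip lies inside $cidr,
// e.g. ip_in_cidr('10.1.10.7', '10.1.10.0/24') === true.
// Right shifts are used instead of a bit mask so the comparison behaves the
// same on 32-bit and 64-bit PHP builds (ip2long may return negatives on 32-bit).
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                       // bare host address
    }
    list($net, $bits) = explode('/', $cidr, 2);
    if (!preg_match('/^[0-9]{1,2}$/', $bits) || (int)$bits > 32) {
        return false;                         // malformed prefix length
    }
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                         // not a valid IPv4 address
    }
    $shift = 32 - (int)$bits;
    if ($shift === 32) {
        return true;                          // /0 matches every address
    }
    return ($ipLong >> $shift) === ($netLong >> $shift);
}

// True only if $clientIp is inside one of the subnets listed for $area.
// Unknown areas and unparseable clients are denied (fail closed).
function client_allowed(string $area, string $clientIp, array $nets): bool
{
    foreach ($nets[$area] ?? [] as $cidr) {
        if (ip_in_cidr($clientIp, $cidr)) {
            return true;
        }
    }
    return false;
}

// Call this at the top of every script under the given area, e.g. from
// /HR/index.php:   deny_unless_allowed('/HR/', $DEPARTMENT_NETS);
function deny_unless_allowed(string $area, array $nets): void
{
    // REMOTE_ADDR is the TCP peer Apache accepted the connection from. Headers
    // such as X-Forwarded-For are set by the client and must not be consulted
    // here; if a reverse proxy fronts Apache, REMOTE_ADDR is the proxy and this
    // scheme can no longer tell departments apart.
    $clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!client_allowed($area, $clientIp, $nets)) {
        // Leave a trail in the Apache error log so lock-outs can be investigated.
        error_log("intranet: denied $clientIp for area $area");
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "Your request was denied as you have no permission to access the data.\n";
        exit;
    }
}
```

Keep this file outside the document root and pull it in with require_once from each department script, so the subnet table lives in one place. As with the .htaccess variant, the check only establishes which network the request came from; it is a coarse access control, not authentication of the person at the keyboard.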