Date: Fri, 24 Sep 2004 22:23:39 -0500
From: Jeff Hinrichs <jlh@cox.net>
To: Al Johnson <ajhonson3391@tampabay.rr.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Advice: "The Right" authentication method
Message-ID: <4154E4BB.5010001@cox.net>
In-Reply-To: <20040925012222.GB72298@bhunter.net>
References: <D46B23FA-0D4E-11D9-AE37-000D93511A6A@hhbb.co.uk> <20040923113709.GB30497@happy-idiot-talk.infracaninophile.co.uk> <20040925012222.GB72298@bhunter.net>
Al Johnson wrote:
> On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
>
>> On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
>>
>>> I'm working on writing the "Control Panel" scripts which subscribers to
>>> our ISP will use to set up their eMail accounts and web space.
>>>
>>> Here's the Server spec:
>>>
>>> FreeBSD-Current;
>>> Perl 5.6.1, no problem installing any needed modules;
>>> Apache 2;
>>> I'm keeping ordinary customers off the machine, so I run Postfix and
>>> Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to
>>> arrange access to the control panel system.
>>>
>>> I'm stuck at the very start of my design process. I have two tasks to
>>> do:
>>>
>>> Verify that users have supplied the correct password; and let the perl
>>> scripts know who that visitor is, so that we can select the correct
>>> accounts to show.
>>>
>>> Do I use SASL directly? or LDAP? or do I implement an Apache module to
>>> handle access and let Apache do the work?
>>>
>>> I want to do "The right thing" - that is, the most general and correct
>>> thing possible. I've got years of experience in perl scripting, but at
>>> the moment I'm wandering around in a twisty little maze of standards, all
>>> different.
>>>
>>> Clue, please?
>>
>> You're basically writing a web application. For which you need access
>> control. You've got two choices: either use the HTTP basic or HTTP
>> digest auth mechanisms built into HTTP, and supported by Apache, or
>> (and this is by far the most popular choice) write your own
>> authentication mechanism as part of your application[1].
>>
>> The second choice gives you a lot more flexibility about how you
>> customise things and how you make the login screen look, which is
>> probably why it's more popular. You can also arrange things to avoid
>> sending passwords across the net in cleartext if you're cunning
>> enough.
>>
>> However you do it, the authentication process is essentially that the
>> client sends you two pieces of information: their username (ie. who
>> they claim to be) and some form of secret. The secret is usually a
>> password, but it can be something more complicated like an Opie
>> one-time password or whatever. Then in your application you compare
>> the secret to your stored version of it, and if they match you believe
>> that the client is who they say they are and that they should have
>> access. Of course, you don't want to keep the secret values lying
>> around in plain text: the standard Unix response to all that is to
>> generate a password hash using DES or MD5 to store, and to try and
>> recreate that hash using the password supplied by the user.
>>
>> That's where SASL comes in: instead of having to code up all that
>> stuff yourself, SASL is a library of authentication methods that you
>> can just plug into your application.
>>
>> Yes, you will need some sort of user account database -- often
>> implemented using an RDBMS, but could with little extra effort be made
>> to operate against an LDAP or RADIUS server. Or whatever the database
>> type you're already using for your Postfix+Cyrus setup.
>>
>> There are several examples of doing this sort of thing within the
>> ports system -- most are written in PHP, but check out devel/bugzilla
>> and www/rt3 for perl based examples.
>>
>> Cheers,
>>
>> Matthew
>
>
> I'd be grateful if someone would point out some examples of SASL
> authentication using PHP in the ports.
>
> I've searched through the ports, but had no luck finding any.
>

It looks like there is a SASL implementation in PEAR
http://pear.php.net/package/Auth_SASL/docs/1.0.0/li_Auth_SASL.html

You might try and start here:
http://www.freshports.org/security/pear-Auth_SASL/

hth,
Jeff
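As an added example (not code from anyone in this thread), here is the core of what Matthew describes in Perl, the language Andy is using: take the username and secret the client sends (parsed here from an HTTP Basic Authorization header, the first of his two options), recompute the crypt(3) hash against the stored one, and hand the application the identity of the visitor. The user table, passwords and salts are constructed for the example; nothing is read from a real password store.

```perl
#!/usr/bin/perl
# Added example: verify HTTP Basic credentials against a crypt()-hashed
# user table and report who the visitor is. All users/passwords/salts
# below are constructed; a real control panel would load them from its
# account database.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed user table: username => crypt(3) hash, stored the way a
# Unix-style password database would hold it (MD5-crypt "$1$" salts here;
# crypt() falls back to DES on platforms without MD5-crypt support).
my %users = (
    andy => crypt('s3cret-pw', '$1$saltsalt$'),
    al   => crypt('other-pw',  '$1$eightchr$'),
);

# Parse "Basic <base64(user:pass)>". Returns (user, pass), or an empty
# list when the header is absent, malformed, or not Basic auth.
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header && $header =~ /^Basic\s+([A-Za-z0-9+\/=]+)\s*$/;
    my $decoded = decode_base64($1);
    my ($user, $pass) = split /:/, $decoded, 2;   # password itself may contain ':'
    return unless defined $user && defined $pass && length $user;
    return ($user, $pass);
}

# Recompute the hash from the supplied secret and compare with the stored
# one. crypt() reuses the salt embedded in the stored hash, so this is the
# whole check. Unknown users still run crypt() against a dummy hash so the
# response time does not reveal which usernames exist.
sub authenticate {
    my ($user, $pass) = @_;
    my $stored   = exists $users{$user} ? $users{$user} : crypt('', '$1$dummyslt$');
    my $computed = crypt($pass, $stored);
    return (exists $users{$user} && $computed eq $stored) ? $user : undef;
}

# Drive it with constructed Authorization header values.
for my $header ('Basic ' . encode_base64('andy:s3cret-pw', ''),
                'Basic ' . encode_base64('andy:wrong', ''),
                'Basic ' . encode_base64('nobody:x', ''),
                'Bearer not-basic') {
    my ($u, $p) = parse_basic_auth($header);
    my $who = defined $u ? authenticate($u, $p) : undef;
    printf "%-36s -> %s\n", $header, defined $who ? "authenticated as $who" : "rejected";
}
```

The value returned by authenticate() is the identity the rest of the control panel scripts would use to select which accounts to show; every other outcome is a plain rejection.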