From owner-freebsd-questions@FreeBSD.ORG Sat Sep 25 03:13:16 2004
Message-ID: <4154E4BB.5010001@cox.net>
Date: Fri, 24 Sep 2004 22:23:39 -0500
From: Jeff Hinrichs
To: Al Johnson
cc: freebsd-questions@freebsd.org
References: <20040923113709.GB30497@happy-idiot-talk.infracaninophile.co.uk> <20040925012222.GB72298@bhunter.net>
In-Reply-To: <20040925012222.GB72298@bhunter.net>
Subject: Re: Advice: "The Right" authentication method

Al Johnson wrote:
> On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
>
>> On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
>>
>>> I'm working on writing the "Control Panel" scripts which subscribers to
>>> our ISP will use to set up their eMail accounts and web space.
>>>
>>> Here's the Server spec:
>>>
>>> FreeBSD-Current;
>>> Perl 5.6.1, no problem installing any needed modules;
>>> Apache 2;
>>> I'm keeping ordinary customers off the machine, so I run Postfix and
>>> Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to
>>> arrange access to the control panel system.
>>>
>>> I'm stuck at the very start of my design process. I have two tasks to
>>> do:
>>>
>>> Verify that users have supplied the correct password; and let the perl
>>> scripts know who that visitor is, so that we can select the correct
>>> accounts to show.
>>>
>>> Do I use SASL directly? or LDAP? or do I implement an Apache module to
>>> handle access and let Apache do the work?
>>>
>>> I want to do "The right thing" - that is, the most general and correct
>>> thing possible. I've got years of experience in perl scripting, but at
>>> the moment I'm wandering around in a twisty little maze of standards, all
>>> different.
>>>
>>> Clue, please?
>>
>> You're basically writing a web application. For which you need access
>> control. You've got two choices: either use the HTTP basic or HTTP
>> digest auth mechanisms built into HTTP, and supported by Apache, or
>> (and this is by far the most popular choice) write your own
>> authentication mechanism as part of your application[1].
>>
>> The second choice gives you a lot more flexibility about how you
>> customise things and how you make the login screen look, which is
>> probably why it's more popular. You can also arrange things to avoid
>> sending passwords across the net in cleartext if you're cunning
>> enough.
>>
>> However you do it, the authentication process is essentially that the
>> client sends you two pieces of information: their username (ie. who
>> they claim to be) and some form of secret. The secret is usually a
>> password, but it can be something more complicated like an Opie
>> one-time password or whatever. Then in your application you compare
>> the secret to your stored version of it, and if they match you believe
>> that the client is who they say they are and that they should have
>> access. Of course, you don't want to keep the secret values lying
>> around in plain text: the standard Unix response to all that is to
>> generate a password hash using DES or MD5 to store, and to try and
>> recreate that hash using the password supplied by the user.
>>
>> That's where SASL comes in: instead of having to code up all that
>> stuff yourself, SASL is a library of authentication methods that you
>> can just plug into your application.
>>
>> Yes, you will need some sort of user account database -- often
>> implemented using an RDBMS, but could with little extra effort be made
>> to operate against an LDAP or RADIUS server. Or whatever the database
>> type you're already using for your Postfix+Cyrus setup.
>>
>> There are several examples of doing this sort of thing within the
>> ports system -- most are written in PHP, but check out devel/bugzilla
>> and www/rt3 for perl based examples.
>>
>> Cheers,
>>
>> Matthew
>
>
> I'd be grateful if someone would point out some examples of SASL
> authentication using PHP in the ports.
>
> I've searched through the ports, but had no luck finding any.
>

It looks like there is a SASL implementation in PEAR

http://pear.php.net/package/Auth_SASL/docs/1.0.0/li_Auth_SASL.html

You might try and start here:

http://www.freshports.org/security/pear-Auth_SASL/

hth,
Jeff
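The "compare the secret to your stored version" step that Matthew describes, as an added illustration in Perl that is not part of the thread and not code from any of the posters or from SASL: the stored value is a standard Unix crypt(3) hash rather than the password itself, and a login attempt is checked by recomputing the hash from the supplied password with the salt embedded in the stored value. The account names, passwords and the in-memory `%accounts` hash are constructed for the example; a real control panel would read the stored hashes from its RDBMS, LDAP or SASL back end.

```perl
#!/usr/bin/perl
# Added example (not from the thread): verify a login against a stored
# Unix-style password hash, never against a cleartext password.
use strict;
use warnings;

# Constructed account store for the demonstration: username => crypt hash.
# A "$1$" salt prefix asks the system crypt() for an MD5 hash (as on
# FreeBSD); a plain two-character salt would give a traditional DES hash.
my %accounts;

# Produce the value to store for a new password. The salt is random so
# two users with the same password end up with different stored hashes.
sub make_hash {
    my ($password) = @_;
    my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    my $salt = join '', map { $chars[ rand @chars ] } 1 .. 8;
    return crypt($password, '$1$' . $salt . '$');
}

# Compare two strings without short-circuiting on the first mismatch,
# so the time taken does not depend on how much of the hash matched.
sub same_secret {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0;
}

# The check made on every login: recompute the hash using the stored
# value as the salt (crypt() reads the salt from its prefix) and compare.
sub verify_user {
    my ($user, $password) = @_;
    my $stored = $accounts{$user};
    unless (defined $stored) {
        # Unknown user: still do the hashing work so the response time
        # does not reveal which usernames exist, then refuse.
        crypt($password, '$1$constructed$');
        return 0;
    }
    return same_secret(crypt($password, $stored), $stored);
}

# Constructed sample accounts and login attempts.
$accounts{alice} = make_hash('correct horse');
$accounts{bob}   = make_hash('hunter2');

for my $try (['alice', 'correct horse'], ['alice', 'wrong'], ['mallory', 'x']) {
    my ($user, $password) = @$try;
    printf "%-8s %s\n", $user, verify_user($user, $password) ? 'accepted' : 'rejected';
}
```

Only the stored hash ever needs to be written to the account database; the `crypt($supplied, $stored) eq $stored` idiom is the same one the system login uses against master.passwd, which is why Matthew calls it the standard Unix response. Once `verify_user` succeeds, the application still has to remember who the visitor is (a session cookie or Apache's authenticated user), which is the second half of Andy's question and not covered here.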