From: Brett Glass
To: security@freebsd.org
Date: Wed, 10 Dec 2003 12:05:39 -0700
Subject: s/key authentication for Apache on FreeBSD?

I'm constructing a Web server which may require restricted areas of the site to be used from public places where a password might be sniffed. The damage that could be done by taking snapshots of the content from one session with a spy program is minimal. What the owner of the server does NOT want, though, is to allow unauthorized parties to gain unfettered access by stealing the password via a key sniffer. After considering the readily available alternatives, I'd like to try using s/key one-time passwords with "basic" authentication (which works on most browsers).
But how do I lash Apache and s/key together under FreeBSD, and get Apache to require s/key passwords from all IP addresses outside the owner's home network? (Apache doesn't have a mod_auth_skey module, so I'd probably have to cobble this together with mod_perl -- or via PAM, with which I have virtually no experience.) All suggestions as to the most efficient way to construct a solution will be most welcome. --Brett Glass
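Added illustration, not from Brett's message nor from FreeBSD's libskey or any Apache module: a Python sketch of the server-side logic that a mod_perl or PAM handler for this setup would have to implement. It walks the RFC 2289 one-way chain (MD5 variant; the Bellcore S/Key that FreeBSD shipped defaulted to MD4, which differs only in the hash function), advances the stored value so an accepted password can never be replayed, and exempts the owner's home network. Assumed: 192.0.2.0/24 as the home network, the one-time password typed in hex into the browser's Basic-auth password field, and that requests from the home network fall through to the ordinary password check.

```python
import base64
import hashlib
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # owner's home network (constructed value)

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the two 64-bit halves of the digest."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: the n-th password of the chain (seed is case-insensitive per RFC 2289)."""
    k = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(n):
        k = fold_md5(k)
    return k

def init_user(store: dict, user: str, passphrase: str, seed: str, n: int = 100) -> None:
    """What skeyinit records server-side: sequence number and OTP_n, never the passphrase."""
    store[user] = {"seed": seed, "n": n, "last": otp(passphrase, seed, n)}

def verify(store: dict, user: str, candidate: bytes) -> bool:
    """Accept candidate only if one more hash step yields the stored OTP; then advance."""
    rec = store.get(user)
    if rec is None or rec["n"] <= 0 or fold_md5(candidate) != rec["last"]:
        return False
    rec["last"], rec["n"] = candidate, rec["n"] - 1  # an accepted OTP can never be replayed
    return True

def basic_header(user: str, candidate: bytes) -> str:
    """The Authorization header a browser sends when the hex OTP is typed as the password."""
    return "Basic " + base64.b64encode(f"{user}:{candidate.hex()}".encode()).decode()

def check_request(store: dict, client_ip: str, auth_header) -> bool:
    """Gate one request: inside HOME_NET the ordinary password check applies (modelled as
    allowed here); outside it, Basic auth must carry user:hex-OTP with the next chain value."""
    if ipaddress.ip_address(client_ip) in HOME_NET:
        return True
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
        candidate = bytes.fromhex(pw.replace(" ", ""))
    except ValueError:  # bad base64, non-UTF-8, or non-hex password
        return False
    return len(candidate) == 8 and verify(store, user, candidate)
```

The user's sequence counter only ever decreases, so a sniffed password is useless once the server has seen it; a real handler would persist `store` (the skeykeys file) and reject the login once `n` reaches 0 until the user re-runs skeyinit.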