From: bruce@nikkel.com
Date: Wed, 10 Dec 2003 21:26:23 +0100
To: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
Message-ID: <20031210202623.GC1458@nikkel.com>
In-Reply-To: <6.0.0.22.2.20031210124332.04e94ac0@localhost>
References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost>

> What's needed is one-time passwords for "basic" authentication in
> Apache.

The problem with using s/key (or opie) together with http basic auth
is the repetitive nature of http requests. The webserver would expect
to see the basic authentication string with every single request. You
would be prompted for your next one-time password for every single gif
or link on the page requested. I don't know how practical that would be.

Bruce Nikkel
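
Added example, not part of the original message: a small simulation of the mismatch described above, in which a server checks an S/Key-style hash-chain password on every Basic auth request. The server class, user name, secret and resource list are hypothetical, and SHA-256 is swapped in for the hash that real S/Key and OPIE use.

```python
import base64
import hashlib
import hmac

# Constructed sample: one HTML page and the images it references.
RESOURCES = ["/index.html", "/logo.gif", "/nav.gif", "/photo.gif"]

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the MD4/MD5 folding of real S/Key and OPIE.
    return hashlib.sha256(data).digest()

def chain(secret: bytes, n: int) -> bytes:
    """n-th link of the hash chain: h applied n times to the secret."""
    for _ in range(n):
        secret = h(secret)
    return secret

def basic_header(user: str, otp: bytes) -> str:
    return "Basic " + base64.b64encode(f"{user}:{otp.hex()}".encode()).decode()

class OtpBasicAuthServer:
    """Hypothetical server that checks a one-time password on every request."""
    def __init__(self, user: str, secret: bytes, n: int):
        self.user, self.remaining = user, n
        self.stored = chain(secret, n)      # only the last accepted link is kept

    def handle(self, path: str, authorization: str) -> int:
        scheme, _, blob = authorization.partition(" ")
        try:
            user, _, otp_hex = base64.b64decode(blob).decode().partition(":")
            otp = bytes.fromhex(otp_hex)
        except ValueError:
            return 401
        if scheme != "Basic" or user != self.user:
            return 401
        if not hmac.compare_digest(h(otp), self.stored):
            return 401                      # wrong or already-used password
        self.stored, self.remaining = otp, self.remaining - 1
        return 200

def load_page(server, user, secret, n, fresh_otp_per_request):
    """Fetch RESOURCES; return the HTTP status of each request."""
    statuses = []
    for i, path in enumerate(RESOURCES):
        # A browser caches Basic credentials and resends them (step 0 each time);
        # otherwise the user types the next password in the chain per request.
        step = i if fresh_otp_per_request else 0
        header = basic_header(user, chain(secret, n - 1 - step))
        statuses.append(server.handle(path, header))
    return statuses
```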