From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 12:29:39 2003
From: James Welcher
Date: Wed, 10 Dec 2003 15:29:29 -0500
To: Brett Glass
Cc: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
Message-ID: <16343.33321.632599.190251@oscar.buszard-welcher.com>
In-Reply-To: <6.0.0.22.2.20031210124332.04e94ac0@localhost>
References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost>
>>>>> "Brett" == Brett Glass writes:

Brett> You must have misunderstood my message: This is EXACTLY
Brett> what the owner is concerned about. Encrypting the content
Brett> is not as important as preventing unfettered future access
Brett> via a password stolen by sniffing either the network or the
Brett> keyboard. Thus, SSL -- while it might be nice -- is
Brett> optional. What's needed is one-time passwords for "basic"
Brett> authentication in Apache.

Maybe not the solution you are looking for, but I wouldn't write a one-time password solution as an Apache module. It seems to me like it would be rather complex to implement, and you would still have to manage users' keys and generate the "little slips of paper" or educate the users to employ some kind of s/key or OPIE algorithm on their PDA or via some other host.

I have seen some websites employ (don't shudder) a JavaScript "mini-keyboard" where you can click on letters to "type in" a passphrase. This avoids local keyboard sniffers, and users and admins don't have to mess with one-time passwords. It should also work with any browser, assuming you do the JavaScript right.

Far be it from me to recommend JavaScript for anything, but then again, I think you would have a more portable solution with fewer headaches (barring the initial JavaScript development), and if a user is on a "trusted" machine, they can just type in the passphrase without using the JavaScript widget. Of course, SSL is no longer optional in this case.

James
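As an added example (not from this thread, nor FreeBSD's or OPIE's own code) of the s/key/OPIE-style hash chain James refers to: the server keeps only the last accepted password, so a password sniffed off the wire or keyboard cannot be replayed. It follows the MD5 variant of RFC 2289; the passphrase, seed and sequence count are constructed sample values.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """RFC 2289 one-way function for MD5: hash, then XOR the two 8-byte halves.
    (Assumption for this example: the OTP/OPIE MD5 variant, not the MD4 S/Key original.)"""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))

def otp_value(passphrase: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: the initial step hashes seed+passphrase (seed
    lowercased), then the one-way function is applied n more times."""
    v = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        v = fold_md5(v)
    return v

class OTPVerifier:
    """Server-side state: only the seed, the sequence number and the last accepted
    password are kept; the passphrase itself never needs to be stored."""
    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed = seed
        self.seq = count
        self.last = otp_value(passphrase, seed, count)  # enrolment step

    def challenge(self) -> str:
        # What the user is asked to compute on the PDA / other trusted host.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept only if one more hash step yields the stored value; a replayed
        (already consumed) password fails because the stored value has moved on."""
        if self.seq <= 0:          # chain exhausted, user must re-enrol
            return False
        if fold_md5(candidate) != self.last:
            return False
        self.last = candidate
        self.seq -= 1
        return True

def demo() -> list:
    """Constructed walk-through: enrol, answer two challenges, then replay the first."""
    passphrase, seed = "correct horse battery", "ex1234"  # constructed sample values
    server = OTPVerifier(passphrase, seed, 99)
    first = server.verify(otp_value(passphrase, seed, 98))   # True
    second = server.verify(otp_value(passphrase, seed, 97))  # True
    replay = server.verify(otp_value(passphrase, seed, 98))  # False: already used
    return [first, second, replay]
```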