Date:      Wed, 10 Dec 2003 15:29:29 -0500
From:      James Welcher <james@buszard-welcher.com>
To:        Brett Glass <brett@lariat.org>
Cc:        security@freebsd.org
Subject:   Re: s/key authentication for Apache on FreeBSD?
Message-ID:  <16343.33321.632599.190251@oscar.buszard-welcher.com>
In-Reply-To: <6.0.0.22.2.20031210124332.04e94ac0@localhost>
References:  <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost>

>>>>> "Brett" == Brett Glass <brett@lariat.org> writes:

    Brett> You must have misunderstood my message: This is EXACTLY
    Brett> what the owner is concerned about. Encrypting the content
    Brett> is not as important as preventing unfettered future access
    Brett> via a password stolen by sniffing either the network or the
    Brett> keyboard. Thus, SSL -- while it might be nice -- is
    Brett> optional.  What's needed is one-time passwords for "basic"
    Brett> authentication in Apache.

Maybe not the solution you are looking for, but I wouldn't write a
one-time password solution as an Apache module. It seems to me like it
would be rather complex to implement, and you would still have to
manage users' keys and generate the "little slips of paper" or educate
the users to employ some kind of S/Key or OPIE algorithm on their PDA
or via some other host.

I have seen some websites employ (don't shudder) a JavaScript
"mini-keyboard" where you can click on letters to "type in" a
passphrase. This avoids local keyboard sniffers, and users and admins
don't have to mess with one-time passwords. It should also work with
any browser, assuming you do the JavaScript right.

Far be it from me to recommend JavaScript for anything, but
then again, I think you would have a more portable solution
with fewer headaches (barring the initial JavaScript development),
and if a user is on a "trusted" machine, they can just type
in the passphrase without using the JavaScript widget.

Of course, SSL is no longer optional in this case.

James
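The following is an added example, not part of James's message or of anything in this thread, showing what the "S/Key or OPIE algorithm" the thread refers to actually does on each side: a hash-chain one-time password in the style of RFC 2289 (the successor to S/Key, RFC 1760), using MD5 with the RFC 2289 folding rule. The client computes the next link of the chain from the passphrase and the server's challenge, and the server verifies it with a single hash step against the last accepted value, so a sniffed response cannot be replayed and the server never stores the passphrase. The user name, seed, sequence length, the `OtpServer` class and the hex transport (real S/Key uses six dictionary words) are assumptions made for this example.

```python
"""Hash-chain one-time passwords (S/Key / OPIE style, RFC 2289 structure).

Added example; not code from the thread or from any S/Key or OPIE
implementation.  Hash step: MD5 folded to 64 bits as in RFC 2289.
"""
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One hash step: MD5, then fold the 16-byte digest to 8 bytes by
    XORing the two halves byte-wise (the MD5 folding rule of RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def otp_chain(passphrase: str, seed: str, count: int) -> bytes:
    """Return H^count(seed || passphrase), count >= 1.

    This is the client-side computation (the "PDA or some other host"
    from the thread).  RFC 2289 lowercases the seed before hashing."""
    if count < 1:
        raise ValueError("count must be >= 1")
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count - 1):
        value = fold_md5(value)
    return value


class OtpServer:
    """Server side (hypothetical class for this example).

    Stores only the seed, the sequence number and the last accepted
    hash; the passphrase itself is never kept on the server."""

    def __init__(self, user: str, passphrase: str, seed: str, n: int = 100):
        # Enrolment step (keyinit / opiepasswd in the real tools): the
        # passphrase is used once here to compute the top of the chain.
        self.user = user
        self.seed = seed
        self.n = n
        self.last = otp_chain(passphrase, seed, n)

    def challenge(self) -> str:
        # RFC 2289 challenge format: "otp-md5 <sequence> <seed>"
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, presented_hex: str) -> bool:
        """Accept `presented` iff H(presented) == last accepted value."""
        if self.n < 2:
            return False  # chain exhausted; the user must re-enrol
        try:
            presented = bytes.fromhex(presented_hex)
        except ValueError:
            return False
        if len(presented) != 8:
            return False
        if not hmac.compare_digest(fold_md5(presented), self.last):
            return False
        # Move one link down the chain; the value just used is now the
        # reference and can never be accepted again (replay protection).
        self.last = presented
        self.n -= 1
        return True


def client_response(passphrase: str, challenge: str) -> str:
    """What the user would paste into the Basic-auth password field."""
    _, seq, seed = challenge.split()
    return otp_chain(passphrase, seed, int(seq)).hex()


def demo() -> dict:
    """Constructed exchange: a login, a replay of the sniffed response,
    a wrong passphrase, then a second legitimate login."""
    srv = OtpServer("alice", "correct horse", "fr1234", n=5)
    sniffed = client_response("correct horse", srv.challenge())
    first = srv.verify(sniffed)                     # True
    replay = srv.verify(sniffed)                    # False: already used
    wrong = srv.verify(client_response("wrong passphrase", srv.challenge()))
    second = srv.verify(client_response("correct horse", srv.challenge()))
    return {"first": first, "replay": replay, "wrong": wrong,
            "second": second, "remaining": srv.n}


if __name__ == "__main__":
    print(demo())
```

Capturing one response from the wire gives an attacker H^(n-1), from which H^(n-2), the next password, cannot be derived; that is the whole point the thread is after. It does nothing against a keylogger on the machine where the passphrase is typed into the calculator, and, as James notes, someone still has to hand out the chain or the calculator to the users.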


