Date: Wed, 10 Dec 2003 15:29:29 -0500
From: James Welcher <james@buszard-welcher.com>
To: Brett Glass <brett@lariat.org>
Cc: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
Message-ID: <16343.33321.632599.190251@oscar.buszard-welcher.com>
In-Reply-To: <6.0.0.22.2.20031210124332.04e94ac0@localhost>
References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost>
>>>>> "Brett" == Brett Glass <brett@lariat.org> writes:

Brett> You must have misunderstood my message: This is EXACTLY
Brett> what the owner is concerned about. Encrypting the content
Brett> is not as important as preventing unfettered future access
Brett> via a password stolen by sniffing either the network or the
Brett> keyboard. Thus, SSL -- while it might be nice -- is
Brett> optional. What's needed is one-time passwords for "basic"
Brett> authentication in Apache.

Maybe not the solution you are looking for, but I wouldn't write a
one-time password solution as an Apache module. It seems to me like it
would be rather complex to implement, and you would still have to manage
users' keys and generate the "little slips of paper", or educate the
users to employ some kind of S/Key or OPIE algorithm on their PDA or via
some other host.

I have seen some websites employ (don't shudder) a JavaScript
"mini-keyboard" where you can click on letters to "type in" a
passphrase. This avoids local keyboard sniffers, and users and admins
don't have to mess with one-time passwords. It should also work with any
browser, assuming you do the JavaScript right.

Far be it from me to recommend JavaScript for anything, but then again,
I think you would have a more portable solution with fewer headaches
(barring the initial JavaScript development), and if a user is on a
"trusted" machine, they can just type in the passphrase without using
the JavaScript widget. Of course, SSL is no longer optional in this
case.

James
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?16343.33321.632599.190251>
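The thread is about replacing the static password in Apache "basic" authentication with an S/Key/OPIE-style one-time password so that a sniffed credential gives no future access. The following is an added example, not code from the thread, from OPIE, or from any Apache module: a small Python model of the hash chain (MD5 with the 128-to-64-bit fold and a decreasing sequence number, as in OPIE) plus a verifier that parses an `Authorization: Basic` header. The `user:SEQ:HEX` password syntax, the `max_skip` limit, and the sample users are assumptions made for the example; a real deployment would use the OPIE library and its six-word encoding.

```python
"""S/Key / OPIE-style one-time password check for HTTP Basic auth.

Added example modelled on the RFC 2289 / OPIE hash chain (MD5, fold to
64 bits, sequence number counts down). Not the OPIE library and not an
Apache module; the 'user:SEQ:HEX' password layout is an assumption.
"""
import base64
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One chain step: MD5, then XOR the two 8-byte halves down to 64 bits."""
    h = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(h[:8], h[8:]))


def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Password for sequence number `seq`: fold of seed+passphrase (seed
    lowercased, as OPIE does) followed by `seq` further chain steps.
    Only the client ever computes this; the server never sees the passphrase."""
    v = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        v = fold_md5(v)
    return v


class OtpStore:
    """Server-side state for one user: the last accepted OTP and its sequence
    number. Knowing these lets you check the next password, not forge it."""

    def __init__(self, seed: str, seq: int, last_otp: bytes):
        self.seed = seed
        self.seq = seq        # sequence number of `last`
        self.last = last_otp  # 8-byte folded value

    @classmethod
    def enroll(cls, passphrase: str, seed: str, seq: int) -> "OtpStore":
        """Enrollment is the only time the passphrase touches the server."""
        return cls(seed, seq, otp(passphrase, seed, seq))

    def challenge(self) -> str:
        """Prompt the client would be shown: it must answer for seq-1."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, seq: int, candidate: bytes, max_skip: int = 10) -> bool:
        """Accept iff stepping `candidate` forward (self.seq - seq) times
        reproduces the stored value. A replayed or older password has
        seq >= self.seq and is refused; the chain only runs forward, so a
        sniffed password cannot be turned into the next one."""
        if not (0 <= seq < self.seq) or self.seq - seq > max_skip:
            return False
        v = candidate
        for _ in range(self.seq - seq):
            v = fold_md5(v)
        if not hmac.compare_digest(v, self.last):
            return False
        self.seq, self.last = seq, candidate  # advance the chain
        return True


def check_basic_auth(header: str, users: dict) -> bool:
    """Parse 'Basic <base64(user:SEQ:HEX)>' and verify the OTP for `user`.
    Assumed layout: the basic-auth password field carries 'SEQ:HEX'."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, seq_s, hex_otp = base64.b64decode(token).decode().split(":", 2)
        seq = int(seq_s)
        candidate = bytes.fromhex(hex_otp)
    except (ValueError, UnicodeDecodeError):
        return False
    store = users.get(user)
    return store is not None and len(candidate) == 8 and store.verify(seq, candidate)


def make_header(user: str, seq: int, candidate: bytes) -> str:
    """Client side: build the Authorization header value for one login."""
    raw = f"{user}:{seq}:{candidate.hex()}".encode()
    return "Basic " + base64.b64encode(raw).decode()


if __name__ == "__main__":
    # Constructed sample user; the passphrase stays on the client.
    users = {"brett": OtpStore.enroll("This is a test.", "TeSt", 100)}
    print(users["brett"].challenge())
    hdr = make_header("brett", 99, otp("This is a test.", "TeSt", 99))
    print("first use:", check_basic_auth(hdr, users))   # True
    print("replayed: ", check_basic_auth(hdr, users))   # False
```

Note what this does and does not buy you: a password captured on the wire or by a keylogger is useless after its single use, which is the property Brett asked for, but an attacker who can read the traffic can still read the protected content and hijack that one session, so SSL remains worthwhile even with OTP.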