From owner-freebsd-security@FreeBSD.ORG Wed Dec 10 16:50:08 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 27AA916A4CF for ; Wed, 10 Dec 2003 16:50:08 -0800 (PST) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4573543D2E for ; Wed, 10 Dec 2003 16:50:06 -0800 (PST) (envelope-from brett@lariat.org) Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA23304; Wed, 10 Dec 2003 17:49:56 -0700 (MST) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <6.0.0.22.2.20031210173916.04f57be8@localhost> X-Sender: brett@localhost (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 10 Dec 2003 17:47:00 -0700 To: James Welcher From: Brett Glass In-Reply-To: <16343.33321.632599.190251@oscar.buszard-welcher.com> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: Kyle Amon cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Dec 2003 00:50:08 -0000 At 01:29 PM 12/10/2003, James Welcher wrote: >Maybe not the solution you are looking for, but I wouldn't write a >one-time password solution as an apache module. It seems to me like it >would be rather complex to implement and you would still have to have >manage users keys and generate the "little slips of paper" or educate >the users to employ some kind of s/key or opie algorithm on their PDA >or via some other host. The people in question have Palm Pilots. And, yes, in a pinch slips of paper could be generated. The key thing is to be able to get in from a public kiosk without the risk of compromised passwords. Bruce Nikkel writes: >The problem with using s/key (or opie) together with http basic auth is >the repetive nature of http requests. The webserver would expect see >the basic authentication string with every single request. You would be >promtped for your next onetime password for every single gif or link on >the page requested. I don't know how practical that would be. If this is true, then I'd have to write a Perl authentication module that called s/key once and authorized an IP until the user clicked a "logout" button or a certain amount of time elapsed. So, I'd be using mod_perl *and* PAM. A bit more complex, but I can do it if I must. Are you sure that Apache will try to authorize again on every hit? --Brett