Date:      Wed, 10 Dec 2003 17:47:00 -0700
From:      Brett Glass <brett@lariat.org>
To:        James Welcher <james@buszard-welcher.com>
Cc:        security@freebsd.org
Subject:   Re: s/key authentication for Apache on FreeBSD?
Message-ID:  <6.0.0.22.2.20031210173916.04f57be8@localhost>
In-Reply-To: <16343.33321.632599.190251@oscar.buszard-welcher.com>
References:  <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com>

At 01:29 PM 12/10/2003, James Welcher wrote:

>Maybe not the solution you are looking for, but I wouldn't write a
>one-time password solution as an apache module. It seems to me like it
>would be rather complex to implement and you would still have to
>manage users' keys and generate the "little slips of paper" or educate
>the users to employ some kind of s/key or opie algorithm on their PDA
>or via some other host.

The people in question have Palm Pilots. And, yes, in a pinch
slips of paper could be generated. The key thing is to be able
to get in from a public kiosk without the risk of compromised
passwords.

Bruce Nikkel writes:

>The problem with using s/key (or opie) together with http basic auth is
>the repetitive nature of http requests. The webserver would expect to see
>the basic authentication string with every single request. You would be
>prompted for your next one-time password for every single gif or link on
>the page requested. I don't know how practical that would be.

If this is true, then I'd have to write a Perl authentication module
that called s/key once and authorized an IP until the user clicked
a "logout" button or a certain amount of time elapsed. So, I'd be
using mod_perl *and* PAM. A bit more complex, but I can do it if I must.
Are you sure that Apache will try to authorize again on every hit?

--Brett 
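
Added example, not part of the original message or of any module mentioned in the thread: a Python sketch of the scheme discussed above, in which one S/Key-style hash-chain password is checked once and the client IP is then authorized until logout or a timeout, so later hits need no password. Assumptions: SHA-256 stands in for the S/Key hash, and `OtpGate`, `chain`, the 600-second lifetime and all sample values are hypothetical.

```python
import hashlib
import hmac

def H(value: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the S/Key hash to keep this short.
    return hashlib.sha256(value).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Apply H n times to seed+secret; the user's device computes this."""
    value = seed + secret
    for _ in range(n):
        value = H(value)
    return value

class OtpGate:
    """Hypothetical server-side state: one OTP check, then a per-IP grant."""

    def __init__(self, ttl: int = 600):
        self.ttl = ttl
        self.last_otp = {}   # user -> last accepted chain value
        self.grants = {}     # client IP -> time the grant expires

    def enroll(self, user: str, top_of_chain: bytes) -> None:
        self.last_otp[user] = top_of_chain

    def login(self, user: str, otp: bytes, ip: str, now: int) -> bool:
        stored = self.last_otp.get(user)
        # Valid only if hashing the submitted value once gives the stored one.
        if stored is None or not hmac.compare_digest(H(otp), stored):
            return False
        self.last_otp[user] = otp        # the same OTP can never be replayed
        self.grants[ip] = now + self.ttl
        return True

    def authorized(self, ip: str, now: int) -> bool:
        # Called on every hit (page, image, link); needs no password.
        # Caveat: everyone behind the same NAT address shares this grant.
        expires = self.grants.get(ip)
        if expires is None or now >= expires:
            self.grants.pop(ip, None)
            return False
        return True

    def logout(self, ip: str) -> None:
        self.grants.pop(ip, None)
```

The server stores only the last accepted value, so a password captured at a kiosk is useless for a second login; the per-IP grant is the part that needs a short lifetime and a working logout.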


