Date: Fri, 24 Sep 2004 21:22:22 -0400
From: Al Johnson <ajhonson3391@tampabay.rr.com>
To: freebsd-questions@freebsd.org
Subject: Re: Advice: "The Right" authentication method
Message-ID: <20040925012222.GB72298@bhunter.net>
In-Reply-To: <20040923113709.GB30497@happy-idiot-talk.infracaninophile.co.uk>
References: <D46B23FA-0D4E-11D9-AE37-000D93511A6A@hhbb.co.uk> <20040923113709.GB30497@happy-idiot-talk.infracaninophile.co.uk>
On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
> On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
> > I'm working on writing the "Control Panel" scripts which subscribers to
> > our ISP will use to set up their eMail accounts and web space.
> >
> > Here's the Server spec:
> >
> > FreeBSD-Current;
> > Perl 5.6.1, no problem installing any needed modules;
> > Apache 2;
> > I'm keeping ordinary customers off the machine, so I run Postfix and
> > Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to
> > arrange access to the control panel system.
> >
> > I'm stuck at the very start of my design process. I have two tasks to
> > do:
> >
> > Verify that users have supplied the correct password; and let the perl
> > scripts know who that visitor is, so that we can select the correct
> > accounts to show.
> >
> > Do I use SASL directly? or LDAP? or do I implement an Apache module to
> > handle access and let Apache do the work?
> >
> > I want to do "The right thing" - that is, the most general and correct
> > thing possible. I've got years of experience in perl scripting, but at
> > the moment I'm wandering around in a twisty little maze of standards,
> > all different.
> >
> > Clue, please?
>
> You're basically writing a web application. For which you need access
> control. You've got two choices: either use the HTTP basic or HTTP
> digest auth mechanisms built into HTTP, and supported by Apache, or
> (and this is by far the most popular choice) write your own
> authentication mechanism as part of your application[1].
>
> The second choice gives you a lot more flexibility about how you
> customise things and how you make the login screen look, which is
> probably why it's more popular. You can also arrange things to avoid
> sending passwords across the net in cleartext if you're cunning
> enough.
>
> However you do it, the authentication process is essentially that the
> client sends you two pieces of information: their username (i.e. who
> they claim to be) and some form of secret. The secret is usually a
> password, but it can be something more complicated like an Opie
> one-time password or whatever. Then in your application you compare
> the secret to your stored version of it, and if they match you believe
> that the client is who they say they are and that they should have
> access. Of course, you don't want to keep the secret values lying
> around in plain text: the standard Unix response to all that is to
> generate a password hash using DES or MD5 to store, and to try and
> recreate that hash using the password supplied by the user.
>
> That's where SASL comes in: instead of having to code up all that
> stuff yourself, SASL is a library of authentication methods that you
> can just plug into your application.
>
> Yes, you will need some sort of user account database -- often
> implemented using a RDBMS, but could with little extra effort be made
> to operate against an LDAP or RADIUS server. Or whatever the database
> type you're already using for your Postfix+Cyrus setup.
>
> There are several examples of doing this sort of thing within the
> ports system -- most are written in PHP, but check out devel/bugzilla
> and www/rt3 for perl based examples.
>
> Cheers,
>
> Matthew

I'd be grateful if someone would point out some examples of SASL
authentication using PHP in the ports. I've searched through the ports,
but had no luck finding any.

-- 
Wager at the Golden Plate Casino!
http://www.landoverbaptist.org/news0502/goldenplate.html
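Matthew's description of the check (store only a hash of the secret, recompute it from the password the client supplies, and compare) together with Andy's second task (let later requests know who the visitor is), as one added, runnable example. This is not code from the thread or from any project named in it, and it is written in Python rather than the Perl Andy is using. Everything in it is an assumption: the in-memory account table standing in for the RDBMS/LDAP store, the usernames and passwords, the PBKDF2 work factor used in place of the DES/MD5 crypt hashes Matthew mentions, and the HMAC-signed session token the scripts use to learn who the visitor is.

```python
"""Two tasks from the thread: verify a supplied password against a stored
hash, and tell later requests who the visitor is.  All names and data below
are constructed for illustration."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000          # work factor for the password hash (assumption)
SESSION_KEY = os.urandom(32)  # server-side secret that signs session tokens


def make_record(password, salt=None):
    """Stored form of a password: random salt plus a slow salted hash.
    The plaintext itself is never kept, as Matthew's reply recommends."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed stand-in for the RDBMS/LDAP account table: username -> record.
ACCOUNTS = {
    "andy": make_record("correct horse"),
    "al": make_record("battery staple"),
}

# Exists only so that an unknown username costs the same hashing work as a
# real one, so response time does not reveal which usernames exist.
_DUMMY = make_record("dummy")


def verify_password(accounts, username, password):
    """Task 1: recompute the hash from the supplied secret and compare it with
    the stored one.  True only when they match for an existing user."""
    record = accounts.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], ITERATIONS
    )
    match = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    return match and username in accounts


def issue_session(username):
    """Task 2: hand the browser a token naming the user, with an HMAC tag so
    the CGI scripts can trust that name on later requests."""
    payload = base64.urlsafe_b64encode(username.encode("utf-8")).decode("ascii")
    tag = hmac.new(SESSION_KEY, payload.encode("ascii"), "sha256").hexdigest()
    return f"{payload}.{tag}"


def current_user(token):
    """Username a valid token identifies, or None if the token was altered,
    malformed, or not issued with this server's key."""
    try:
        payload, tag = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SESSION_KEY, payload.encode("ascii"), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return base64.urlsafe_b64decode(payload.encode("ascii")).decode("utf-8")


def login(accounts, username, password):
    """Combined flow for the control-panel login handler: verify, then issue
    a session token; None on failure."""
    if not verify_password(accounts, username, password):
        return None
    return issue_session(username)


if __name__ == "__main__":
    tok = login(ACCOUNTS, "andy", "correct horse")
    print("logged in as", current_user(tok))
    print("wrong password ->", login(ACCOUNTS, "andy", "wrong"))
    print("tampered token ->", current_user(tok + "x"))
```

The login handler calls `login()` once and sets the returned token as a cookie; every other script calls `current_user()` on that cookie to decide which accounts to display, so only the hash comparison ever touches the password. The dummy record and `hmac.compare_digest` are there so that neither the username lookup nor the hash comparison leaks information through timing.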