Date: Thu, 11 Dec 2003 11:15:51 +0100 From: bruce@nikkel.com To: Brett Glass <brett@lariat.org> Cc: security@freebsd.org Subject: Re: s/key authentication for Apache on FreeBSD? Message-ID: <20031211101551.GA27435@nikkel.com> In-Reply-To: <6.0.0.22.2.20031210173916.04f57be8@localhost> References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <20031210093927.70c87960.amonk@gnutec.com> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <16343.33321.632599.190251@oscar.buszard-welcher.com> <6.0.0.22.2.20031210173916.04f57be8@localhost>
index | next in thread | previous in thread | raw e-mail
On Wed, Dec 10, 2003 at 05:47:00PM -0700, Brett Glass wrote: > >The problem with using s/key (or opie) together with http basic auth is > >the repetive nature of http requests. The webserver would expect see > >the basic authentication string with every single request. You would be > >promtped for your next onetime password for every single gif or link on > >the page requested. I don't know how practical that would be. > > If this is true, then I'd have to write a Perl authentication module > that called s/key once and authorized an IP until the user clicked > a "logout" button or a certain amount of time elapsed. So, I'd be > using mod_perl *and* PAM. A bit more complex, but I can do it if I must. > Are you sure that Apache will try to authorize again on every hit? If the basic auth string was not included in an http request, the webserver would generate a error 401 (Unauthorized). Check out RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication). Bruce Nikkel --help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031211101551.GA27435>