Advice: "The Right" authentication method
Jeff Hinrichs
jlh at cox.net
Fri Sep 24 20:13:16 PDT 2004
Al Johnson wrote:
> On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
>
>>On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
>>
>>>I'm working on writing the "Control Panel" scripts which subscribers to
>>>our ISP will use to set up their eMail accounts and web space.
>>>
>>>Here's the Server spec:
>>>
>>>FreeBSD-Current;
>>>Perl 5.6.1, no problem installing any needed modules;
>>>Apache 2;
>>>I'm keeping ordinary customers off the machine, so I run Postfix and
>>>Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to
>>>arrange access to the control panel system.
>>>
>>>I'm stuck at the very start of my design process. I have two tasks to
>>>do:
>>>
>>>Verify that users have supplied the correct password; and let the perl
>>>scripts know who that visitor is, so that we can select the correct
>>>accounts to show.
>>>
>>>Do I use SASL directly? or LDAP? or do I implement an Apache module to
>>>handle access and let Apache do the work?
>>>
>>>I want to do "The right thing" - that is, the most general and correct
>>>thing possible, I've got years of experience in perl scripting, but at
>>>the moment I'm wandering around in a twisty little maze of standards, all
>>>different.
>>>
>>>Clue, please?
>>
>>You're basically writing a web application. For which you need access
>>control. You've got two choices: either use the HTTP basic or HTTP
>>digest auth mechanisms built into HTTP, and supported by Apache, or
>>(and this is by far the most popular choice) write your own
>>authentication mechanism as part of your application[1].
>>
>>The second choice gives you a lot more flexibility about how you
>>customise things and how you make the login screen look, which is
>>probably why it's more popular. You can also arrange things to avoid
>>sending passwords across the net in cleartext if you're cunning
>>enough.
>>
>>However you do it, the authentication process is essentially that the
>>client sends you two pieces of information: their username (ie. who
>>they claim to be) and some form of secret. The secret is usually a
>>password, but it can be something more complicated like an Opie
>>one-time password or whatever. Then in your application you compare
>>the secret to your stored version of it, and if they match you believe
>>that the client is who they say they are and that they should have
>>access. Of course, you don't want to keep the secret values lying
>>around in plain text: the standard Unix response to all that is to
>>generate a password hash using DES or MD5 to store, and to try and
>>recreate that hash using the password supplied by the user.
>>
>>That's where SASL comes in: instead of having to code up all that
>>stuff yourself, SASL is a library of authentication methods that you
>>can just plug into your application.
>>
>>Yes, you will need some sort of user account database -- often
>>implemented using an RDBMS, but could with little extra effort be made
>>to operate against an LDAP or RADIUS server. Or whatever the database
>>type you're already using for your Postfix+Cyrus setup.
>>
>>There are several examples of doing this sort of thing within the
>>ports system -- most are written in PHP, but check out devel/bugzilla
>>and www/rt3 for perl based examples.
>>
>> Cheers,
>>
>> Matthew
>
>
> I'd be grateful if someone would point out some examples of SASL
> authentication using PHP in the ports.
>
> I've searched through the ports, but had no luck finding any.
>
It looks like there is a SASL implementation in PEAR
http://pear.php.net/package/Auth_SASL/docs/1.0.0/li_Auth_SASL.html
You might try and start here:
http://www.freshports.org/security/pear-Auth_SASL/
hth,
Jeff
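The two checks Matthew describes above, as an added worked example that is not code from this thread or from any of the projects it names (Cyrus SASL, Postfix, PEAR Auth_SASL). It is in Python rather than Perl purely so it can be run as-is. The first half is the classic "client sends username and password, server recreates a stored salted hash and compares" flow; PBKDF2-HMAC-SHA256 from hashlib stands in for the DES/MD5 crypt() formats mentioned in the thread. The second half is CRAM-MD5 (RFC 2195), one of the SASL shared-secret mechanisms, with both the client and server sides of the exchange, which is one way to avoid sending the password in cleartext. The in-memory dicts, the username "alice", the password and the hostname "mail.example.net" are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: work factor for PBKDF2; tune to the server (2004 hardware would use far fewer).
PBKDF2_ROUNDS = 200_000


def make_password_record(password: str) -> dict:
    """Store a per-user random salt plus PBKDF2-HMAC-SHA256 of the password.

    Stand-in for the DES/MD5 crypt() hashes the thread mentions: the salt makes
    equal passwords hash differently and defeats precomputed tables.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    """Recreate the hash from the supplied password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


# Hash of an empty password, used so unknown usernames cost the same as known ones.
_DUMMY_RECORD = make_password_record("")


def login(store: dict, username: str, password: str):
    """The 'who is this visitor' step: returns the username on success, else None.

    An unknown user still pays for one PBKDF2 run, so response time does not
    reveal which usernames exist.
    """
    record = store.get(username)
    if record is None:
        verify_password(_DUMMY_RECORD, password)
        return None
    return username if verify_password(record, password) else None


def cram_md5_challenge(hostname: str) -> bytes:
    """Server side of CRAM-MD5: a fresh, unpredictable challenge in msg-id form."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode("ascii")


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side of CRAM-MD5: prove knowledge of the password without sending it."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode("utf-8")


def cram_md5_verify(plain_store: dict, challenge: bytes, response: bytes):
    """Server side of CRAM-MD5: recompute the HMAC with the stored secret and compare.

    plain_store maps username -> cleartext password. CRAM-MD5, like the other
    shared-secret SASL mechanisms, cannot be checked against a one-way hash,
    which is the trade-off against the scheme above.
    """
    username, _, digest = response.decode("utf-8", "replace").partition(" ")
    # Always compute an HMAC (with "" for unknown users) before deciding, for even timing.
    password = plain_store.get(username, "")
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))
    return username if ok and username in plain_store else None


if __name__ == "__main__":
    # Constructed sample account for the two flows.
    hashed = {"alice": make_password_record("correct horse")}
    print(login(hashed, "alice", "correct horse"))   # alice
    print(login(hashed, "alice", "wrong"))           # None

    plain = {"alice": "correct horse"}
    chal = cram_md5_challenge("mail.example.net")
    resp = cram_md5_response("alice", "correct horse", chal)
    print(cram_md5_verify(plain, chal, resp))        # alice
```

The challenge includes a random token, so a captured response is useless against the next challenge. Note what the two halves cost you: the hashed store never holds the password, but the password crosses the wire (so the control panel must run over TLS); CRAM-MD5 keeps the password off the wire, but the server must hold the cleartext secret, which is why a shared-secret SASL mechanism cannot be backed by crypt()-style hashes.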
More information about the freebsd-questions mailing list