s/key authentication for Apache on FreeBSD?
Brett Glass
brett at lariat.org
Wed Dec 10 16:50:08 PST 2003
At 01:29 PM 12/10/2003, James Welcher wrote:
>Maybe not the solution you are looking for, but I wouldn't write a
>one-time password solution as an apache module. It seems to me like it
>would be rather complex to implement and you would still have to
>manage users' keys and generate the "little slips of paper" or educate
>the users to employ some kind of s/key or opie algorithm on their PDA
>or via some other host.
The people in question have Palm Pilots. And, yes, in a pinch
slips of paper could be generated. The key thing is to be able
to get in from a public kiosk without the risk of compromised
passwords.
Bruce Nikkel writes:
>The problem with using s/key (or opie) together with http basic auth is
>the repetitive nature of http requests. The webserver would expect to see
>the basic authentication string with every single request. You would be
>prompted for your next one-time password for every single gif or link on
>the page requested. I don't know how practical that would be.
If this is true, then I'd have to write a Perl authentication module
that called s/key once and authorized an IP until the user clicked
a "logout" button or a certain amount of time elapsed. So, I'd be
using mod_perl *and* PAM. A bit more complex, but I can do it if I must.
Are you sure that Apache will try to authorize again on every hit?
--Brett
More information about the freebsd-security
mailing list
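
Added example, not part of the original thread: a Python sketch of the two behaviours discussed above, a hash-chain one-time password that is consumed by every check, and a gate that checks it once and then authorizes the client IP until logout or timeout. Truncated SHA-256 stands in for the MD4/MD5 step of real S/Key or OPIE, and the class names, addresses and secrets are constructed for illustration.

```python
import hashlib
import hmac
import time

def otp_hash(data: bytes) -> bytes:
    # Assumption: truncated SHA-256 stands in for the MD4/MD5 fold of S/Key/OPIE.
    return hashlib.sha256(data).digest()[:8]

def otp_chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """n-th value of the hash chain: otp_hash applied n times to seed + secret."""
    value = seed + secret
    for _ in range(n):
        value = otp_hash(value)
    return value

class OtpVerifier:
    """Server side: stores only the last accepted value, never the secret."""
    def __init__(self, last_accepted: bytes):
        self.last = last_accepted

    def verify(self, candidate: bytes) -> bool:
        # A valid password hashes to the stored value and then replaces it,
        # so every password is accepted exactly once.
        if hmac.compare_digest(otp_hash(candidate), self.last):
            self.last = candidate
            return True
        return False

class IpSessionGate:
    """Hypothetical gate: one OTP check, then the IP is allowed until logout or timeout."""
    def __init__(self, verifier: OtpVerifier, ttl_seconds: float, clock=time.monotonic):
        self.verifier, self.ttl, self.clock = verifier, ttl_seconds, clock
        self.expires = {}  # client IP -> deadline

    def login(self, ip: str, candidate: bytes) -> bool:
        if not self.verifier.verify(candidate):
            return False
        self.expires[ip] = self.clock() + self.ttl
        return True

    def is_authorized(self, ip: str) -> bool:
        deadline = self.expires.get(ip)
        if deadline is None or self.clock() >= deadline:
            self.expires.pop(ip, None)  # drop expired entries
            return False
        return True

    def logout(self, ip: str) -> None:
        self.expires.pop(ip, None)
```

Every client that reaches the server from the same address (for example through a NAT or proxy) shares the authorization while the entry lives, so the timeout should be kept short.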