I'm constructing a Web server which may require restricted areas of the site to be used from public places where a password might be sniffed. The damage that could be done by taking snapshots of the content from one session with a spy program is minimal. What the owner of the server does NOT want, though, is to allow unauthorized parties to gain unfettered access by stealing the password via a key sniffer. After considering the readily available alternatives, I'd like to try using s/key one-time passwords with "basic" authentication (which works on most browsers). But how do I lash Apache and s/key together under FreeBSD, and get Apache to require s/key passwords from all IP addresses outside the owner's home network? (Apache doesn't have a mod_auth_skey module, so I'd probably have to cobble this together with mod_perl -- or via PAM, with which I have virtually no experience.) All suggestions as to the most efficient way to construct a solution will be most welcome. --Brett Glass
Brett Glass writes:

> After considering the readily available alternatives, I'd like to
> try using s/key one-time passwords with "basic" authentication (which
> works on most browsers). But how do I lash Apache and s/key together
> under FreeBSD, and get Apache to require s/key passwords from all
> IP addresses outside the owner's home network? (Apache doesn't have
> a mod_auth_skey module, so I'd probably have to cobble this together
> with mod_perl -- or via PAM, with which I have virtually no experience.)
> All suggestions as to the most efficient way to construct a solution
> will be most welcome.

PAM is the most sensible. Once set up, it hands over a whole lot of policy to one set of config files, and this makes sysadmins' jobs much easier. Learning PAM is well worth your while.

M
--
Mark Murray
iumop ap!sdn w,I idlaH
At 07:39 AM 12/10/2003, Kyle Amon wrote:

> It sounds like you're going all crazy here.

It does?

> Unfortunately, what you've
> written to describe your requirement is not very precise. Assuming you
> are not concerned about "keystroke loggers"

You must have misunderstood my message: This is EXACTLY what the owner is concerned about. Encrypting the content is not as important as preventing unfettered future access via a password stolen by sniffing either the network or the keyboard. Thus, SSL -- while it might be nice -- is optional. What's needed is one-time passwords for "basic" authentication in Apache.

--Brett Glass
Brett Glass wrote:

> I'm constructing a Web server which may require restricted areas
> of the site to be used from public places where a password might
> be sniffed. The damage that could be done by taking snapshots of
> the content from one session with a spy program is minimal. What
> the owner of the server does NOT want, though, is to allow unauthorized
> parties to gain unfettered access by stealing the password via
> a key sniffer.

Be warned that an attacker would probably be able to issue more commands after the user thinks he has logged out (when the user used a compromised machine).

Slawek
An excellent reason to use SSL together with S/key.

--Brett

At 06:02 PM 12/10/2003, Michael Sierchio wrote:

> The problem with S/key or OPIE authentication is that it
> is sadly subject to a MITM attack, and relies on
> blind trust in the server.
>
> The challenge is not a random challenge, it is unfortunately
> a sequence number and salt -- if I trick you into typing in
> the one-time password with a lower sequence number than the
> current one you are proper fucked. I can then generate all of
> the subsequent "one-time" passwords.
>
> If you have a half-authenticated SSL connection, and are
> conducting the exchange over it, then it should be fine.
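The hash-chain property Michael describes, as an added illustration that is not part of the thread: a minimal S/key-style server and a client that refuses any challenge whose sequence number is not the one it expects next. SHA-256 stands in for real S/key's MD4 folding and word encoding, and `Server`, `Client`, `otp` and `forward` are names chosen here, not from any S/key or OPIE implementation.

```python
import hashlib


def otp(secret: bytes, seq: int) -> bytes:
    """One-time password for sequence number seq: H^seq(secret).
    Sequence numbers count down from the initial n (simplified S/key)."""
    h = secret
    for _ in range(seq):
        h = hashlib.sha256(h).digest()
    return h


def forward(value: bytes, steps: int) -> bytes:
    """Walk the chain forward. This is the weakness from the thread:
    whoever learns H^j(secret) can compute every H^k for k > j, i.e. all
    passwords still valid at the server."""
    return otp(value, steps)


class Server:
    """Stores only H^n(secret) and the current sequence number."""

    def __init__(self, secret: bytes, n: int):
        self.seq = n
        self.stored = otp(secret, n)

    def challenge(self) -> int:
        return self.seq - 1          # "give me H^(seq-1)"

    def verify(self, response: bytes) -> bool:
        if hashlib.sha256(response).digest() != self.stored:
            return False             # wrong value, or a replay of the last one
        self.stored, self.seq = response, self.seq - 1
        return True


class Client:
    """Holds the secret and enforces a strictly decreasing-by-one challenge.
    Rejecting a lower-than-expected sequence number is the client-side check
    that blunts the MITM trick described above."""

    def __init__(self, secret: bytes, n: int):
        self.secret = secret
        self.expected = n - 1

    def respond(self, seq: int) -> bytes:
        if seq != self.expected:
            raise ValueError(f"challenge {seq} != expected {self.expected}: possible MITM")
        self.expected -= 1
        return otp(self.secret, seq)
```

Run the client and server against each other and the chain advances one step per login; feed the client a stale (lower) sequence number and it refuses, because `forward` shows why answering would hand out every remaining password.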