Date: Wed, 10 Dec 2003 13:30:02 -0800 (PST)
From: Jason Stone <freebsd-security@dfmm.org>
To: security@freebsd.org
Subject: Re: s/key authentication for Apache on FreeBSD?
Message-ID: <20031210132049.D3696@walter>
In-Reply-To: <20031210202623.GC1458@nikkel.com>
References: <6.0.0.22.2.20031210115335.04c2fc50@localhost> <6.0.0.22.2.20031210124332.04e94ac0@localhost> <20031210202623.GC1458@nikkel.com>
> > What's needed is one-time passwords for "basic" authentication in
> > Apache.
>
> The problem with using s/key (or opie) together with http basic auth is
> the repetitive nature of http requests. The webserver would expect to see
> the basic authentication string with every single request. You would be
> prompted for your next one-time password for every single gif or link on
> the page requested. I don't know how practical that would be.

Good point. You'd have to implement your own sessioning and authentication entirely within your app, which always sucks.

An additional issue with http basic auth and an opie calculator is that opie is challenge based - you compute the response based on the iteration count and a salt string. So the user's browser is going to have to be convinced to show him the challenge so he can enter it into the calculator, but most browsers won't show you the html returned by the initial 401 request until _after_ the user has failed or bailed out of the authentication process. You could possibly coerce apache into dynamically inserting the challenge into the authentication "realm," but that probably precludes using a standard mod_auth_pam type of thing.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
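The two problems discussed in the thread, as an added example that is not part of the original message nor of Apache or OPIE code: the server embeds the OPIE challenge in the Basic realm (the workaround Jason floats) and consumes each one-time password on use, so when the browser re-sends the same Authorization header with the next request it is simply re-challenged. The seed, passphrase, user name and hex-form otp-md5 response (RFC 2289 folding) are constructed assumptions for the demo.

```python
import base64
import hashlib

# Constructed demo values (not from the thread): an OPIE-style seed and passphrase.
SEED = "ke1234"
PASSPHRASE = "correct horse battery staple"


def fold(digest: bytes) -> bytes:
    """RFC 2289 folding: XOR the two 8-byte halves of a 16-byte MD5 digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(seed: str, passphrase: str, seq: int) -> str:
    """Calculator (client) side: otp-md5 response for sequence `seq`, as 16 hex chars."""
    h = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        h = fold(hashlib.md5(h).digest())
    return h.hex()


class OtpBasicAuth:
    """Server side: HTTP Basic auth whose realm carries the OPIE challenge."""

    def __init__(self, seed: str, passphrase: str, seq: int):
        self.seed, self.seq = seed, seq
        # Only the last verified OTP (sequence seq+1) is stored; the passphrase is not kept.
        self.last = bytes.fromhex(otp_md5(seed, passphrase, seq + 1))

    def challenge(self) -> str:
        return f'Basic realm="otp-md5 {self.seq} {self.seed}"'

    def handle(self, authorization):
        """Return (status, header) for one request; each OTP is valid exactly once."""
        if not authorization or not authorization.startswith("Basic "):
            return 401, self.challenge()
        _user, _, otp_hex = base64.b64decode(authorization[6:]).decode().partition(":")
        try:
            candidate = bytes.fromhex(otp_hex)
        except ValueError:
            return 401, self.challenge()
        # Hash the response once: a valid OTP for `seq` must yield the stored OTP for seq+1.
        if len(candidate) == 8 and fold(hashlib.md5(candidate).digest()) == self.last:
            self.last, self.seq = candidate, self.seq - 1
            return 200, "OK"
        return 401, self.challenge()  # replayed or wrong OTP: browser sees the 401 again


def basic_header(user: str, otp_hex: str) -> str:
    """What a browser sends once the user types the calculator's output as the password."""
    return "Basic " + base64.b64encode(f"{user}:{otp_hex}".encode()).decode()
```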