Posted to users@httpd.apache.org by "ml@bortal.de" <ml...@bortal.de> on 2009/04/02 12:12:20 UTC

[users@httpd] Looking for cheap and secure Authentication - Build own OTP?

Hello List,

we would like to protect a Web-Application Server (let's say Outlook 
Web Access or whatever) by using a Reverse Proxy / Apache. This works out 
quite well so far.

- - -

Now we would like to add an authentication, so that only users who 
pass the Reverse Proxy auth will get to the Web-App login. This can be 
done by some htaccess and static passwords. The disadvantage is that 
these are static passwords and they could be stored by keyloggers. So we 
need some kind of one time passwords (OTP).

Is there a way to add some random "salt" to the HTTP authentication?

- - -

I had the following idea (http://i39.tinypic.com/zmyyjs.jpg):

The user gets to some login page (PHP) where he enters his 
username/password. Then PHP asks him for the 3rd, 6th and 12th digit of his 
Passport-ID (this can be random). After submitting this, we could set 
this User/Password+(Appended RandomNumber) combination in a database 
which htaccess could try to auth against. This would mean that the user 
would have to enter his login information AGAIN using 
User/Password+(Appended RandomNumber).

Is there a way to get rid of the HTTP access prompt?
Or is there maybe a completely different way to do a secure and cheap OTP 
authentication?

Any ideas?

Cheers,
Mario

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] Looking for cheap and secure Authentication - Build own OTP?

Posted by Richard Peacock <ri...@minorplanet.com>.
At work we have a series of changing passwords, they are based around
the date. For example, the least secure of our passwords would be worked
out something like:

9999 - mmdd = password

So if the date is April 02 2009, then the mmdd string would be 0402.
The password would be calculated as

9999 - 0402 = 9597

Although the password would only change once a day, I am sure from this
you could engineer something to change per hour or even minute if
desired?

-----Original Message-----
From: ml@bortal.de [mailto:ml@bortal.de] 
Sent: 02 April 2009 11:12
To: users@httpd.apache.org
Subject: [users@httpd] Looking for cheap and secure Authentication -
Build own OTP?




Re: [users@httpd] Looking for cheap and secure Authentication - Build own OTP?

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Apr 2, 2009 at 2:30 PM, Krist van Besien
<kr...@gmail.com> wrote:
> On Thu, Apr 2, 2009 at 12:12 PM, ml@bortal.de <ml...@bortal.de> wrote:
>
>> Now we would like to add an authentication, so that only users who pass
>> the Reverse Proxy auth will get to the Web-App login. This can be done by
>> some htaccess and static passwords. The disadvantage is that these are static
>> passwords and they could be stored by keyloggers. So we need some kind of
>> one time passwords (OTP).
>>
>> Is there a way to add some random "salt" to the HTTP authentication?
>
> If you have mod_perl you can use one of many mod_perl authentication
> modules. One example is:
>
> http://search.cpan.org/~tobeya/Apache2-AuthenSecurID-0.5/Auth/Auth.pm
>
> Which can use a SecurID server...

Of course that wouldn't be cheap. Another alternative is mod_auth_external:
http://unixpapa.com/mod_auth_external.html

With this module you can basically use anything for authentication.
You could for example use S/Key one time passwords with this.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

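Added example (not code from the thread, Mario, Krist or the mod_auth_external project): one way to build the "cheap OTP" Mario asks for along the lines Krist suggests, an S/Key-style one-time-password checker that mod_auth_external can run as an external authenticator. Assumptions are labelled in the code: the pipe method is taken to feed the program two lines on stdin (username, then password) and to treat exit status 0 as success, the state file path is invented, and the hash chain uses SHA-256 truncated to 8 bytes instead of the folded MD4/MD5 of RFC 2289, so it is not wire-compatible with real S/Key calculators. The point the thread raises, that a keylogged password must be useless afterwards, is what `verify` enforces: each accepted value advances the stored chain head, so replaying it fails.

```python
#!/usr/bin/env python3
"""S/Key-style (Lamport hash chain) one-time-password authenticator.

Server record per user: (seed, n, h_n) where h_0 = H(seed || passphrase)
and h_i = H(h_{i-1}).  The server never learns the passphrase.  For the
next login the client presents h_{n-1}; the server accepts it iff
H(candidate) == h_n, then stores (n-1, h_{n-1}).  A captured password is
therefore worthless: its hash no longer matches the stored head.

Assumed httpd wiring (check the module's README, directive names recalled
from memory):
    AddExternalAuth otp /usr/local/bin/otpauth.py
    SetExternalAuthMethod otp pipe
    AuthType Basic ... AuthBasicProvider external ... AuthExternal otp
"""
import hashlib
import hmac
import json
import sys

STATE_FILE = "/var/lib/otpchain/users.json"  # assumed path, not from the thread
CHAIN_LENGTH = 100                           # logins per enrolment before re-keying


def step(value: bytes) -> bytes:
    """One link of the chain: SHA-256 truncated to 64 bits (S/Key folds MD4/MD5)."""
    return hashlib.sha256(value).digest()[:8]


def chain_value(seed: str, passphrase: str, n: int) -> bytes:
    """h_n = step^n(step(seed || passphrase)).  Only the client ever runs this
    with the real passphrase; the server calls it once, at enrolment."""
    v = step(seed.encode() + passphrase.encode())
    for _ in range(n):
        v = step(v)
    return v


def enrol(seed: str, passphrase: str, n: int = CHAIN_LENGTH) -> dict:
    """Server-side record: stores the chain head h_n, never the passphrase."""
    return {"seed": seed, "n": n, "last": chain_value(seed, passphrase, n).hex()}


def next_password(seed: str, passphrase: str, record: dict) -> str:
    """Client side: the password for the next login is h_{n-1}, as 16 hex chars
    (real S/Key renders the 64 bits as six short words instead)."""
    return chain_value(seed, passphrase, record["n"] - 1).hex()


def verify(record: dict, candidate_hex: str) -> bool:
    """Accept candidate iff step(candidate) equals the stored head, then advance
    the record so the same value can never be accepted twice."""
    if record["n"] < 1:
        return False                      # chain exhausted: user must re-enrol
    try:
        candidate = bytes.fromhex(candidate_hex.strip())
    except ValueError:
        return False
    if len(candidate) != 8:
        return False
    expected = bytes.fromhex(record["last"])
    if not hmac.compare_digest(step(candidate), expected):
        return False
    record["n"] -= 1
    record["last"] = candidate.hex()
    return True


def main() -> int:
    """mod_auth_external pipe protocol as assumed here: username\\npassword\\n on
    stdin, exit 0 on success.  A production version needs a lock around the
    read-modify-write of STATE_FILE so two concurrent logins cannot both
    consume the same chain value."""
    user = sys.stdin.readline().rstrip("\n")
    password = sys.stdin.readline().rstrip("\n")
    try:
        with open(STATE_FILE) as f:
            users = json.load(f)
    except OSError:
        return 1
    record = users.get(user)
    if record is None or not verify(record, password):
        return 1
    with open(STATE_FILE, "w") as f:      # persist the advanced head so replay fails
        json.dump(users, f)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Enrol a user by running `enrol(seed, passphrase)` once on the server and storing the result under the username in STATE_FILE; the user computes each login value offline with `next_password` (or any S/Key-like calculator adapted to this hash). After CHAIN_LENGTH logins `verify` refuses everything until the user re-enrols with a fresh seed, which is the one piece of operational overhead a hash-chain OTP has over a time-based token.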


Re: [users@httpd] Looking for cheap and secure Authentication - Build own OTP?

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Apr 2, 2009 at 12:12 PM, ml@bortal.de <ml...@bortal.de> wrote:

> Now we would like to add an authentication, so that only users who pass
> the Reverse Proxy auth will get to the Web-App login. This can be done by
> some htaccess and static passwords. The disadvantage is that these are static
> passwords and they could be stored by keyloggers. So we need some kind of
> one time passwords (OTP).
>
> Is there a way to add some random "salt" to the HTTP authentication?

If you have mod_perl you can use one of many mod_perl authentication
modules. One example is:

http://search.cpan.org/~tobeya/Apache2-AuthenSecurID-0.5/Auth/Auth.pm

Which can use a SecurID server...

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
