Hi,
I got a reply that suggests using PGP authentication. That is a 
wonderful idea. Many teachers have Android smartphones and one could 
build a very easy-to-use solution based upon the "something you have" 
(private key) pattern.
Alas, it will not work here. Quite often the teachers will give the 
pupils the possibility to switch on internet access on their own. That's 
why I have OTP lists. The pupils get one number from the list. If I switch 
to private/public keys they would simply get the keys :-(
I wouldn't say that the idea of PGP is dead, but if I use that path, 
it would take a bit more effort; maybe I could use smartcards or 
something like that to store the key. At the moment that is too big a project.
So, any suggestions on how to use multiple OTPs?

Thanks a lot
Malte Müller

On 28.2.2011 15:36, Spezifikum wrote:
> Hi,
> I read about fwknop in the German IT magazine iX (03/2011). It seems
> like a perfect fit for my use case here, but I need something like
> multiple OTP lists, one per user. I know that allowing multiple users
> to manipulate the firewall is a bit strange, but it is the best solution
> I have come across so far. Currently I am using a website (PHP) written to
> accomplish that task, but port knocking would be much better and easier
> to maintain.
> In a school environment I need to grant internet access (HTTP(S), FTP,
> POP, IMAP, SFTP) on demand to a group of computers. Currently the
> teacher opens the web page, logs in with his name and an OTP which is
> stored in a database, one table per user, and grants internet access to one
> room. In the background a PHP script calls a script which manipulates
> the firewall. The script is setuid root, by the way (with a wrapper, of
> course). Technically this works like a charm, but I do not like setuid-root
> shell scripts being executed by PHP pages.
> What I would need to do is make fwknop look up the knock sequence, or
> a part of it, in a database, be it an internal one or an external one like MySQL.
> Let's say the user/teacher Joe has the number 0001 assigned; then the
> sequence 0001 7331 0001 1234 1234 would execute the start command if the
> number "7331" is the next unused number in the table "0001".
> Another way would be to create one set of entries per user in the config
> file, where one set consists of two entries per group of computers. That
> would currently result in 80 * 2 * 8 entries.
> Could anybody help me and tell me
> a) whether that is possible in a way that doesn't conflict with fwknop's
> design?
> b) and where in the sources of the Perl version the changes would have
> to be made?
>
> Thanks a lot
> Malte Müller
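As an added illustration (not code from this thread or from fwknop), here is a Python sketch of the per-user OTP-list lookup described in the quoted message. The sequence layout "<user> <otp> <user> <room> <room>", the room mapping and the sample OTP values are assumptions; the point it shows is that only the next unused number of a user's list is accepted and that the number is consumed on use, so a pupil who has seen one number cannot replay it.

```python
# Added example (not fwknop code): validate a per-user OTP knock sequence of the
# assumed form "<user> <otp> <user> <room> <room>" against in-memory OTP lists.
# The list layout, the repeated fields and all sample values are constructed.
from typing import Dict, List, Optional

# Constructed sample data: one ordered OTP list per user (the "one table per
# user" of the original post).  Each number may be used exactly once.
OTP_TABLES: Dict[str, List[str]] = {
    "0001": ["7331", "4902", "8815"],
    "0002": ["1187", "6640"],
}

# Constructed mapping from the trailing code to a room; unknown codes are rejected.
ROOMS = {"1234": "room-12"}


def check_knock(sequence: str, tables: Dict[str, List[str]]) -> Optional[str]:
    """Return the room to unlock if the sequence is valid, otherwise None.

    A valid sequence names an existing user, repeats the user id as a sanity
    check, carries that user's *next unused* OTP (so a skipped or replayed
    number fails) and ends with a known room code given twice.  On success
    the OTP is consumed so it can never be reused.
    """
    parts = sequence.split()
    if len(parts) != 5:
        return None
    user, otp, user_again, room, room_again = parts
    if user != user_again or room != room_again:
        return None
    unused = tables.get(user)
    if not unused:            # unknown user or exhausted list
        return None
    if otp != unused[0]:      # only the next unused number is accepted
        return None
    if room not in ROOMS:
        return None           # reject before consuming, so the OTP survives a typo
    unused.pop(0)             # consume: in a real DB do this in one transaction
    return ROOMS[room]


def remaining(user: str, tables: Dict[str, List[str]] = OTP_TABLES) -> int:
    """Number of unused OTPs left for a user (useful for monitoring and re-issue)."""
    return len(tables.get(user, []))
```

The lookup-and-consume step has to be a single atomic database operation in a real deployment, otherwise two concurrent knocks could both be accepted with the same number.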


_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
