On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
> >> > I'm sorry, I meant can I lock down access to my web stuff so that a
> >> > particular user can only come from a particular device (or from any
> >> > device containing a key).
> >
> > You can use apache client authentication with SSL certificates only. Of
> > course you will need to create a self-signed CA, which you will use to
> > create the web server public/private key pair and also sign each client's
> > certificate and upload it along with your CA certificate to the user's
> > browser. This explains the principle:
> >
> > http://wiki.cacert.org/HELP/9
> >
> >
> > Ditto with the VPN connection - should you still want to use VPN.
>
> Let me see if I'm following. I could create a certificate and point
> the browser to it in config and configure my web server to require the
> certificate for HTTP basic authentication?
Well, yes, but it won't be HTTP. It will be HTTPS. The server will request a
client certificate, verify that it has been signed by the CA you defined in
SSLCACertificateFile and allow it to access the web directory. You can allow
different certificates per directory on your server, if you so wish, and
define in the SSLRequire directive which SSL_CLIENT_S_DN_OU values are
acceptable; e.g.

  SSLRequire %{SSL_CLIENT_S_DN_O} eq "Grant's Software, Ltd." \
             and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"}

You will need to have the Client Certificate and private key imported in the
user's browser, or in MSWindows also import them using certmgr.msc to make
them available to any Windows-centric applications.

> Can I require a
> username/password along with the certificate? Can I require the
> certificate only for certain users?

Yes, but for specifics have a look under SSLOptions:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

Read FakeBasicAuth and StrictRequire. So, for example:

  SSLOptions +FakeBasicAuth +StrictRequire

will allow client SSL certificate authentication as an alternative to Basic
passwd authentication.

> > If a user certificate is lost or feared compromised, you revoke it with
> > your CA and upload the CRL to the server.
> >
> > However, this won't do away with XSS, or other similar attack vectors if
> > the users are not careful with their browsing habits.
>
> Can you give me an example?

If your coder has another website page open in his/her browser which contains,
for example, XSS or CSRF code, then the webpage of your company's web app could
potentially be compromised by your user inadvertently executing state-changing
commands on it. By providing an XSS payload the attacker could execute commands
to change username/passwd, change email address, etc. This is one reason that
Internet Banking providers always advise their users to log out and then exit
their browser when they have finished their online banking.

--
Regards,
Mick
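An added worked example, not from the thread, showing one Apache 2.4 vhost that puts the directives Mick names together (SSLCACertificateFile, the CRL, SSLRequire, and SSLOptions +FakeBasicAuth +StrictRequire). ServerName, the file paths, the DN values and the directory names are assumed placeholders.

```apache
# Added example (not from the original thread). Paths, ServerName and DN values are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/apache/server.crt
    SSLCertificateKeyFile   /etc/ssl/apache/server.key

    # The private CA that signed every client certificate; only certificates
    # chaining to this CA pass verification.
    SSLCACertificateFile    /etc/ssl/apache/ca.crt
    # CRL published by that CA: a revoked client certificate fails the handshake.
    SSLCARevocationFile     /etc/ssl/apache/ca.crl
    SSLCARevocationCheck    chain

    # "optional": the server asks for a certificate but still completes the
    # handshake without one, so per-directory rules below decide who gets in.
    # Use "require" instead to refuse every connection without a valid certificate.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Directory /var/www/app/staff>
        # Certificate holders only, and only those with the listed O / OU fields.
        # A browser without a certificate leaves these variables empty, so
        # the expression fails and access is denied (403).
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Software, Ltd." \
                   and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"}
        # StrictRequire: a failed SSLRequire is final and cannot be overridden
        # by other access rules that would otherwise let the request through.
        SSLOptions +StrictRequire
    </Directory>

    <Directory /var/www/app>
        # FakeBasicAuth: when a client certificate is presented, its subject DN
        # becomes the Basic-auth username and the fixed password "password" is
        # supplied automatically. Users without a certificate get the normal
        # Basic-auth prompt, so the certificate is an alternative to the passwd.
        SSLOptions +FakeBasicAuth +StrictRequire
        AuthType Basic
        AuthName "Company web app"
        AuthBasicProvider file
        # One line per certificate user: the one-line subject DN followed by
        # xxj31ZMTZzkVA (crypt() of "password", as given in the mod_ssl docs);
        # ordinary htpasswd entries for password-only users can sit alongside.
        AuthUserFile /etc/apache2/cert-users.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```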