---- Original message ----
>Date: Fri, 15 Sep 2006 14:21:22 +0200
>From: viq <[EMAIL PROTECTED]>
>Subject: Re: webbased authpf ?
>To: misc@openbsd.org
>
>On 9/15/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
>> On Fri, Sep 15, 2006 at 10:27:29AM +0200, Frans Haarman wrote:
>> > Is there something which does "Authpf" like things, only via a website
>> > ? So the user authenticates on the website, then the firewall rules
>> > are loaded!
>> >
>> > Another idea I have is to simply have users authenticate, then they
>> > can download an ssh key with which they can login.
>>
>> It shouldn't be that hard to hack the authpf source to do what you want;
>> the downside is mostly in the fact that this is a lot of trust to place
>> in a web site...
>>
>> The other option is comparatively easy, if you avoid the many pitfalls
>> (notably, the key shouldn't be reachable from the web site, of course,
>> but should probably not even be readable for scripts on the web site;
>> use a s(u|g)id program to check credentials and read the key if they are
>> correct).
>
>Maybe instead of having the ever-valid ssh key available through web
>have a script generate a single S/Key password for user, invalidating
>the last one in case it was not used yet?
>
When I used to have access to HPC clusters for running simulations, a similar
method to what the OP suggested was used for authentication: provide a
login/password over the web to get their firewall to open up a port for you
to ssh into for 8 hours at a time.

The only problem I foresee with what you suggest is that apache would likely
have to break its default chroot to run a script to update authpf files in
/etc/authpf. If there is a way around breaking the chroot, such as having
authpf look for its config files in a different location that is accessible
to apache (e.g. /var/www/etc/authpf), that could work, but I cannot speak
from experience.

viq, I like the idea of using S/Key passwords, although I'm not sure if it
will suffer from the same chroot problems as what I mentioned above.

cheers,
jake

>> Joachim
>>
>>
>
>
>--
>viq
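As an added illustration of viq's suggestion (example code written for this page, not code from the thread, from authpf or from OpenBSD's skey(1)): a Python model of the S/Key-style hash chain, split the way Joachim's advice implies into a verifier that holds only the current chain head (what login/sshd would keep) and a privileged issuer that holds the seed, hands out one password at a time, and spends the previous one itself if it was never used, so an unused password stops working the moment a new one is issued. The hash function (SHA-256 truncated to 64 bits), the class names, the user name and the seed are constructed for the example; the real S/Key (RFC 1760) folds MD4 to 64 bits and encodes the result as six words, and OpenBSD's skey supports several other digests.

```python
import hashlib
import hmac

HOP_BYTES = 8  # keep 64 bits per link; constructed stand-in for S/Key's folding


def hop(value: bytes) -> bytes:
    """One link of the Lamport chain: hash and truncate to 64 bits."""
    return hashlib.sha256(value).digest()[:HOP_BYTES]


def chain(seed: bytes, n: int) -> bytes:
    """hop() applied n times to the seed: password number n of the sequence."""
    v = seed
    for _ in range(n):
        v = hop(v)
    return v


class SKeyVerifier:
    """The login side: per user, how many passwords are left and the last
    accepted value. The seed is never stored here, so reading this state
    does not let anyone compute the next password (the chain only runs
    forward)."""

    def __init__(self) -> None:
        self.state = {}  # user -> [remaining, head]

    def enroll(self, user: str, seed: bytes, count: int) -> None:
        # Enrollment is the only time the seed is seen; store only chain(count).
        self.state[user] = [count, chain(seed, count)]

    def remaining(self, user: str) -> int:
        return self.state[user][0]

    def accept(self, user: str, candidate: bytes) -> bool:
        """A candidate is valid iff one more hop of it equals the stored head.
        On success the head moves down one link, so the value can't be replayed."""
        left, head = self.state[user]
        if left == 0 or not hmac.compare_digest(hop(candidate), head):
            return False
        self.state[user] = [left - 1, candidate]
        return True


class SKeyIssuer:
    """The privileged helper behind the web form (a s(u|g)id program outside
    the web server's chroot, per Joachim's advice): knows the seed, hands out
    the next password, and burns the previous one if it was never used."""

    def __init__(self, verifier: SKeyVerifier, user: str, seed: bytes, count: int) -> None:
        self.v, self.user, self.seed = verifier, user, seed
        self.v.enroll(user, seed, count)
        self.last = None  # most recently issued password

    def issue(self) -> bytes:
        # If the last password is still accepted, the user never used it:
        # spending it here is exactly what invalidates it.
        if self.last is not None:
            self.v.accept(self.user, self.last)
        n = self.v.remaining(self.user)
        if n == 0:
            raise RuntimeError("chain exhausted; the user must re-enroll")
        self.last = chain(self.seed, n - 1)  # verifier holds chain(n)
        return self.last


def demo() -> dict:
    """Walk through use, replay, and invalidation of an unused password."""
    v = SKeyVerifier()
    # Constructed seed for the example; a real seed is random and secret.
    issuer = SKeyIssuer(v, "jake", b"constructed-seed-not-a-real-secret", 5)
    p1 = issuer.issue()
    used_ok = v.accept("jake", p1)   # first use succeeds
    replay = v.accept("jake", p1)    # same value again is refused
    p2 = issuer.issue()              # issued but never used by the user
    p3 = issuer.issue()              # issuing p3 spends p2 on the user's behalf
    stale = v.accept("jake", p2)     # p2 is now dead
    fresh = v.accept("jake", p3)     # p3 works
    return {"used_ok": used_ok, "replay": replay, "stale": stale,
            "fresh": fresh, "left": v.remaining("jake")}


if __name__ == "__main__":
    print(demo())
```

The split matters for Jake's chroot concern: only the issuer needs the seed and write access to anything, so it is the piece that must run with privilege outside /var/www, while the web script in the chroot merely asks it for the next value to show the user.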