Re: Advice: The Right authentication method

2004-09-25 Thread Kevin D. Kinsey, DaleCo, S.P.
Al Johnson wrote:
 On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
  There are several examples of doing this sort of thing within the
  ports system -- most are written in PHP, but check out devel/bugzilla
  and www/rt3 for perl based examples.

  Cheers,

  Matthew

 I'd be grateful if someone would point out some examples of SASL
 authentication using PHP in the ports.

 I've searched through the ports, but had no luck finding any.

Probably squirrelmail fits this description.

KDK
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Advice: The Right authentication method

2004-09-25 Thread Matthew Seaman
On Sat, Sep 25, 2004 at 01:26:42AM -0500, Kevin D. Kinsey, DaleCo, S.P. wrote:
 Al Johnson wrote:
  On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
   There are several examples of doing this sort of thing within the
   ports system -- most are written in PHP, but check out devel/bugzilla
   and www/rt3 for perl based examples.

  I'd be grateful if someone would point out some examples of SASL
  authentication using PHP in the ports.

  I've searched through the ports, but had no luck finding any.

 Probably squirrelmail fits this description.

Actually I must apologise for being unclear. The sort of thing I was
referring to were web applications that manage their own password
database in general, not specifically those that use SASL.  However,
Kevin is right: squirrelmail does contain examples of using SASL to
log into IMAP.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: Advice: The Right authentication method

2004-09-25 Thread Al Johnson

 Actually I must apologise for being unclear. The sort of thing I was
 referring to were web applications that manage their own password
 database in general, not specifically those that use SASL.  However,
 Kevin is right: squirrelmail does contain examples of using SASL to
 log into IMAP.
 
   Cheers,
 
   Matthew

Thanks, Matthew.

I try to read everything you post. You've been very helpful during
the 2 1/2 years that I've read this list.

-- 
Wager at the Golden Plate Casino!
http://www.landoverbaptist.org/news0502/goldenplate.html



Re: Advice: The Right authentication method

2004-09-24 Thread Al Johnson
On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
 On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
  I'm working on writing the Control Panel scripts which subscribers to 
  our ISP will use to set up their eMail accounts and web space.
  
  Here's the Server spec:
  
  FreeBSD-Current;
  Perl 5.6.1, no problem installing any needed modules;
  Apache 2;
  I'm keeping ordinary customers off the machine, so I run Postfix and 
  Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to 
  arrange access to the control panel system.
  
  I'm stuck at the very start of my design process. I have two tasks to 
  do:
  
  Verify that users have supplied the correct password; and let the perl 
  scripts know who that visitor is, so that we can select the correct 
  accounts to show.
  
  Do I use SASL directly? or LDAP? or do I implement an Apache module to 
  handle access and let Apache do the work?
  
  I want to do The right thing - that is, the most general and correct 
  thing possible, I've got years of experience in perl scripting, but at 
  the moment I'm wandering around in a twisty little maze of standards, all 
  different.
  
  Clue, please?
 
 You're basically writing a web application.  For which you need access
 control.  You've got two choices: either use the HTTP basic or HTTP
 digest auth mechanisms built into HTTP, and supported by Apache, or
 (and this is by far the most popular choice) write your own
 authentication mechanism as part of your application[1].
 
 The second choice gives you a lot more flexibility about how you
 customise things and how you make the login screen look, which is
 probably why it's more popular.  You can also arrange things to avoid
 sending passwords across the net in cleartext if you're cunning
 enough.
 
 However you do it, the authentication process is essentially that the
 client sends you two pieces of information: their username (ie. who
 they claim to be) and some form of secret.  The secret is usually a
 password, but it can be something more complicated like an Opie
 one-time password or whatever.  Then in your application you compare
 the secret to your stored version of it, and if they match you believe
 that the client is who they say they are and that they should have
 access.  Of course, you don't want to keep the secret values lying
 around in plain text: the standard Unix response to all that is to
 generate a password hash using DES or MD5 to store, and to try and
 recreate that hash using the password supplied by the user.
 
 That's where SASL comes in: instead of having to code up all that
 stuff yourself, SASL is a library of authentication methods that you
 can just plug into your application.
 
 Yes, you will need some sort of user account database -- often
 implemented using a RDBMS, but could with little extra effort be made
 to operate against an LDAP or RADIUS server.  Or whatever the database
 type you're already using for your Postfix+Cyrus setup.
 
 There are several examples of doing this sort of thing within the
 ports system -- most are written in PHP, but check out devel/bugzilla
 and www/rt3 for perl based examples.
 
   Cheers,
 
   Matthew

I'd be grateful if someone would point out some examples of SASL
authentication using PHP in the ports.

I've searched through the ports, but had no luck finding any.

-- 
Wager at the Golden Plate Casino!
http://www.landoverbaptist.org/news0502/goldenplate.html



Re: Advice: The Right authentication method

2004-09-24 Thread Jeff Hinrichs
Al Johnson wrote:
 On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
  On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
   I'm working on writing the Control Panel scripts which subscribers to
   our ISP will use to set up their eMail accounts and web space.

   Here's the Server spec:

   FreeBSD-Current;
   Perl 5.6.1, no problem installing any needed modules;
   Apache 2;
   I'm keeping ordinary customers off the machine, so I run Postfix and
   Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to
   arrange access to the control panel system.

   I'm stuck at the very start of my design process. I have two tasks to
   do:

   Verify that users have supplied the correct password; and let the perl
   scripts know who that visitor is, so that we can select the correct
   accounts to show.

   Do I use SASL directly? or LDAP? or do I implement an Apache module to
   handle access and let Apache do the work?

   I want to do The right thing - that is, the most general and correct
   thing possible, I've got years of experience in perl scripting, but at
   the moment I'm wandering around in a twisty little maze of standards, all
   different.

   Clue, please?

  You're basically writing a web application.  For which you need access
  control.  You've got two choices: either use the HTTP basic or HTTP
  digest auth mechanisms built into HTTP, and supported by Apache, or
  (and this is by far the most popular choice) write your own
  authentication mechanism as part of your application[1].

  The second choice gives you a lot more flexibility about how you
  customise things and how you make the login screen look, which is
  probably why it's more popular.  You can also arrange things to avoid
  sending passwords across the net in cleartext if you're cunning
  enough.

  However you do it, the authentication process is essentially that the
  client sends you two pieces of information: their username (ie. who
  they claim to be) and some form of secret.  The secret is usually a
  password, but it can be something more complicated like an Opie
  one-time password or whatever.  Then in your application you compare
  the secret to your stored version of it, and if they match you believe
  that the client is who they say they are and that they should have
  access.  Of course, you don't want to keep the secret values lying
  around in plain text: the standard Unix response to all that is to
  generate a password hash using DES or MD5 to store, and to try and
  recreate that hash using the password supplied by the user.

  That's where SASL comes in: instead of having to code up all that
  stuff yourself, SASL is a library of authentication methods that you
  can just plug into your application.

  Yes, you will need some sort of user account database -- often
  implemented using a RDBMS, but could with little extra effort be made
  to operate against an LDAP or RADIUS server.  Or whatever the database
  type you're already using for your Postfix+Cyrus setup.

  There are several examples of doing this sort of thing within the
  ports system -- most are written in PHP, but check out devel/bugzilla
  and www/rt3 for perl based examples.

  Cheers,

  Matthew

 I'd be grateful if someone would point out some examples of SASL
 authentication using PHP in the ports.

 I've searched through the ports, but had no luck finding any.

It looks like there is a SASL implementation in PEAR
http://pear.php.net/package/Auth_SASL/docs/1.0.0/li_Auth_SASL.html

You might try and start here:
http://www.freshports.org/security/pear-Auth_SASL/

hth,
Jeff


Advice: The Right authentication method

2004-09-23 Thread Andy Holyer
I'm working on writing the Control Panel scripts which subscribers to 
our ISP will use to set up their eMail accounts and web space.

Here's the Server spec:
FreeBSD-Current;
Perl 5.6.1, no problem installing any needed modules;
Apache 2;
I'm keeping ordinary customers off the machine, so I run Postfix and 
Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to 
arrange access to the control panel system.

I'm stuck at the very start of my design process. I have two tasks to 
do:

Verify that users have supplied the correct password; and let the perl 
scripts know who that visitor is, so that we can select the correct 
accounts to show.

Do I use SASL directly? or LDAP? or do I implement an Apache module to 
handle access and let Apache do the work?

I want to do The right thing - that is, the most general and correct 
thing possible, I've got years of experience in perl scripting, but at 
the moment I'm wandering around in a twisty little maze of standards, all 
different.

Clue, please?
Thanks in advance for any advice.
---
Andy Holyer, Systems Administrator
Hedgehog Broadband, 11 Marlborough Place Brighton BN1 1UB
08451 260895 x 241


Re: Advice: The Right authentication method

2004-09-23 Thread Matthew Seaman
On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
 I'm working on writing the Control Panel scripts which subscribers to 
 our ISP will use to set up their eMail accounts and web space.
 
 Here's the Server spec:
 
 FreeBSD-Current;
 Perl 5.6.1, no problem installing any needed modules;
 Apache 2;
 I'm keeping ordinary customers off the machine, so I run Postfix and 
 Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to 
 arrange access to the control panel system.
 
 I'm stuck at the very start of my design process. I have two tasks to 
 do:
 
 Verify that users have supplied the correct password; and let the perl 
 scripts know who that visitor is, so that we can select the correct 
 accounts to show.
 
 Do I use SASL directly? or LDAP? or do I implement an Apache module to 
 handle access and let Apache do the work?
 
 I want to do The right thing - that is, the most general and correct 
 thing possible, I've got years of experience in perl scripting, but at 
 the moment I'm wandering around in a twisty little maze of standards, all 
 different.
 
 Clue, please?

You're basically writing a web application.  For which you need access
control.  You've got two choices: either use the HTTP basic or HTTP
digest auth mechanisms built into HTTP, and supported by Apache, or
(and this is by far the most popular choice) write your own
authentication mechanism as part of your application[1].

The second choice gives you a lot more flexibility about how you
customise things and how you make the login screen look, which is
probably why it's more popular.  You can also arrange things to avoid
sending passwords across the net in cleartext if you're cunning
enough.

However you do it, the authentication process is essentially that the
client sends you two pieces of information: their username (ie. who
they claim to be) and some form of secret.  The secret is usually a
password, but it can be something more complicated like an Opie
one-time password or whatever.  Then in your application you compare
the secret to your stored version of it, and if they match you believe
that the client is who they say they are and that they should have
access.  Of course, you don't want to keep the secret values lying
around in plain text: the standard Unix response to all that is to
generate a password hash using DES or MD5 to store, and to try and
recreate that hash using the password supplied by the user.

That's where SASL comes in: instead of having to code up all that
stuff yourself, SASL is a library of authentication methods that you
can just plug into your application.

Yes, you will need some sort of user account database -- often
implemented using a RDBMS, but could with little extra effort be made
to operate against an LDAP or RADIUS server.  Or whatever the database
type you're already using for your Postfix+Cyrus setup.

There are several examples of doing this sort of thing within the
ports system -- most are written in PHP, but check out devel/bugzilla
and www/rt3 for perl based examples.

Cheers,

Matthew

[1] Actually, if you were using mod_perl you could write your own
authentication and authorization handlers that would get called by
apache during the normal page serving transaction, effectively giving
you the best of both worlds.  But that requires you to be an expert
mod_perl programmer and to have a lot of experience at writing web
applications.  Save that sort of thing for version 2.0...

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
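
An added example, not code from anyone in this thread: the store-a-hash, re-create-it-at-login check described in the reply above, in Perl with the built-in crypt(). It assumes a platform whose crypt(3) supports the "$6$" SHA-512 scheme, used here in place of the DES or MD5 schemes named in the thread; the account table, usernames and passwords are constructed.

```perl
use strict; use warnings;

# Constructed in-memory account table (username => stored hash); a real
# control panel would read this from its account database.
my %accounts;

# Random salt for crypt(3). ASSUMPTION: the platform's crypt() understands
# the "$6$" (SHA-512) prefix, as FreeBSD and glibc do.
sub make_salt {
    my @set = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    open(my $fh, '<', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    (read($fh, my $raw, 16) || 0) == 16 or die "short read from /dev/urandom";
    close $fh;
    return '$6$' . join('', map { $set[ord($_) % 64] } split(//, $raw)) . '$';
}

# Hash and store; die if crypt() fell back to a scheme other than "$6$".
sub set_password {
    my ($user, $password) = @_;
    my $hash = crypt($password, make_salt());
    die "no \$6\$ crypt() support here\n" unless defined $hash && index($hash, '$6$') == 0;
    $accounts{$user} = $hash;
    return;
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the authenticated username (so later code knows whose accounts to
# show) or undef. The stored hash doubles as the salt argument to crypt().
sub authenticate {
    my ($user, $password) = @_;
    my $stored = $accounts{$user};
    return undef unless defined $stored;
    my $candidate = crypt($password, $stored);
    return (defined $candidate && same_string($candidate, $stored)) ? $user : undef;
}

set_password('alice', 'correct horse battery');    # constructed sample account
for my $try (['alice', 'correct horse battery'], ['alice', 'guess'], ['bob', 'x']) {
    my $who = authenticate(@$try);
    printf "%-6s %s\n", $try->[0], defined $who ? "accepted as $who" : 'rejected';
}
```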

