>From: Sergey Lyubka [mailto:[EMAIL PROTECTED] 
>Sent: Tuesday, August 19, 2008 6:23 PM
>To: David Lethe
>Cc: [email protected]
>Subject: Re: [shttpd-general] How to structure HTML to automate SSL 
>authentication remote agent with daemon script

>check_password() function from auth.c has a couple of things disabled:
>1. it does not check that the URI in the auth header equals the actual URI
>2. it basically ignores the cnonce set by the server
>These two checks were enabled at some point, and then disabled :-)

>This makes shttpd authentication vulnerable, for example, to replay attacks, 
>if non-SSL connections are used. For stronger authentication, I would do this:
>1. keep passwords file "as is". SHTTPD knows HA1 = MD5(user:domain:pass)
>2. daemon knows the password. it can calculate HA1 = MD5(user:domain:pass)
>3. daemon calculates X = MD5(HA1:ip:port:MD5(payload)) and sets the 
>user:domain:value in some header
>4. shttpd calculates the same (get HA1 from the pass file), and compares the 
>calculated value.

>This does a transaction in a single roundtrip.

>Of course, SSL. Desirable, ACL. But the daemon must have a clear text password 
>somehow, I don't know how it'll keep it. With browsers, humans keep passwords 
>in their memory and type them in a prompt; the daemon must do the same?
I plan on making SSL the only mechanism that will be allowed, and the daemon 
will have a local database that includes a subset of the same password file 
that shttpd uses ... 

Why is check_password() crippled?  Are there corner cases where it breaks, or 
certain browsers that have problems?  

Below is the example from the wiki I cited earlier in the thread, with minor 
thread-centric changes; the wiki explains what goes in all of these fields.

GET cgiform.html HTTP/1.0
Host: localhost
(followed by a new line, in the form of a carriage return followed by a line 
feed).

(shttpd) Server response: (slightly modified for compatibility)

HTTP/1.1 401 Unauthorised
Server: shttpd
Date: Sun, 10 Apr 2005 20:26:47 GMT
WWW-Authenticate: Digest realm="[EMAIL PROTECTED]",
                         qop="auth,auth-int",
                         nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                         opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Content-Length: 311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
  <HEAD>
    <TITLE>Error</TITLE>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
  </HEAD>
  <BODY><H1>401 Unauthorised.</H1></BODY>
</HTML>
Client request (user name "Mufasa", password "Circle Of Life"):

GET cgiform.html HTTP/1.0
Host: localhost
Authorization: Digest username="Mufasa",
                      realm="[EMAIL PROTECTED]",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                      uri="/dir/index.html",
                      qop=auth,
                      nc=00000001,
                      cnonce="0a4f113b",
                      response="6629fae49393a05397450978507c4ef1",
                      opaque="5ccc069c403ebaf9f0171e9517f40e41"
(followed by a blank line, as before).

Server response:

HTTP/1.1 200 OK
Server: shttpdxxx
Date: Sun, 10 Apr 2005 20:27:03 GMT
Content-Type: text/html
Content-Length: 7984
(The cgiform.html is now supplied to the daemon, which fills it in and generates 
a POST, and the shttpd CGI logic does what it needs to.)

========
So is that basically it?  
Thanks,
David
_______________________________________________
shttpd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shttpd-general