Advice: "The Right" authentication method

Jeff Hinrichs jlh at
Fri Sep 24 20:13:16 PDT 2004

Al Johnson wrote:
> On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
>>On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
>>>I'm working on writing the "Control Panel" scripts which subscribers to 
>>>our ISP will use to set up their eMail accounts and web space.
>>>Here's the Server spec:
>>>Perl 5.6.1, no problem installing any needed modules;
>>>Apache 2;
>>>I'm keeping ordinary customers off the machine, so I run Postfix and 
>>>Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to 
>>>arrange access to the control panel system.
>>>I'm stuck at the very start of my design process. I have two tasks to 
>>>Verify that users have supplied the correct password; and let the perl 
>>>scripts know who that visitor is, so that we can select the correct 
>>>accounts to show.
>>>Do I use SASL directly? or LDAP? or do I implement an Apache module to 
>>>handle access and let Apache do the work?
>>>I want to do "The right thing" - that is, the most general and correct 
>>>thing possible, I've got years of experience in perl scripting, but at 
>>>the moment I'm wandering around in a twisty little maze of standards, all 
>>>Clue, please?
>>You're basically writing a web application.  For which you need access
>>control.  You've got two choices: either use the HTTP basic or HTTP
>>digest auth mechanisms built into HTTP, and supported by Apache, or
>>(and this is by far the most popular choice) write your own
>>authentication mechanism as part of your application[1].
>>The second choice gives you a lot more flexibility about how you
>>customise things and how you make the login screen look, which is
>>probably why it's more popular.  You can also arrange things to avoid
>>sending passwords across the net in cleartext if you're cunning
>>However you do it, the authentication process is essentially that the
>>client sends you two pieces of information: their username (ie. who
>>they claim to be) and some form of secret.  The secret is usually a
>>password, but it can be something more complicated like an Opie
>>one-time password or whatever.  Then in your application you compare
>>the secret to your stored version of it, and if they match you believe
>>that the client is who they say they are and that they should have
>>access.  Of course, you don't want to keep the secret values lying
>>around in plain text: the standard Unix response to all that is to
>>generate a password hash using DES or MD5 to store, and to try and
>>recreate that hash using the password supplied by the user.
>>That's where SASL comes in: instead of having to code up all that
>>stuff yourself, SASL is a library of authentication methods that you
>>can just plug into your application.
>>Yes, you will need some sort of user account database -- often
>>implemented using a RDBMS, but could with little extra effort be made
>>to operate against an LDAP or RADIUS server.  Or whatever the database
>>type you're already using for your Postfix+Cyrus setup.
>>There are several examples of doing this sort of thing within the
>>ports system -- most are written in PHP, but check out devel/bugzilla
>>and www/rt3 for perl based examples.
>>	Cheers,
>>	Matthew
> I'd be grateful if someone would point out some examples of SASL
> authentication using PHP in the ports.
> I've searched through the ports, but had no luck finding any.
It looks like there is a SASL implementation in PEAR

You might try and start here:


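The flow Matthew describes above (client sends a username and a secret, the application recomputes the stored hash from the supplied password and compares) is shown below as an added example; it is not code from this thread, and it is written in Python rather than the original poster's Perl. It also covers his first option, HTTP Basic auth, by parsing the Authorization header that Apache would pass through. Two substitutions are deliberate: the DES/MD5 crypt hash named in the thread is replaced by salted PBKDF2-SHA256 (the crypt variants are fast and unsalted enough to be brute-forced cheaply today), and the comparison is constant-time. The user store is a constructed dict standing in for the SASL/Cyrus account database; `ITERATIONS`, `basic_header` and the sample credentials are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2; an assumption of this example, tune for your hardware.
ITERATIONS = 100_000

# A stored account record is (salt, derived_key); the plaintext is never kept.
Record = Tuple[bytes, bytes]


def make_record(password: str, salt: Optional[bytes] = None) -> Record:
    """Derive what gets stored at account-creation time (salted PBKDF2-SHA256,
    standing in for the DES/MD5 crypt hash mentioned in the thread)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(record: Record, password: str) -> bool:
    """Recreate the hash from the supplied password and compare it to the stored
    one in constant time, so timing does not leak how many bytes matched."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Split 'Basic <base64(user:pass)>' into (user, pass).
    Returns None for a missing, non-Basic or malformed header so the caller
    answers with a 401 challenge instead of failing open."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


# Constructed record used so that an unknown username costs the same as a wrong
# password (otherwise response time reveals which usernames exist).
_DUMMY_RECORD = make_record("not-a-real-password", salt=b"\x00" * 16)


def authenticate(users: Dict[str, Record], header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None. Only the returned name should
    be trusted by the control-panel scripts to select which accounts to show."""
    creds = parse_basic_auth(header or "")
    if creds is None:
        return None
    user, password = creds
    record = users.get(user)
    if record is None:
        verify_password(_DUMMY_RECORD, password)  # equalise timing
        return None
    return user if verify_password(record, password) else None


def basic_header(user: str, password: str) -> str:
    """Build the header a browser would send (constructed input for the example)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed account store; in the thread this would be the SASL/Cyrus database.
    users = {"andy": make_record("correct horse battery")}
    print(authenticate(users, basic_header("andy", "correct horse battery")))  # andy
    print(authenticate(users, basic_header("andy", "guess")))                  # None
    print(authenticate(users, basic_header("nobody", "guess")))                # None
```

Basic auth transmits the password base64-encoded, not encrypted, so this only avoids Matthew's cleartext concern when the control panel is served over HTTPS; the same `verify_password` function serves a form-based login equally well.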
More information about the freebsd-questions mailing list