Authentication based on return value of external program?
Steffen Weber
email at steffenweber.net
Sat Jan 28 13:45:50 UTC 2006
Nick Owen wrote:
> I'm not 100% sure I understand your question, but this is essentially
> what we do with our strong authentication system. [...]
I think WiKID is not what I´m looking for, I´ll try to explain again
with more details. The situation is as follows: A website with a
download archive that offers files on an FTP server. We cannot afford
that other sites link directly to files on our FTP server, so we have to
use some kind of authentication. Therefore, when a visitor wants to
download a file a password is generated, stored in a MySQL database and
sent to the visitor´s browser as part of a link to our FTP server. The
FTP server (vsftpd) authenticates the user by using pam_mysql to look up
the password from the database.
The problem is that in order for the client to be able to reconnect
after a connection problem has occured we have to leave the password
"active" for at least a few hours (i.e. cannot delete it immediately
after the first login, although we want it to be a one-time password).
Unfortunately as a consequence this means that people can pass around
the direct URL to our FTP server including the password (whoch will last
for quiet a few hours) and hotlink to files on our server and generate
lots of traffic.
What we need is basically the ability to check for example the first 24
bits of the client´s IP address in order to make hotlinking to files on
our server less attractive.
As pam_mysql does not have that feature and I don´t know C, I thought
that I could implement this functionality for example in a PHP script
that would be launched by a PAM module when a user tries to login to our
FTP server and then allow or deny access based on the script´s return value.
> What do you mean by 'not such a great idea'? [...]
I wanted to say that in general it is probably not good for PAM to rely
upon the execution of an external program for authentication.
I hope this explains the situation a bit better. :-)
Steffen
More information about the Pam-list
mailing list