Authentication based on return value of external program?

Nick Owen nowen at wikidsystems.com
Sat Jan 28 14:06:16 UTC 2006


Steffen Weber wrote:
> Nick Owen wrote:
>> I'm not 100% sure I understand your question, but this is essentially
>> what we do with our strong authentication system. [...]
> I think WiKID is not what I'm looking for, I'll try to explain again
> with more details. The situation is as follows: A website with a
> download archive that offers files on an FTP server. We cannot afford
> that other sites link directly to files on our FTP server, so we have to
> use some kind of authentication. Therefore, when a visitor wants to
> download a file a password is generated, stored in a MySQL database and
> sent to the visitor's browser as part of a link to our FTP server. The
> FTP server (vsftpd) authenticates the user by using pam_mysql to look up
> the password from the database.
> 
> The problem is that in order for the client to be able to reconnect
> after a connection problem has occurred we have to leave the password
> "active" for at least a few hours (i.e. cannot delete it immediately
> after the first login, although we want it to be a one-time password).
> Unfortunately as a consequence this means that people can pass around
> the direct URL to our FTP server including the password (which will last
> for quite a few hours) and hotlink to files on our server and generate
> lots of traffic.
> 
> What we need is basically the ability to check for example the first 24
> bits of the client's IP address in order to make hotlinking to files on
> our server less attractive.
> 
> As pam_mysql does not have that feature and I don't know C, I thought
> that I could implement this functionality for example in a PHP script
> that would be launched by a PAM module when a user tries to login to our
> FTP server and then allow or deny access based on the script's return
> value.
> 
>> What do you mean by 'not such a great idea'? [...]
> I wanted to say that in general it is probably not good for PAM to rely
> upon the execution of an external program for authentication.
> 
> I hope this explains the situation a bit better. :-)

I see.  What if access to the ftp server is only available via a dynamic
URL that lasts for only a couple of hours?

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
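The two ideas in this thread, a download password that is bound to the client's /24 and a URL that simply stops working after a couple of hours, can be combined without keeping any password in MySQL at all: the website issues an HMAC over (download id, client prefix, expiry), and the FTP-side helper recomputes it. The following is an added example, not code from either poster and not part of pam_mysql, vsftpd or WiKID. It assumes the generated FTP username carries the download id, that the helper is invoked by a pam_exec-style module which exposes PAM_USER and PAM_RHOST in the environment, and that the website and the FTP host share the constructed secret below; the /64 used for IPv6 clients is likewise an assumption.

```python
import hmac
import hashlib
import ipaddress
import time

# Constructed example secret shared by the web front end and the FTP host.
# A real deployment keeps it out of source and rotates it.
SECRET = b"constructed-example-secret-do-not-reuse"
PREFIX_BITS_V4 = 24        # the poster's idea: bind the token to the client's /24
PREFIX_BITS_V6 = 64        # assumption: /64 as the IPv6 analogue of a /24
TTL_SECONDS = 3 * 3600     # "active for at least a few hours", then dead


def client_prefix(ip_text):
    """Return the network the client belongs to, masked to /24 (v4) or /64 (v6)."""
    ip = ipaddress.ip_address(ip_text)
    bits = PREFIX_BITS_V6 if ip.version == 6 else PREFIX_BITS_V4
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def _mac(secret, download_id, prefix, expiry):
    """HMAC-SHA256 over everything the token must be bound to."""
    msg = f"{download_id}|{prefix}|{expiry}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(secret, download_id, client_ip, now=None, ttl=TTL_SECONDS):
    """Issue the password the website embeds in the FTP link: '<expiry>-<mac>'."""
    expiry = int(now if now is not None else time.time()) + ttl
    prefix = client_prefix(client_ip)
    return f"{expiry}-{_mac(secret, download_id, prefix, expiry)}"


def verify_token(secret, download_id, client_ip, token, now=None):
    """True only if the token is unexpired and was issued for this download
    and for the network prefix the connecting client belongs to."""
    try:
        expiry_text, mac = token.split("-", 1)
        expiry = int(expiry_text)
    except ValueError:
        return False                      # malformed token
    current = int(now if now is not None else time.time())
    if current > expiry:
        return False                      # the "dynamic URL" has lapsed
    try:
        prefix = client_prefix(client_ip)
    except ValueError:
        return False                      # unparsable remote host
    expected = _mac(secret, download_id, prefix, expiry)
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def pam_decision(env, password, secret, now=None):
    """Exit status an external PAM helper would return: 0 = allow, 1 = deny.
    `env` mimics the PAM_USER / PAM_RHOST variables a pam_exec-style module
    exports; the username is assumed to carry the download id."""
    download_id = env.get("PAM_USER", "")
    remote_host = env.get("PAM_RHOST", "")
    if not download_id or not remote_host:
        return 1                          # never allow without knowing the client
    return 0 if verify_token(secret, download_id, remote_host, password, now) else 1


if __name__ == "__main__":
    # Constructed walk-through: the website issues a link, the client reconnects
    # from a neighbouring address in the same /24, a third party elsewhere fails.
    issued_at = int(time.time())
    token = make_token(SECRET, "dl-42", "198.51.100.7", now=issued_at)
    print("same /24 reconnect:", verify_token(SECRET, "dl-42", "198.51.100.200", token))
    print("hotlink from elsewhere:", verify_token(SECRET, "dl-42", "203.0.113.5", token))
    print("after expiry:", verify_token(SECRET, "dl-42", "198.51.100.7", token,
                                        now=issued_at + TTL_SECONDS + 1))
```

The database lookup disappears because the token is self-describing: nothing has to be deleted after the first login, a reconnect from the same /24 within the TTL still works, and a copied link only helps someone on the same network segment until the expiry passes. The helper still has to obtain the password the client typed; with pam_exec that is what the `expose_authtok` option supplies on standard input, which the wrapper script around `pam_decision` would read and pass in.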