Re: Authentication based on return value of external program?


Nick Owen wrote:
> I'm not 100% sure I understand your question, but this is essentially
> what we do with our strong authentication system. [...]
I think WiKID is not what I'm looking for, I'll try to explain again with more details. The situation is as follows: A website with a download archive that offers files on an FTP server. We cannot afford to have other sites link directly to files on our FTP server, so we have to use some kind of authentication. Therefore, when a visitor wants to download a file a password is generated, stored in a MySQL database and sent to the visitor's browser as part of a link to our FTP server. The FTP server (vsftpd) authenticates the user by using pam_mysql to look up the password from the database.

The problem is that in order for the client to be able to reconnect after a connection problem has occurred we have to leave the password "active" for at least a few hours (i.e. we cannot delete it immediately after the first login, although we want it to be a one-time password). Unfortunately as a consequence this means that people can pass around the direct URL to our FTP server including the password (which will last for quite a few hours) and hotlink to files on our server and generate lots of traffic.

What we need is basically the ability to check for example the first 24 bits of the client's IP address in order to make hotlinking to files on our server less attractive.

As pam_mysql does not have that feature and I don't know C, I thought that I could implement this functionality for example in a PHP script that would be launched by a PAM module when a user tries to log in to our FTP server and then allow or deny access based on the script's return value.

> What do you mean by 'not such a great idea'? [...]
I wanted to say that in general it is probably not good for PAM to rely upon the execution of an external program for authentication.

I hope this explains the situation a bit better. :-)

Steffen

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
