Steffen Weber wrote:
> Nick Owen wrote:
>> I'm not 100% sure I understand your question, but this is essentially
>> what we do with our strong authentication system. [...]
>
> I think WiKID is not what I'm looking for, I'll try to explain again
> with more details. The situation is as follows: A website with a
> download archive that offers files on an FTP server. We cannot afford
> that other sites link directly to files on our FTP server, so we have to
> use some kind of authentication. Therefore, when a visitor wants to
> download a file a password is generated, stored in a MySQL database and
> sent to the visitor's browser as part of a link to our FTP server. The
> FTP server (vsftpd) authenticates the user by using pam_mysql to look up
> the password from the database.
>
> The problem is that in order for the client to be able to reconnect
> after a connection problem has occurred we have to leave the password
> "active" for at least a few hours (i.e. cannot delete it immediately
> after the first login, although we want it to be a one-time password).
> Unfortunately as a consequence this means that people can pass around
> the direct URL to our FTP server including the password (which will last
> for quite a few hours) and hotlink to files on our server and generate
> lots of traffic.
>
> What we need is basically the ability to check for example the first 24
> bits of the client's IP address in order to make hotlinking to files on
> our server less attractive.
>
> As pam_mysql does not have that feature and I don't know C, I thought
> that I could implement this functionality for example in a PHP script
> that would be launched by a PAM module when a user tries to login to our
> FTP server and then allow or deny access based on the script's return
> value.
>
>> What do you mean by 'not such a great idea'? [...]
>
> I wanted to say that in general it is probably not good for PAM to rely
> upon the execution of an external program for authentication.
>
> I hope this explains the situation a bit better. :-)

I see. What if access to the ftp server is only available via a dynamic
URL that lasts for only a couple of hours?

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
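The check Steffen describes (a generated download password that stays valid for a few hours so the client can reconnect, but is only honoured from the same /24 as the browser that requested it) can be sketched as a small helper that a PAM module would launch for vsftpd. The following is an added example written for this thread, not code from either poster or from pam_mysql; it is in Python rather than the PHP Steffen mentions, and it assumes a pam_exec-style module that passes the FTP password on stdin and the peer address in the `PAM_RHOST` environment variable. An in-memory dict stands in for the MySQL table, and the addresses and timestamps are constructed values.

```python
"""Hypothetical PAM helper: allow an FTP login only if the download password is
known, unexpired, and presented from the network prefix it was issued to."""
import hashlib
import ipaddress
import os
import secrets
import sys
import time

# Constructed stand-in for the pam_mysql table.  A real deployment would query
# MySQL here.  Rows are keyed by a SHA-256 of the password so that a leaked
# table does not hand out usable download links.
TOKENS = {}


def _key(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def issue_password(client_ip, now=None, ttl_seconds=4 * 3600, prefix_len=24):
    """Called by the web side when a visitor requests a download.
    Binds a fresh random password to the visitor's /prefix_len network and an
    expiry time; returns the plaintext to embed in the ftp:// link."""
    now = time.time() if now is None else now
    password = secrets.token_urlsafe(24)
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    TOKENS[_key(password)] = {"net": net, "expires": now + ttl_seconds, "uses": 0}
    return password


def check_login(password, client_ip, now=None):
    """Return (allowed, reason).  A reconnect from the same /24 inside the TTL
    succeeds (so interrupted transfers can resume); a client outside that prefix
    or after expiry is refused, which is what makes the passed-around URL
    unattractive to hotlinkers."""
    now = time.time() if now is None else now
    rec = TOKENS.get(_key(password))
    if rec is None:
        return False, "unknown password"
    if now >= rec["expires"]:
        return False, "password expired"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "bad client address"
    if addr not in rec["net"]:  # address family mismatch also fails here
        return False, f"client {addr} outside issuing network {rec['net']}"
    rec["uses"] += 1
    return True, "ok"


def purge_expired(now=None):
    """Housekeeping a cron job would run so the table does not grow without
    bound; returns the number of rows removed."""
    now = time.time() if now is None else now
    dead = [k for k, r in TOKENS.items() if now >= r["expires"]]
    for k in dead:
        del TOKENS[k]
    return len(dead)


def main():
    # Assumed pam_exec contract: with expose_authtok the password arrives on
    # stdin (strip the trailing newline/NUL); PAM_RHOST carries the peer
    # address that vsftpd sets.  Exit 0 allows the login, non-zero denies it.
    password = sys.stdin.readline().rstrip("\r\n\x00")
    client_ip = os.environ.get("PAM_RHOST", "")
    ok, reason = check_login(password, client_ip)
    print(reason, file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

The prefix check does exactly what Steffen asks for and no more: anyone on the same /24 (a housemate behind the same NAT, or another customer in the same ISP block) still gets through, so the short TTL and the purge job, not the prefix, remain the real limit on how far a leaked link can travel. Logging the `reason` string from the helper is also the cheapest way to spot a URL that is being passed around, since refused logins from many different prefixes against one password show up immediately.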