Cracker-Barrel 12-08-2009 12:02 PM

Website login authentication - expert advice needed
 
Hello,

I am currently developing a webpage to login remotely so that I can configure applications on a linux platform. Web development is new to me.....so I have been searching the net to get the best solution. Currently I am heading towards "digest authentication" for my first stab at this.

Currently I have a Debian running the lighttpd web server. I do NOT want to use a database to store username/password. I am using php as my server script and js as my client script. The equipment that is required to be logged onto will be limited to a handful of users.

Essentially I just want to know if I am on the right track or if I should be looking at something else. If it is "something else" please kick me in the right direction.


Thank you.

MBybee 12-08-2009 12:05 PM

Quote:

Originally Posted by Cracker-Barrel (Post 3784271)
Hello,

I am currently developing a webpage to login remotely so that I can configure applications on a linux platform. Web development is new to me.....so I have been searching the net to get the best solution. Currently I am heading towards "digest authentication" for my first stab at this.

Currently I have a Debian running the lighttpd web server. I do NOT want to use a database to store username/password. I am using php as my server script and js as my client script. The equipment that is required to be logged onto will be limited to a handful of users.

Essentially I just want to know if I am on the right track or if I should be looking at something else. If it is "something else" please kick me in the right direction.


Thank you.

If you don't want to use a database of some sort to store users, what are you planning to use? If the number is extremely tiny, I suppose you could hard code it in the PHP itself. The downside is that any hardcoded passwords would be accessible if they are stored in the JavaScript (and possibly even in the PHP, depending on server misconfigs).

Depending on what you're providing access to, there may be an existing web utility you could use.

Cracker-Barrel 12-08-2009 12:16 PM

MByBee

My understanding with digest authentication is that you can use the htdigest utility provided to create a file of users and hashed passwords. This is stored in a file that is configured in the lighttpd web server. Digest authentication only transfers a hashed value over the network and the authentication is established by issuing a challenge and validating the challenge response.
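
Added example, not part of the thread: the challenge and response described in the post above, computed the way RFC 2617 defines it for `qop=auth`, with the htdigest file format `user:realm:MD5(user:realm:password)`. The user name, realm, password and URI are constructed; in a real deployment the web server performs the server-side steps.

```php
<?php
// Added example: all values below are constructed for illustration.

// One line of an htdigest file: user:realm:MD5(user:realm:password)
function htdigest_line(string $user, string $realm, string $password): string {
    return "$user:$realm:" . md5("$user:$realm:$password");
}

// Look up the stored HA1 for a user/realm in htdigest-format text.
function lookup_ha1(string $fileText, string $user, string $realm): ?string {
    foreach (preg_split('/\R/', trim($fileText)) as $line) {
        $parts = explode(':', $line, 3);
        if (count($parts) === 3 && $parts[0] === $user && $parts[1] === $realm) {
            return $parts[2];
        }
    }
    return null;
}

// RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
function digest_response(string $ha1, string $method, string $uri,
                         string $nonce, string $nc, string $cnonce): string {
    $ha2 = md5("$method:$uri");
    return md5("$ha1:$nonce:$nc:$cnonce:auth:$ha2");
}

$realm = 'config';
$file  = htdigest_line('maint', $realm, 'example-password') . "\n";

// Server -> client: 401 challenge carrying a fresh random nonce.
$nonce = bin2hex(random_bytes(16));

// Client -> server: response computed from the password the user typed.
$clientHa1 = md5("maint:$realm:example-password");
$cnonce    = bin2hex(random_bytes(8));
$sent      = digest_response($clientHa1, 'GET', '/admin/', $nonce, '00000001', $cnonce);

// Server: recompute from the stored HA1 and compare in constant time.
$ha1 = lookup_ha1($file, 'maint', $realm);
$ok  = $ha1 !== null && hash_equals(
    digest_response($ha1, 'GET', '/admin/', $nonce, '00000001', $cnonce), $sent);

echo $ok ? "authenticated\n" : "rejected\n";
// The stored HA1 is all that is needed to compute a valid response, so the
// htdigest file needs the same protection as a file of plaintext passwords.
```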

Web31337 12-08-2009 12:28 PM

Quote:

so that I can configure applications on a linux platform
meaning you want to run webserver under root? don't.
btw if you want "digest" authentication look into your webserver.
digest HTTP authentication also requires browser that knows how to do that. not all can.

Cracker-Barrel 12-08-2009 12:57 PM

Ok, what if I don't want to use "digest authentication".
I was doing some reading and it looks like you cannot log off, nor can you make a customized login page ( at least this is what the article said).

What would you suggest? What about Kerberos?

All I want is to login to the machine via a web page( utilizing my web login page),
set some configurations. It security and eventually licensing.

MBybee 12-08-2009 01:36 PM

Well, it sounds like you want some kind of remote admin toolkit for your box that requires the absolute minimum configuration, right?

If I were to do something like this, probably the safest way is with a simple CGI. You can maintain the authentication inside the CGI and not make it world-viewable (just have it direct to the proper page). The page could just call scripts to do the tasks you need done - though I strongly urge you to consider getting something pre-built.

I suspect you want a toolkit like this, though: http://www.linux.com/archive/feature/141943
You may also want to look up other admin consoles, depending on what you do.

bret381 12-08-2009 01:56 PM

If you are wanting to do remote administration, even for a webserver, you should probably get something prebuilt if web development is new to you. You sure don't want someone getting in your box and screwing everything up. Great security is a must on a web server, or any server for that matter. If you are wanting to do remote admin, you may look into webmin. I think that you can use it remotely, but I am not 100% sure. I know you can administer samba, apache, proftp, bind, postfix, sendmail and many others. Just a suggestion.

chrism01 12-08-2009 04:53 PM

Have you looked at .htaccess & .htpasswd ?

Cracker-Barrel 12-11-2009 04:08 PM

Update.

So first off I have abandoned the idea of digest authentication. First off you cannot get a personalized web login page and secondly the line is not encrypted and exposes some potentially critical information.

Therefore I have implemented SSL on my web server and currently have created a self-signed certificate. I am hoping that this is enough for security. ( If not someone can comment !!! )

Because I am working on an embedded system I need to keep installation to a minimum, as my resources are very limited.

Ideally, I would like to shut down ssh ( for security reasons ) and just have a user log in via the web page which will essentially be the only window for a maintenance person into the system. ( well except root will be able to ssh in)

I am still looking for a solution to do a login page without having to install a database, but I have discovered that sqlite has a small footprint and may resort to this method.

Is there no way to have a php on the server side access the login info typically required during an ssh session? I am going to investigate. This way I would have the users/passwords already setup and would NOT have to create a database to basically shadow what already exists???

Thanks for everybody's help.

Wim Sturkenboom 12-11-2009 11:03 PM

Your own certificate will be sufficient to encrypt the communication. Further you can use a very simple html page with a POST form for login. Once the user submits the credentials, that same page or another page can validate the data against credentials stored in a file; as said, this will work well if the number of users is limited.

For dedicated administration, you can consider writing your own webserver (instead of using a general purpose webserver). Check chapter 11 on http://www.advancedlinuxprogramming.com/alp-folder. But this might be outside the scope of your project.
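
Added example, not part of the thread: one way to do the file-backed check behind a POST login form as described in the post above, using PHP's `password_hash()` and `password_verify()` so the file holds salted hashes rather than passwords. The function names, form field names (`user`, `pass`), file location and credentials are assumptions made for this example.

```php
<?php
// Added example. File name, user names and passwords are constructed.
// Append "user:hash" to the credentials file (run from the CLI, once per user).
function add_user(string $file, string $user, string $password): void {
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $user)) {
        throw new InvalidArgumentException('bad user name');
    }
    $line = $user . ':' . password_hash($password, PASSWORD_DEFAULT) . "\n";
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
    chmod($file, 0600); // readable only by the account PHP runs as
}

// Check a submitted user name and password against the file.
function verify_login(string $file, string $user, string $password): bool {
    // Fallback hash so an unknown user costs the same work as a known one.
    $hash  = password_hash('placeholder', PASSWORD_DEFAULT);
    $found = false;
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            [$found, $hash] = [true, $parts[1]];
            break;
        }
    }
    return password_verify($password, $hash) && $found;
}

// Handler for the POST form. Serve the form and this handler over HTTPS only.
function handle_login(string $file, array $post): bool {
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    if (!verify_login($file, $user, $pass)) {
        return false;
    }
    if (PHP_SAPI !== 'cli') {          // skip session handling on the command line
        session_start();
        session_regenerate_id(true);   // fresh session id after a successful login
        $_SESSION['user'] = $user;
    }
    return true;
}

// Demonstration with a temporary file; in use, keep the file outside the document root.
$file = tempnam(sys_get_temp_dir(), 'cred');
add_user($file, 'maint', 'example-password');
var_dump(handle_login($file, ['user' => 'maint', 'pass' => 'example-password']));
var_dump(handle_login($file, ['user' => 'maint', 'pass' => 'wrong']));
var_dump(handle_login($file, ['user' => 'nobody', 'pass' => 'example-password']));
unlink($file);
```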

