Website login authentication - expert advice needed
Hello,
I am currently developing a webpage to login remotely so that I can configure applications on a Linux platform. Web development is new to me... so I have been searching the net to get the best solution. Currently I am heading towards "digest authentication" for my first stab at this. Currently I have a Debian box running the lighttpd web server. I do NOT want to use a database to store username/password. I am using PHP as my server script and JS as my client script. The equipment that is required to be logged onto will be limited to a handful of users. Essentially I just want to know if I am on the right track or if I should be looking at something else. If it is "something else" please kick me in the right direction. Thank you.
Quote:
Depending on what you're providing access to, there may be an existing web utility you could use.
MByBee
My understanding with digest authentication is that you can use the htdigest utility provided to create a file of users and hashed passwords. This is stored in a file that is configured in the lighttpd web server. Digest authentication only transfers a hashed value over the network and the authentication is established by issuing a challenge and validating the challenge response.
Quote:
BTW, if you want "digest" authentication look into your web server. Digest HTTP authentication also requires a browser that knows how to do that. Not all can.
Ok, what if I don't want to use "digest authentication".
I was doing some reading and it looks like you cannot log off, nor can you make a customized login page (at least this is what the article said). What would you suggest? What about Kerberos? All I want is to login to the machine via a web page (utilizing my web login page), set some configurations. It security and eventually licensing.
Well, it sounds like you want some kind of remote admin toolkit for your box that requires the absolute minimum configuration, right?
If I were to do something like this, probably the safest way is with a simple CGI. You can maintain the authentication inside the CGI and not make it world-viewable (just have it direct to the proper page). The page could just call scripts to do the tasks you need done - though I strongly urge you to consider getting something pre-built. I suspect you want a toolkit like this, though: http://www.linux.com/archive/feature/141943 You may also want to look up other admin consoles, depending on what you do.
If you are wanting to do remote administration, even for a web server, you should probably get something prebuilt if web development is new to you. You sure don't want someone getting in your box and screwing everything up. Great security is a must on a web server, or any server for that matter. If you are wanting to do remote admin, you may look into Webmin. I think that you can use it remotely, but I am not 100% sure. I know you can administer Samba, Apache, ProFTPD, BIND, Postfix, Sendmail and many others. Just a suggestion.
Have you looked at .htaccess & .htpasswd?
Update.
So first off I have abandoned the idea of digest authentication. First off you cannot get a personalized web login page and secondly the line is not encrypted and exposes some potentially critical information. Therefore I have implemented SSL on my web server and currently have created a self-signed certificate. I am hoping that this is enough for security. (If not someone can comment!!!) Because I am working on an embedded system I need to keep installation to a minimum, as my resources are very limited. Ideally, I would like to shut down SSH (for security reasons) and just have a user log in via the web page which will essentially be the only window for a maintenance person into the system. (Well, except root will be able to SSH in.) I am still looking for a solution to do a login page without having to install a database, but I have discovered that SQLite has a small footprint and may resort to this method. Is there no way to have PHP on the server side access the login info typically required during an SSH session? I am going to investigate. This way I would have the users/passwords already set up and would NOT have to create a database to basically shadow what already exists??? Thanks for everybody's help.
Your own certificate will be sufficient to encrypt the communication. Further you can use a very simple html page with a POST form for login. Once the user submits the credentials, that same page or another page can validate the data against credentials stored in a file; as said, this will work well if the number of users is limited.
For dedicated administration, you can consider writing your own web server (instead of using a general purpose web server). Check chapter 11 on http://www.advancedlinuxprogramming.com/alp-folder. But this might be outside the scope of your project.
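The file-backed POST login that the reply above describes, combined with the .htpasswd-style credentials file suggested earlier in the thread, as an added PHP example. This is not code from the thread or from any of its posters. It assumes PHP 7.1 or later, a hypothetical credentials file /etc/webadmin/users holding one "username:bcrypt-hash" line per user (kept outside the document root and readable only by the web server account), a hypothetical protected page admin.php, and that the site is served over the HTTPS the original poster has already set up. It also shows the two things digest authentication was criticised for lacking: a customised login form and a real logout.

```php
<?php
// login.php -- added example, not from the thread.
// Credentials file format (hypothetical path /etc/webadmin/users), one line per user:
//   alice:$2y$10$...bcrypt hash...
// Add a user from the shell without any database:
//   php -r 'echo "alice:" . password_hash("secret", PASSWORD_BCRYPT) . "\n";' >> /etc/webadmin/users

define('USERS_FILE', '/etc/webadmin/users');   // hypothetical path, outside the document root
define('FAIL_DELAY_US', 250000);               // 250 ms pause after a failed attempt to slow guessing

// Parse "user:hash" lines into an array; blank lines and '#' comments are skipped.
function load_users(string $path): array
{
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if ($line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        list($name, $hash) = explode(':', $line, 2);
        $users[$name] = $hash;
    }
    return $users;
}

// True only when the user exists and the password matches its bcrypt hash.
// password_verify() runs in constant time; an unknown user is checked against a
// dummy hash so the response time does not reveal which usernames exist.
function check_credentials(array $users, string $name, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_BCRYPT);
    }
    $hash = isset($users[$name]) ? $users[$name] : $dummy;
    $ok = password_verify($password, $hash);
    return $ok && isset($users[$name]);
}

// Call this at the top of admin.php (hypothetical) to gate every protected page.
function require_login(): string
{
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['user'];
}

if (PHP_SAPI !== 'cli') {
    // Session cookie: not readable by script, and only sent over HTTPS.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    session_start();

    if (isset($_GET['logout'])) {               // the logout that HTTP digest auth cannot offer
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }

    $error = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $name = isset($_POST['user']) ? (string) $_POST['user'] : '';
        $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
        if (check_credentials(load_users(USERS_FILE), $name, $pass)) {
            session_regenerate_id(true);        // fresh session id once authenticated
            $_SESSION['user'] = $name;
            header('Location: admin.php');      // hypothetical protected page
            exit;
        }
        usleep(FAIL_DELAY_US);
        // Log failures so repeated guessing is visible in the server's error log.
        error_log(sprintf("failed web login for '%s' from %s",
            preg_replace('/[^\w.@-]/', '_', $name), $_SERVER['REMOTE_ADDR']));
        $error = 'Invalid username or password.';
    }
    ?>
    <form method="post" action="login.php">
      <?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
      <label>User <input name="user" autocomplete="username"></label>
      <label>Password <input type="password" name="pass" autocomplete="current-password"></label>
      <button type="submit">Log in</button>
    </form>
    <?php
} else {
    // Command-line self-check against a constructed temporary credentials file.
    $tmp = tempnam(sys_get_temp_dir(), 'users');
    file_put_contents($tmp, "# constructed sample\nalice:" . password_hash('correct horse', PASSWORD_BCRYPT) . "\n");
    $users = load_users($tmp);
    var_dump(check_credentials($users, 'alice', 'correct horse'));
    var_dump(check_credentials($users, 'alice', 'wrong password'));
    var_dump(check_credentials($users, 'mallory', 'correct horse'));
    unlink($tmp);
}
```

Run `php login.php` from the shell to exercise the checks against the constructed file; served through lighttpd it renders the form. The credentials file replaces the database the original poster wanted to avoid, and because the hashes are bcrypt rather than the MD5-based digests htdigest produces, a copy of the file is far less useful to anyone who obtains it.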