#1  
Old 9th December 2011, 20:16
nveid
Member

AutoAuth module

I'd like to propose an AutoAuth module.. I can probably do this one up in 30 minutes, but figure I should propose it here first before I implement it..

Basically I'm thinking of a 3-way method..

1. Upon initiation of the request, a unique hex key is inserted into an ISPConfig table. (This protects against someone who has cracked step 2, but not the db password.) Login is given to pure-ftpd or phpmyadmin as ISPCONFIG-HEXKEY, to denote it as an ISPConfig auto-auth login.

2. Use a 128-bit Blowfish cipher (or whatever.. what's the max allowed for legality on non-American servers?) for the secret password key.. Decrypting would give something along the lines of ISPCONFIG-user-(login specific detail). The login specific details for phpmyadmin would be the database, or something else along those lines. For FTP, it would be uid-gid-directorylocation-any-other-specific-user-data..

3. Upon arrival at the destination auth module, the following things will happen.
a) Remote API call, or call the ispconfig db via mysql... A Remote API call I'm thinking would be the better way to authenticate this method. The Remote API call would be something along the lines of..
api->service_auth("ftp" or "phpmyadmin", hex key). It will give it authorization for that hex key. Keys should also expire within a 5 second window.
b) The destination server will have the same Blowfish salt to decrypt the password to determine the extra login details.
-----
For phpmyadmin, webftp/ajaxexplorer/whatever-else file manager, this info would be stored in cookies to pass through. We could make this even MORE secure however if we could run phpmyadmin and the webftp/whatever web file manager on the same ISPConfig server. Then we could just pass all this info in the $_SESSION to the other remote apps. Thus, no one would ever see the Blowfish methods to attempt a dictionary attack against the auth modules. Even though someone would never be able to crack the hex key, if they cracked the mysql server then they could put the hex key in manually; then they would have to dictionary attack the Blowfish salt.

I've looked into the creation of all these auth modules. The pure-ftpd auth module API is fairly simple, and the phpmyadmin auth module is fairly simple.

Alright, the floor is now open to criticism of the proposed feasibility and security of my methods.
__________________
-- RLB

Last edited by nveid; 9th December 2011 at 21:09.
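As an added illustration of steps 1 and 3a above (example code, not ISPConfig's own and not the poster's), here is a minimal model of the one-time ISPCONFIG-HEXKEY login with the proposed 5-second expiry, as the remote service_auth() call would check it. The function names issue_key/service_auth, the KEY_TTL constant and the in-memory dict standing in for the ISPConfig table are assumptions; the Blowfish-encrypted password of step 2 is left out and the login details are kept in the table row instead.

```python
import os
import time

KEY_TTL = 5.0  # seconds: the "5 second window" from the proposal

# Stand-in for the ISPConfig table: hexkey -> (service, issued_at, login details)
_pending_keys = {}

def issue_key(service, login_details, now=None):
    """Step 1: mint a random hex key bound to one service and record it."""
    now = time.time() if now is None else now
    hexkey = os.urandom(16).hex()  # 128 random bits; not guessable, not derived from user data
    _pending_keys[hexkey] = (service, now, login_details)
    return "ISPCONFIG-" + hexkey   # the login name handed to pure-ftpd / phpmyadmin

def service_auth(service, login, now=None):
    """Step 3a: validate a presented login name, consume the key, return
    the login details on success or None on any failure."""
    now = time.time() if now is None else now
    prefix = "ISPCONFIG-"
    if not login.startswith(prefix):
        return None                        # not an auto-auth login at all
    hexkey = login[len(prefix):]
    # Single use: remove the row before any further check, so a replay or a
    # second attempt with the same key can never succeed.
    record = _pending_keys.pop(hexkey, None)
    if record is None:
        return None                        # unknown or already used key
    key_service, issued_at, details = record
    if key_service != service:
        return None                        # a key issued for ftp must not open phpmyadmin
    if now < issued_at or now - issued_at > KEY_TTL:
        return None                        # outside the 5-second window (or clock skew)
    return details

def purge_expired(now=None):
    """Housekeeping for the table: drop rows older than KEY_TTL, return how many."""
    now = time.time() if now is None else now
    stale = [k for k, (_, t, _) in _pending_keys.items() if now - t > KEY_TTL]
    for k in stale:
        del _pending_keys[k]
    return len(stale)
```

The `now` parameter only exists so the expiry can be exercised deterministically; in a deployment the service would use the real clock and the table row would live in the database, not a process-local dict.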
  #2  
Old 15th December 2011, 09:44
till
Super Moderator

From my side the above system is ok. You could add the hex key field e.g. to the session table and this feature should be configurable somewhere so that it can be disabled.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.