AutoAuth module

Discussion in 'Developers' Forum' started by nveid, Dec 9, 2011.

  1. nveid

    nveid ISPConfig Developer ISPConfig Developer

    I'd like to propose an AutoAuth module.. I can probably do this one up in 30 minutes, but figure I should propose it here first before I implement it..

    Basically I'm thinking 3 way method..

    1. Upon Initiation of request. a Unique Hex Key is inserted into an ISPConfig Table. (this protects against someone that of cracked step 2, but not the db password). Login is given to pure-ftpd or phpmyadmin as ISPCONFIG-HEXKEY, to denotate it as an ISPCONFIG auto auth login.

    2. Use 128bit Blowfish cipher(or whatever.. whats the max allowed for legality on non-american servers?) for the secret password key.. Decrypt Would be along the lines of ISPCONFIG-user-(login specific detail). The login specific details for phpmyadmin would be database, or something else along those lines. For ftp, would be uid-gid-directorylocation-any-other-specific-user-data..

    3. Upon Arrival at destination auth module. The following things will happen.
    a) Remote API call, or call the ispconfig db via mysql... Remote API I'm thinking would be better way to authenticate this method. The Remote API call, would be something along the lines of..
    api->service_auth("ftp" or "phpmyadmin",hex key). it will give it authorization for that hex key. Keys should also expire within a 5 second window.
    b) The Destionation server will have the same BlowFish salt to decrypt the password to determine extra login details.
    For phpmyadmin, webftp/ajaxexplorer/whateverelsefilemanager, this info would be stored in cookies to pass through. We could make this even MORE secure however if we could run phpmyadmin and the webftp/whatever web file manager on the same ISPConfig server. Then we could just pass all this info in the $_SESSION to the other remote apps. Thus, no one would ever see the blowfish methods to attempt a dictionary attack against the auth modules. Even though someone would never be able to crack the HexKey, if they cracked the mysql server then they could put the hex key in manually, then they would have to dictionary attack the blowfish salt.

    I've looked into the cration of all these auth modules. Pure-ftpd auth module API is fairly simple, and phpmyadmin auth module is fairly simple.

    Alright, floor is now open to criticism to the proposed feasibility and security of my methods.
    Last edited: Dec 9, 2011
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    From my side the above system is ok. You could add the hex key field e.g. to the session table and this feature should be configurable somewhere so that it can be disabled.

Share This Page