Penetration Testing mailing list archives
Re: Linux/Windows Authentication?
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Fri, 27 Feb 2004 14:50:30 -0600
"MARTIN M. Bénoni" wrote on Thursday, February 26, 2004 9:40 AM:

Hi list! I would like to know if there is a way to meet the following requirement: we are setting up an Intranet. On it, each department will be allowed to access a part of the server; for example, the HR Department will be allowed to access just http://intranet/HR, the Financial Department will just be allowed to access http://intranet/Finance, and so on. As they are non-IT people, we would be looking for a transparent way to authenticate them and to block someone from one department from accessing a file from another department. User/password may be tough to set up, as they will have to remember them and we will have to check that they are not using weak passwords. A PKI/Kerberos/...-based solution would be long to set up as well. I was thinking about some key-based authentication, as can usually be done with ssh. But looking around the Internet for some information, there was no way to find any clues... Moreover, all the clients will be Windows 2000/XP, and our Intranet runs under Linux (Redhat 9.0). Some ideas? :-)

Authentication based on IP addresses would be the easiest solution I have been thinking about, but it remains to be seen if I can tell my Linux box to allow a given bunch of IP addresses to access just a given directory...
You can do this using .htaccess (http://httpd.apache.org/docs-2.1/howto/htaccess.html) files under Apache. Just place the file in each of the department directories and make sure the file mentions subdirectories as well. That will do the authentication based on IP addresses.

However, there is a major flaw in this type of restriction. If someone from HR (for example) goes to the sales floor and tries to access his/her documents in the HR directory, he/she will get the access denied message, which could lead to major frustration. Of course, this depends on the political climate in the company.

Also, if .htaccess files are not chosen as the solution, you can always use the following code in a PHP script to tell what IP address someone is coming from and either kick them to an access denied message (send a header with a 403 error: "Your request was denied as you have no permission to access the data.")

----------- PHP Code ----------

```php
<?php
// Read the RC based on the IP address of the machine accessing this application.
// $_SERVER['REMOTE_ADDR'] is the TCP peer address as seen by Apache; the original
// fragment used the register_globals form $REMOTE_ADDR, which newer PHP no longer sets.
list ($IP_Octet1, $IP_Octet2, $IP_Octet3, $IP_Octet4) = explode (".", $_SERVER['REMOTE_ADDR']);
```

$IP_Octet1, $IP_Octet2, $IP_Octet3, and $IP_Octet4 will contain the 4 octets of the address and you can use

```php
if ($IP_Octet1 != "xxx") {
    // Octet didn't match - deny access with a 403 and the message described above
    header("HTTP/1.0 403 Forbidden");
    exit("Your request was denied as you have no permission to access the data.");
}
```

----------- End Code fragment --------------
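The reply above keys access to each department directory on the client's source address and points out the weak spot (an HR employee on another floor is locked out). The following is an added example, not code from the original post, that implements that scheme as an application-level check in Python with proper subnet matching rather than per-octet string comparison, and adds the two checks a practitioner would want: path normalization so /Finance/../HR/ is judged as /HR/, and a rule that X-Forwarded-For is ignored unless the TCP peer is a proxy you control, because any client can send that header itself. The subnets, the proxy address, the paths and the sample requests are all constructed for illustration and are not from the thread.

```python
"""Added example: per-directory authorization keyed on the client's source
address. Subnets, proxy, paths and sample requests below are constructed for
illustration, not taken from the mailing-list thread."""
import ipaddress
import posixpath

# Constructed policy: which networks may reach which Intranet directory.
POLICY = {
    "/HR/": ["10.1.10.0/24"],        # assumed HR floor subnet
    "/Finance/": ["10.1.20.0/24"],   # assumed Finance floor subnet
}

# Constructed: the only reverse proxy whose X-Forwarded-For header we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.0.5/32")]


def compile_policy(policy):
    """Parse the textual policy once into ip_network objects, keyed by the
    directory prefix without its trailing slash."""
    return {
        prefix.rstrip("/"): [ipaddress.ip_network(n, strict=False) for n in nets]
        for prefix, nets in policy.items()
    }


def effective_client(peer_addr, forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Decide which address to authorize on. The TCP peer is authoritative;
    X-Forwarded-For is honoured only when the peer is a proxy we control."""
    peer = ipaddress.ip_address(peer_addr)
    if forwarded_for and any(peer in net for net in trusted):
        # Use the last hop, which our proxy appended; the first value could
        # have been forged by the original client.
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def restricted_prefix(path, compiled):
    """Return the protected directory `path` falls under, or None. Dot
    segments are collapsed first so /Finance/../HR/x is judged as /HR/x."""
    norm = posixpath.normpath("/" + path.lstrip("/"))
    for prefix in compiled:
        if norm == prefix or norm.startswith(prefix + "/"):
            return prefix
    return None


def authorize(peer_addr, path, compiled, forwarded_for=None):
    """Return (HTTP status, reason) for one request."""
    try:
        client = effective_client(peer_addr, forwarded_for)
    except ValueError:
        return 400, "malformed client address"
    prefix = restricted_prefix(path, compiled)
    if prefix is None:
        return 200, "unrestricted path"
    if any(client in net for net in compiled[prefix]):
        return 200, f"{client} is inside an allowed network for {prefix}"
    return 403, f"{client} is outside every allowed network for {prefix}"


# Constructed requests: (peer address, requested path, X-Forwarded-For or None).
SAMPLE_REQUESTS = [
    ("10.1.10.7", "/HR/payroll.xls", None),             # HR desk -> allowed
    ("10.1.20.9", "/HR/payroll.xls", None),             # Finance desk -> denied
    ("10.1.30.4", "/HR/payroll.xls", None),             # HR staffer on sales floor -> denied (the flaw)
    ("10.1.20.9", "/Finance/../HR/payroll.xls", None),  # traversal still lands in /HR -> denied
    ("10.1.20.9", "/HR/x", "10.1.10.7"),                # forged header from untrusted peer -> denied
    ("10.1.0.5", "/HR/x", "10.1.10.7"),                 # same header via trusted proxy -> allowed
    ("10.1.20.9", "/index.html", None),                 # shared page -> allowed
]


def run_samples(compiled=None):
    """Evaluate every sample request and return the list of HTTP statuses."""
    compiled = compiled or compile_policy(POLICY)
    return [authorize(addr, path, compiled, xff)[0] for addr, path, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    compiled = compile_policy(POLICY)
    for addr, path, xff in SAMPLE_REQUESTS:
        status, reason = authorize(addr, path, compiled, xff)
        print(f"{status} {addr:<10} {path:<30} {reason}")
```

The third sample is the frustration case the reply warns about: the decision is about where the request came from, not who sent it, so a legitimate user on the wrong subnet is denied while anyone who can plug into the HR subnet is allowed. If the .htaccess route is taken instead, the same per-directory rule on Apache 2.4 is `Require ip 10.1.10.0/24`; the Order/Allow/Deny directives in the 2.0-era documentation linked above are deprecated there.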
Current thread:
- Linux/Windows Authentication? MARTIN M. Bénoni (Feb 27)
- Re: Linux/Windows Authentication? dr john halewood (Feb 27)
- Re: Linux/Windows Authentication? ivan.hernandez (Feb 27)
- Re: Linux/Windows Authentication? Phil Wallisch (Feb 27)
- Re: Linux/Windows Authentication? Eric Paynter (Feb 28)
- Re: Linux/Windows Authentication? Clint Bodungen (Feb 28)