[Libwebsockets] PAM authentication for http sessions

Necktwi Ozfguah necktwi at ferryfair.com
Tue Sep 4 08:58:46 CEST 2018



> On 04-Sep-2018, at 11:56 AM, Necktwi Ozfguah <necktwi at ferryfair.com> wrote:
> 
>> 
>> On 04-Sep-2018, at 11:11 AM, Andy Green <andy at warmcat.com <mailto:andy at warmcat.com>> wrote:
>> 
>> 
>> 
>> On 09/04/2018 01:25 PM, Necktwi Ozfguah wrote:
>>>> On 04-Sep-2018, at 9:19 AM, Necktwi Ozfguah <necktwi at ferryfair.com <mailto:necktwi at ferryfair.com> 
>> 
>>>>    AFAIK I don't have any use for PAM + lws.
>>>> 
>>>>    What would you actually use it for?
>> 
>>> I am running a hobby web server. I want my web users to use the linux login credentials. Of course lws and PAM are independent. Thank you.
>> 
>> It's probably not a good idea to do that... unless perhaps they're logging into a server that is running on the same box, like cups does it.
>> 
> Sorry, I meant the other way, I want my system users to login to the web portal using their linux credentials. Are you referring cups to https://u7535577.ct.sendgrid.net/wf/click?upn=S8VPHvg5-2FzxqlLfWXPq42ofGMeomOuIICdCgu-2FfPpf4-3D_MVqETTsl5w9JZmVH1Sq2QE8KivBbCxWEMAI66w938-2FwvrqQiWAHgQB1aY46IxLBqVbsv3YOf1xGgzrS3BvS-2FSdSCaTcy7mQpJ8XMLjRhVeFWg5U9idTFILlI4CdkarXN5mTIxQrRuK-2FfeMdQ2XKOwhK2pPWKREs88ETtaFzdEct2rGM79ZrGbvSbNjw0cOTOJGjNoNwg6BVJHo-2Fi5NMHtCT-2FaBRZ32qWDPp5lZ0rkdA-3D <https://u7535577.ct.sendgrid.net/wf/click?upn=S8VPHvg5-2FzxqlLfWXPq42u7cPGghXCdGGd9Sj25ftZFcHDVj2YDVyT9b6LUfX5fnuKUjlwv25oT2-2F64zCCBCjdxVdWQNzZ84k9TShp2kiJC5ZJ-2FdpbxREEryFviUBUNQ2bUNKGg11F5RrooJAyp9h-2BSjaP9FrvZzUAHQAkUivIKR-2BamBFA223Z1DtJKyH6i6Rxqj0XSbJWX2pMCOMmDUJCByLT6K9wP6n-2B9Z0vRpURAZ92Mhl8nE2JmgmzQEhc9EDRBrM6HbiCHamXkHlCqfdShDlLC8ZxYhEYbWrAsQlhuTKJ-2BWWZJvvySOLn8R-2BX-2FRsDiO3MtvPhQVmGvcHxxRchq9zSCH12RSPm73UNMSzgrLUHLlkOs-2FBuTcdbam9RUxlaC9s9Mp6LFvCClHzg9JdiD0pNCa0mSviTffNwrnVQWIRqSAsy-2Bn-2F-2BNr926f15uRxAWaLxltsKlD4oYsqXns3We4vWrH2e-2B1pRRCKCDfQs4-3D_MVqETTsl5w9JZmVH1Sq2QE8KivBbCxWEMAI66w938-2FwvrqQiWAHgQB1aY46IxLBqVbsv3YOf1xGgzrS3BvS-2FSTkhLZk5kiahgOjirt9nkUk-2BaLemqu6vmJhxf2qCcNkc-2F2Gd0uVm8KDWYm6Z-2Fo-2BbpPwYRrHQN7lUlFIAR-2BwKS5TQQOlTSNISdoDFhmcB9H-2Fx1jdSHd1wMixDudkW2YmRTT0uC2ZODAMxSAlo-2FvVlmVA-3D> ? I have no experience with it.
To avoid password phishing I am planning to add an intermediate hash layer to the default login.
   Password->DefaultLogin->Hash1->Hash2->authorise.
   Password->Hash1->WebLogin->Hash2->authorise.
Will this make you fearless?
>> If you're running TLS / SSL, then Basic Auth is pretty easy to use.
>> 
>> You maintain a text file in a dir that isn't served anywhere over http. It contains credentials one per line in the format
>> 
>> name:password
>> 
>> Then you just point .basic_auth_login_file on the the mount you want to be protected to the filepath on the server with the credentials
>> 
>> See the related minimal example
>> 
>> https://u7535577.ct.sendgrid.net/wf/click?upn=S8VPHvg5-2FzxqlLfWXPq42jtl-2BHS72n8W8-2BdZEc27PklOQ6y9BK7rpJ3-2FA3UXdw1WZXnuD8x57HOwXs6SAu9koKpZVWOVbBqFfTTxfUC74mCxzENasUhQwt1U8Nw5d-2BXMDdBHtpzfC7ywvvprkI1MQtfcR2Vb7T5USu9XWtsZoSA-3D_MVqETTsl5w9JZmVH1Sq2QE8KivBbCxWEMAI66w938-2FwvrqQiWAHgQB1aY46IxLBqVbsv3YOf1xGgzrS3BvS-2FScfv1xjn-2B-2BwsNjRaFarOSbZS3Y9LvSlulQi2BiY9WyHcjLmRFxIVQ2Dkbs7jFby4dgpjQP1ndcTeCYs51y1UvhPny5ZBl-2B6cHsOjDdyMbj-2BWyoQ6J7k2OzAULrq0urtoo2goNE3wcr5MI5RuHTdvJJc-3D <https://u7535577.ct.sendgrid.net/wf/click?upn=S8VPHvg5-2FzxqlLfWXPq42u7cPGghXCdGGd9Sj25ftZFcHDVj2YDVyT9b6LUfX5fnuKUjlwv25oT2-2F64zCCBCjSfHC9-2FSlUnqZwozeI25o-2FkjidU18XREyIuuNt1yrePg1VmWhLB5z5CWZOQFw-2FGj3CPQdiRsaZSLlhHpN3uZFMGQFYvLeoZzr8H-2BCcR7aoYOrMTsdG5ksXYSNb4j-2BRPQg6wksJVmETqjD-2BTH6v06wpX5snxMKxJjWee3bmVc5yhVSN6kJm18L38PJ4TTPj0wgvUaHNqlhbnevy5RAqj3zE-2B7y3g1SnQRLV0KBitNu3YOOpUsQm7NwjESZgXh35O-2Fg1p9lpg1CgZZDC8ugiubzORrwoBOr0PlNtdpof81HI-2BdvPNpqv3leB2kEh2EuMqb0YA-2B88Vc-2B47SHw28-2Bx9YjG4pIJ4Z9VzFSzVeI4Gmv6dKnRE6LoXKTx-2F1kfwywpNfDTvLU2R8zm5DjDqsK2bzOa8IoaGrafP1UtDWJHITnkvFP-2BdlRfgDCf5HE-2FiWWe602XN8YD2eF33fRZ7SWkAmone-2Brz6qfJc-2FsOZuMU6tta98f2rpbJi6MtO97HLdEB4k5cYz6-2B1z0nLpoA0HZePw3ynxUCubmDSiqP7ff6BiWTo9qolPZaRXZ-2Fhi3bnhCQArYw-3D-3D_MVqETTsl5w9JZmVH1Sq2QE8KivBbCxWEMAI66w938-2FwvrqQiWAHgQB1aY46IxLBqVbsv3YOf1xGgzrS3BvS-2FSTxccR0UDIhH5tFc5BPWhtMHaSfN-2BUwbSgCaRgsU2QcXZhf5aUzKmD-2B1KEjlNZ-2BKd6ABAThh4gMcesJ9jx02snG0tZhKTz5vvVcU3nII8dV8NtJcoSAk6T-2BGw-2B1cLyZTp-2BbFMBgR6vTK1-2Bswx1kdK70-3D>
>> 
>> However you really shouldn't put the PAM credentials in the basic auth file... it's too easy for some user who gets their browser to remember their login for your site to leak a perfectly usable PAM login then...
>> 
>> -Andy
> ... NeckTwi _______________________________________________
> Libwebsockets mailing list
> Libwebsockets at ml.libwebsockets.org <mailto:Libwebsockets at ml.libwebsockets.org>
> https://u7535577.ct.sendgrid.net/wf/click?upn=S8VPHvg5-2FzxqlLfWXPq42jtl-2BHS72n8W8-2BdZEc27Pkm8-2BhcIKmaR9WoeTGnhmq-2Br9kYDs4T-2FMrzobihEBMVcsg-3D-3D_MVqETTsl5w9JZmVH1Sq2QE8KivBbCxWEMAI66w938-2FwvrqQiWAHgQB1aY46IxLBqVbsv3YOf1xGgzrS3BvS-2FSU-2FZgeE9wGa5HS4WWJXh5sitCksAw7xOOqXvACyWi87NH-2BNxSPUkZR0Vjy2zTzrm9idAWug9fkmYMtCtnKA98OGkItiI32-2Fa1ew4ZbQOkre8WN18Acb0kQXx9uMD8IQFIp8S-2FEJ5TjYsMLA4ZBrN3BQ-3D <https://u7535577.ct.sendgrid.net/wf/click?upn=S8VPHvg5-2FzxqlLfWXPq42jtl-2BHS72n8W8-2BdZEc27Pkm8-2BhcIKmaR9WoeTGnhmq-2Br9kYDs4T-2FMrzobihEBMVcsg-3D-3D_MVqETTsl5w9JZmVH1Sq2QE8KivBbCxWEMAI66w938-2FwvrqQiWAHgQB1aY46IxLBqVbsv3YOf1xGgzrS3BvS-2FSSLAA5jz-2FRJYv9OQ2BAJsjkBXvSvtoc2HJy1t6AGpVYS9z5IM7-2BAUzWTlF-2FckjnbGN8UqdOIT7l5eHXpZrY9gxz5-2FbRezTAkIUY-2Bc-2Fzbp-2FyhocxvBKoI16wdr6e-2B0k0RONbjf-2BNo42G7m5j6bu2Bf80-3D>
... NeckTwi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://libwebsockets.org/pipermail/libwebsockets/attachments/20180904/ed5e10c1/attachment-0002.html>


More information about the Libwebsockets mailing list