Home page logo
/

basics logo Security Basics mailing list archives

Re: Authentication question & problem
From: Tremaine Lea <tremaine () gmail com>
Date: Tue, 22 Apr 2008 13:30:32 -0600

It may be relatively straightforward, if approached differently.

Create a vpn tunnel between site B and site C. Allow users from site B to access the application on site C. Allow users to remote in to site B with credentials.

There should be no need for site C to be involved in your ldap credentials. The fact they are authenticated on a domain that site C has chosen to trust should be sufficient. If it's not sufficient, they should be providing their own authentication mechanism.

It's a bit difficult to provide specific suggestions without more information, but the above solution is definitely workable.

---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"



On 22-Apr-08, at 10:41 AM, evilwon12 () yahoo com wrote:
Here is what my developers are wanting to do, and I cannot think of a secure way to do this.

Have a user (at home) authenticate against our LDAP through a company portal/site and have that authentication information passed to an external vendor, allowing the user at home to utilize the application from home after being authenticated.

So, it's user at site A, authenticating with site B, and the user at site A using the application (after authentiation) at site C.

Sorry for being long winded, but everything there screams MITM to me. I am probably missing something easy.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault