Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Linux/Windows Authentication?
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Fri, 27 Feb 2004 14:50:30 -0600

"MARTIN M. BĂ©noni" wrote on Thursday, February 26, 2004 9:40 AM:



Hi list!

I am looking forward to know if there is a way to meet this following
requirement:

We are setting up an Intranet. On it, each department will be allowed to =
access a part of the server, for example HR Department will be allowed =
to
access just http://intranet/HR, Financial Department will just be =
allowed
to access to http://intranet/Finance, and so on. As they are = no-IT
people,
we would be looking for a transparent way to authenticate = them and to
block someone from one department to access a file from = another
department. User/password may be tough to set up as they will = have to
remember them and we will have to check if they are not using = weak
passwords. A PKI/Kerberos/... -based solution would be long to set = up as
well. I was thinking about some key-based authentication, as it = can
usually be done with ssh. But looking around the Internet for some =
information, no way to find out some clues... Moreover, all the clients =
will be Windows 2000/XP, and our Intranet runs under Linux (Redhat 9.0). =
Some ideas? :-)

Authentication based on IP addressees would be the easiest solution I =
have
been thinking about, but remains to know if I can tell my Linux box = to
allow a given bunch of IP addresses to access just a given = directory...


You can do this using .htaccess
(http://httpd.apache.org/docs-2.1/howto/htaccess.html) files under apache.
Just place the file in each of the department directories and make sure the
file mentions subdirectories as well. That will do the authentication based
on IP Addresses. However, there is a major flaw in this type of restriction.
If someone from HR (for example) goes to the sales floor and tries to access
his/her documents in the HR directory, she/he will get the access denied
message and could lead to major frustrations. Of course this depends on the
political climate in the company.

Also, if .htaccess files are not chosen as the solution, you can always use
the following code in a php script to tell what ip address someone is coming
from and either kick them to an access denied message (send header with a
403 error - Your request was denied as you have no permission to access the
data.)

----------- PHP Code ----------
// Read the RC based on the IP Address of the machine accessing this
application
list ($IP_Octet1, $IP_Octet2, $IP_Octet3, $IP_Octet4) =  explode (".",
$REMOTE_ADDR);

$IP_Octet1, $IP_Octet2, $IP_Octet3, and $IP_Octet4 will contain the 4 octets
of the address and you can use

if ($IP_Octet1 != "xxx") {
// Octet didn't match - deny access

}

----------- End Code fragment --------------








---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]