[4511] in WWW Security List Archive
Re: Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (Jeremey Barrett)
Wed Feb 19 20:20:20 1997
Date: Wed, 19 Feb 1997 14:41:36 -0800 (PST)
To: jim@telecnnct.com
CC: daver@idiom.com, www-security@ns2.rutgers.edu
In-reply-to: <330B7B36.6E9DAAD9@telecnnct.com> (message from Jim Harmon on Wed, 19 Feb 1997 17:14:14 -0500)
Cc: jeremey@veriweb.com
From: Jeremey Barrett <jeremey@veriweb.com>
Errors-To: owner-www-security@ns2.rutgers.edu
-----BEGIN PGP SIGNED MESSAGE-----
> > Finding out the user's login on _his_ system requires an ident query,
> > sent by the web server to the identd daemon on the user's machine.
> > This is sent to a CGI in $REMOTE_IDENT, and should _not_ be used
> > as the basis for authentication, as 1) it is trivially faked, and 2)
> > most machines (especially windoze), do not run identd daemons.
>
> Ok, since we're on an Intranet, and this server is not visible to the
> Internet, and because most of the users are on the server itself, I'm
> having trouble seeing where "$REMOTE_anything" will work, even with
> identd running. Am I just being flakey on this issue?
If your server is running identd checks, it will run them even against
the local machine, and will populate REMOTE_IDENT. On a controlled
Intranet, you could use this with identd to provide the real login of
the user, and it should work fine, so long as there is no access to
the identd configuration or executable, and people have little to gain
from spoofing.
>
> > As far as "Real Name", you might want to investigate using X.509
> > certificates as your authentication mechanism, which will allow
> > you to put some reasonable information in the certificate.
> > XCert (www.xcert.com) is doing this stuff, as are others.
>
> Is it really necessary inside a closed system to use certs?
>
> I know this is rather petty of an issue, but I have users who are very
> set in how they work. The additional login to access our web server
> would not sit well with most of them, but I can see benefits with that
> in place. Primarily that we're starting to think about letting some
> power users and administrative staff do take-home work.
Certificates have the advantage that once they are installed, you can
sort-of forget them, except you will have to enter your "netscape password"
when you start your browser. But for your application, I'd run identd
and use that, again provided this is a private net and there is nothing
to gain by spoofing.
- --
=-----------------------------------------------------------------------=
Jeremey Barrett VeriWeb Internet Corp.
Crypto, Ecash, Commerce Systems http://www.veriweb.com/
PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
=-----------------------------------------------------------------------=
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQCVAwUBMwuBhi/fy+vkqMxNAQHMQwQAlK7zsUOowvsER90CQ/rc2btAkOJnnVP+
KrzgG7l+sZk1ReE/vZ0zbGmF2dmKSw78iIonv9EKt17K/b/9ESqgHq26j36ihvZE
HuFBF6YU7gt/hxscQNEA7aMmG43tEMWKG9OHg1Cpm3Rz47VEEWBz1CjeWcrt73YI
l3jKVOR0LqM=
=Z1Bf
-----END PGP SIGNATURE-----
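The thread above describes how REMOTE_IDENT comes to exist (the web server sends an RFC 1413 ident query to the client's host) and why it must not be trusted for authentication (the answer is produced entirely by the remote machine). The following is an added example, not code from the list thread or from any of its participants: a minimal RFC 1413 query client with a reply parser, plus a constructed in-process stand-in for the client's identd that answers with whatever name it is told to. The port numbers, the fake daemon and the sample replies are all assumptions made for the example; the `safe_for_log` helper is the one extra caveat a practitioner would want, since an identd reply is attacker-controlled text that often ends up in access logs.

```python
import socket
import threading

# RFC 1413 in one paragraph: the server side of a TCP connection (here, the
# web server) connects to port 113 on the client's host and sends
# "<server-port>, <client-port>\r\n".  The client's identd replies either
#   "<server-port>, <client-port> : USERID : <os> : <user>\r\n"   or
#   "<server-port>, <client-port> : ERROR : <reason>\r\n"
# Whatever comes back is what the CGI later sees in REMOTE_IDENT.


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into (kind, payload).

    kind is "USERID", "ERROR" or "MALFORMED".  The user field is split off with
    maxsplit so a user-id containing ':' is still returned whole.
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        return ("MALFORMED", line.strip())
    ports, kind = parts[0], parts[1].upper()
    if kind == "USERID" and len(parts) == 4:
        return ("USERID", {"ports": ports, "os": parts[2], "user": parts[3]})
    if kind == "ERROR" and len(parts) == 3:
        return ("ERROR", parts[2])
    return ("MALFORMED", line.strip())


def ident_query(host, port, server_port, client_port, timeout=5.0):
    """Ask the identd at host:port who owns the connection client_port -> server_port.

    Mirrors what a web server with ident lookups enabled does before it sets
    REMOTE_IDENT.  The reply is read up to the first newline, capped at 1 KiB,
    and the socket timeout bounds how long a silent host can stall the request.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_ident_reply(data.decode("ascii", errors="replace"))


def run_fake_identd(answer_user):
    """Constructed stand-in for the *client's* identd, listening on 127.0.0.1.

    It answers every query with answer_user (or ERROR : NO-USER when None).
    This is the whole point of the thread: the identity claim is produced by
    the remote host, so a host under the user's control can claim any name.
    Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(256).decode("ascii", errors="replace").strip()
            if answer_user is None:
                conn.sendall(f"{req} : ERROR : NO-USER\r\n".encode("ascii"))
            else:
                conn.sendall(f"{req} : USERID : UNIX : {answer_user}\r\n".encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def safe_for_log(value, max_len=64):
    """Reduce an identd-supplied string to printable ASCII before logging it.

    A reply containing CR/LF or terminal control characters could otherwise
    forge extra log lines; this keeps only 0x20..0x7e and truncates.
    """
    cleaned = "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in value)
    return cleaned[:max_len]


def demo():
    """Query a fake identd that claims to be 'root'; the server cannot tell."""
    port = run_fake_identd("root")  # constructed: the client host's identd
    return ident_query("127.0.0.1", port, 80, 40123)  # constructed port pair


if __name__ == "__main__":
    kind, info = demo()
    print(kind, safe_for_log(info["user"]) if kind == "USERID" else info)
```

Running `demo()` returns `("USERID", {... "user": "root"})` even though nothing on the server side was consulted, which is exactly the "trivially faked" property the first quoted message refers to; on the closed intranet described in the thread, the value is only as good as the hosts that answer the query. Treat REMOTE_IDENT as a logging hint, pass it through `safe_for_log` before writing it anywhere, and never branch an authorization decision on it.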