Article delegate-en/3052 of [1-4014] on the server localhost:7119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
[Reference:<_A3051@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en
[DeleGate-En] Re: how to authenticate admins by other means than identd or ftp ?
11 Aug 2005 11:40:21 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project 
Hi,

In message <_A3051@delegate-en.ML_> on 08/11/05(18:13:52)
you Armin Wies <p44fqbdyi-pg3up56amedw.ml@delegate.org> wrote:
 |> If your host of DeleGate runs FTP server, then you can use it for the
 |> authentication with an AUTH parameter as this:
 |> 
 |>   AUTH="admin:*:dgadmin@localhost"
 |
 |OK, I've set up a ftp-server in order to test this. One can minimize the security risk when binding the ftp-server to the loopback-interface.
 |But anyway, isn't it a  bit strange to set up a ftp-server just to do authentication for an admin-account of a proxy-server ?
 |
 |My question was, are there any other ways (apart from ident) how authentication can be done.

"/-/admin" was tentatively implemented in 1995 in DeleGate/2.6.0, when
there were not SSL, PAM, Digest Authentication, and ...
After 10 years of leaving, now I'm reviewing and extending the remote
administaraion.  It will be released as DeleGate/9.0.5 soon.


 |>  |Maybe this is trivial, but I have not found out.
 |>  |
 |>  |Another issue: Is there a way how the admin-gui can be secured using
 |>  |SSL ? (And to disable http://mydelegatserver:port/-/admin ?)
 |>  |I don't like anybody sniffing my passwords on unencrypted connections.
 |> 
 |> You can make your DeleGate use SSL optionally when it detected SSL on
 |> the client-side connection, as this:
 |> 
 |>   STLS=-fcl
 |> 
 |> So the simplest solution for your requirment with proxy HTTP-DeleGate can
 |> be like this:
 |> 
 |>   delegated -P8080 SERVER=http STLS=-fcl AUTH="admin:*:dgamin@localhost"
 |> 
 |>   admin-URL: https://DeleGateHost:8080/-/admin/
 |
 |But this just adds SSL-support to the admin-pages, still you have the option to use them without SSL.
 |Is there a way how you can get rid of the unsecured admin-interface, or how to get rid of the admin-web-interface at all ?

In DeleGate, URL based access control is done with the MOUNT parameter.
For example, forbidding any access to /-/admin can be done like this:

  MOUNT="/-/admin/* = forbidden"


 |> I think "AUTH=admin" should have been obsoleted when "AUTHORIZER" parameter
 |> was introduced, especially when Digest-Authentication is introduced.
 |> Since we can easily use SSL, Digest-Aughentication, or PAM in DeleGate, 
 |> it might be the good time to do so.
 |
 |Well, in fact I don't understand too well how authentication issues are handled in DG.
 |I've read the AUTH and AUTHORIZER-sections of the manual dozens of times, but yet I don't understand wether I can use them synonymously or use one as an addition to the other. I'd highly appreciate some clarification in the manual.
 |I think that more examples could be of great help too...
 |
 |(This is just meant as a feedback: The manual is sometimes hard to understand, especialy when it comes to interaction of parameters. I'd be glad to give suggestions how to improve the manual, but yet I don't understand the issues myself)

I know the manual is so hard to read :-)
In general, or at least in this case, the reason is the specification
is unclear in my mind, or so immature to make me willing to write
enough documents.


 |I see that DG is like a swiss army knife when it comes to proxying. I realy like the way how resources can be mounted and translated into different protocols, I realy like the amount of protocols it understands (miles ahead of anything else I've ssen). I'm realy keen on using it in my productive environment, but I am highly depending on authentication mechanisms.
 |
 |I'd be very glad if you could give me some hints of how the concept of authentication works, and which possibilities of authentication there are.

Wait DeleGate/9.0.4 for a while.
The enclosed patch is a small subset of it with which you can use it
as this, when admin. user is to be authenticated as "dgadmin" with PAM:  

  MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:dgadmin"


 |Domo arigato gozaimas  :-)

Bitte :-)

Cheers,
Yutaka
--
  D G   Yutaka Sato <pfqcabdyi-pg3up56amedw.ml@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** ../delegate9.0.4/src/admin.c	Tue Mar  1 07:00:47 2005
--- src/admin.c	Thu Aug 11 19:57:26 2005
***************
*** 544,549 ****
--- 544,558 ----
  		return AuthStat;
  	AuthStat = (AuthStat & ~A_PASS) | A_EVALED_PASS;
  
+ 	if( *MO_Authorizer && *ClientAuthUser && ClientAuth.i_error==0 )
+ 	if( CTX_auth_admin(Conn,command,"FTP",ClientAuthUser) )
+ 	{
+ 		*ident = ClientAuth;
+ 		strcpy(who,ClientAuthUser);
+ 		AuthStat |= A_WITH_PASSAUTH|A_OK_PASSAUTHEN|A_OK_PASSAUTHOR;
+ 		return AuthStat;
+ 	}
+ 
  	if( !HTTP_getAuthorization(Conn,0,&xident,1) )
  		return AuthStat;
  	if( xident.i_Host[0] == 0 )
***************
*** 574,582 ****
--- 583,595 ----
  {	AuthInfo ident;
  
  	if( streq(arg,"admin_enabled") ){
+ 		if( *MO_Authorizer && *ClientAuthUser && ClientAuth.i_error==0 )
+ 			return 1;
  		return CTX_with_auth_admin(Conn);
  	}else
  	if( streq(arg,"fauth") ){
+ 		if( *MO_Authorizer && *ClientAuthUser && ClientAuth.i_error==0 )
+ 			fputs(ClientAuthUser,fp);
  		if( HTTP_getAuthorization(Conn,0,&ident,0) )
  			fputs(ident.i_user,fp);
  	}else
  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V