HTTP/CLI Authentication
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
EnDroid | Confirmed | Wishlist | Unassigned |
Bug Description
Allow authentication over HTTP using standard HTTP authentication. I'm not sure how authentication would be performed server side (i.e. what would be done with the username and password to determine if the user is who he says he is). Presumably LDAP, although I can't find a builtin/twisted LDAP module.
Also a scheme which means CLI commands can be used without having to enter a password each time. Possible thoughts on this:
1) Store the password in a chmod 600 plain-text file (or in some obfuscated form). Bad for security reasons, but compatible with HTTP auth above.
2) Store a cookie in a chmod 600 plain-text file. The cookie is generated (randomly) by successfully authing with some other method. The cookie can be included with requests, which the server authenticates by looking up in a DB of (hashed?) cookies. This is similar to the scheme many websites use. Susceptible to the cookie being sniffed on the wire. Can provide a "logout" option to revoke the current cookie.
3) Same as above, except the cookie is hashed with the message content and maybe some sort of timestamp? Avoids the cookie sniffing issue, but has extra complexity, in particular defining a canonical form for the message to be hashed. May be difficult as the URL is represented differently on the server side vs the client (indeed, Apache rewrite rules may rule out this scheme entirely.)
4) OAuth type system. AFAICT this is similar to the cookie scheme, except there's the possibility to have multiple cookies, and for them to be explicitly managed to e.g. permit/allow certain abilities, or revoke entirely.
5) OpenPGP based authentication. This way the "authentication token" is only known to the client. Equivalent (I think) to SSH'ing using PKA using files in ~/.id_rsa{,.pub}.
Personally, I like option #2. #1 is an obvious security no-no; #3 to #5 seem overkill (i.e. adding UX and code complexity for little benefit).
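To make the comparison between options #2 and #3 concrete, here is an added Python sketch of both; it is example code written for this page, not EnDroid's implementation. Option #2 issues a random cookie after some other authentication succeeded, the server keeps only a hash of it, the client keeps it in a file created with mode 0600, and "logout" deletes the hash. Option #3 keeps the cookie on the client and uses it as an HMAC key over a timestamped canonical form of the request; note that the server then has to hold the secret itself to recompute the HMAC, so it cannot get away with storing only a hash as #2 does. The in-memory dict store, the token file location, the canonical request format and the replay window are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
import time
from pathlib import Path

DEFAULT_TOKEN_FILE = Path("~/.endroid_token").expanduser()  # assumed location
REPLAY_WINDOW = 300  # seconds; assumed clock-skew / replay tolerance for option #3


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Server side. A dict stands in for the DB the description mentions."""

    def __init__(self):
        self._bearer = {}   # option #2: sha256(cookie) -> username
        self._signing = {}  # option #3: key_id -> (username, secret)

    # ---- option #2: random bearer cookie, stored hashed ----
    def issue(self, username):
        token = secrets.token_urlsafe(32)  # only after the user authed some other way
        self._bearer[_digest(token)] = username
        return token  # plaintext goes to the client once and is never stored

    def lookup(self, token):
        return self._bearer.get(_digest(token))

    def revoke(self, token):
        # The "logout" option: drop the hash so a sniffed copy stops working.
        return self._bearer.pop(_digest(token), None) is not None

    # ---- option #3: cookie never sent; it keys an HMAC over the request ----
    def issue_signing(self, username):
        # The server must keep the secret itself to recompute the HMAC, so
        # unlike #2 it cannot store only a hash of it.
        key_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._signing[key_id] = (username, secret)
        return key_id, secret

    def verify_signed(self, key_id, timestamp, canonical, signature, now=None):
        entry = self._signing.get(key_id)
        if entry is None:
            return None
        username, secret = entry
        now = time.time() if now is None else now
        if abs(now - timestamp) > REPLAY_WINDOW:
            return None  # stale or replayed
        expected = sign_request(secret, timestamp, canonical)
        if not hmac.compare_digest(expected, signature):
            return None  # tampered request or wrong key
        return username


def canonical_request(method, path, query, body=b""):
    # Assumed canonical form: upper-case method, path as sent, query sorted, body
    # hashed. Whether the server still sees the same path after rewrite rules is
    # exactly the open problem the description raises.
    q = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    return "\n".join([method.upper(), path, q, hashlib.sha256(body).hexdigest()])


def sign_request(secret, timestamp, canonical):
    msg = f"{int(timestamp)}\n{canonical}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def save_token(token, path=DEFAULT_TOKEN_FILE):
    # Client side: create the file with mode 0600 up front so it is never briefly
    # world-readable; chmod again in case it already existed with a wider mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    os.chmod(path, 0o600)
    return path


def load_token(path=DEFAULT_TOKEN_FILE):
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # refuse a loose file, the way ssh does for a private key
        raise PermissionError(f"{path} is group/world accessible: {oct(mode)}")
    return path.read_text().strip()


def demo():
    """Exercise both schemes; returns the outcomes so they can be checked."""
    store, out = TokenStore(), {}
    with tempfile.TemporaryDirectory() as d:
        token = store.issue("alice")
        path = save_token(token, Path(d) / "token")
        out["bearer"] = store.lookup(load_token(path))  # "alice"
        out["sniffed"] = store.lookup(token)             # also "alice": #2's weakness
        store.revoke(token)
        out["revoked"] = store.lookup(token)             # None
    key_id, secret = store.issue_signing("bob")
    ts, canon = 1_700_000_000, canonical_request("GET", "/status", {"b": "2", "a": "1"})
    sig = sign_request(secret, ts, canon)
    out["signed"] = store.verify_signed(key_id, ts, canon, sig, now=ts + 5)  # "bob"
    other = canonical_request("GET", "/admin", {"a": "1", "b": "2"})
    out["tampered"] = store.verify_signed(key_id, ts, other, sig, now=ts + 5)  # None
    out["replayed"] = store.verify_signed(key_id, ts, canon, sig, now=ts + REPLAY_WINDOW + 1)  # None
    return out
```

`demo()` shows the trade-off the description is weighing: with #2, anyone who sniffs the cookie is "alice" until she logs out, whereas with #3 a captured signature is useless for a different request or after the replay window, at the cost of agreeing on a canonical form of the request and keeping the secret on the server.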