<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>authentication on S Anand</title>
    <link>https://www.s-anand.net/blog/tag/authentication/</link>
    <description>Recent content in authentication on S Anand</description>
    <generator>Hugo -- 0.156.0</generator>
    <language>en-us</language>
    <lastBuildDate>Sat, 19 Nov 2011 13:58:36 +0000</lastBuildDate>
    <atom:link href="https://www.s-anand.net/blog/tag/authentication/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Protect static files on Apache with OpenID</title>
      <link>https://www.s-anand.net/blog/protect-static-files-on-apache-with-openid/</link>
      <pubDate>Fri, 18 Nov 2011 23:11:50 +0000</pubDate>
      <guid>https://www.s-anand.net/blog/protect-static-files-on-apache-with-openid/</guid>
      <description>&lt;p&gt;I moved from static HTML pages to web applications and back to static HTML files. There’s a lot to be said for the simplicity and portability of a bunch of files. Static site generators like &lt;a href=&#34;https://github.com/mojombo/jekyll&#34;&gt;Jekyll&lt;/a&gt; are increasingly popular; I’ve built a simple &lt;a href=&#34;https://bitbucket.org/sanand0/utils/src/tip/publish.make&#34;&gt;publisher&lt;/a&gt; that I use extensively.&lt;/p&gt;
&lt;p&gt;Web apps give you something else, though, that are still useful on a static site. Access control. I’ve been resorting to &lt;a href=&#34;http://httpd.apache.org/docs/2.2/programs/htpasswd.html&#34;&gt;htpasswd&lt;/a&gt; to protect static files, and it’s far from optimal. I &lt;strong&gt;don’t&lt;/strong&gt; want to know or manage users’ passwords. I &lt;strong&gt;don’t&lt;/strong&gt; want them to remember a new ID. I just want to allow specific people to log in via their Google Accounts. (OpenID is too &lt;a href=&#34;http://www.gibdon.com/2008/06/openid-is-confusing.html&#34;&gt;confusing&lt;/a&gt;, and most people &lt;a href=&#34;http://blog.stackoverflow.com/2010/04/openid-one-year-later/&#34;&gt;use Google anyway&lt;/a&gt;.)&lt;/p&gt;
&lt;p&gt;The easiest option would be to use Google &lt;a href=&#34;http://appengine.google.com/&#34;&gt;AppEngine&lt;/a&gt;. But their &lt;a href=&#34;http://code.google.com/appengine/docs/billing.html&#34;&gt;new pricing&lt;/a&gt; worries me. Hosting on EC2 is expensive in the long run. All my hosting is now out of a shared &lt;a href=&#34;http://www.hostgator.com/&#34;&gt;Hostgator&lt;/a&gt; server that offers Apache and PHP.&lt;/p&gt;
&lt;p&gt;So, obviously, I wrote a library protects static files on Apache/PHP using OpenID.&lt;/p&gt;
&lt;h3 id=&#34;download-the-code&#34;&gt;&lt;a href=&#34;https://github.com/sanand0/protectstatic&#34;&gt;Download the code&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Say you want to protect &lt;code&gt;/home/www&lt;/code&gt; which is accessible at &lt;a href=&#34;http://example.com/&#34;&gt;http://example.com/&lt;/a&gt;.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Copy &lt;code&gt;.htaccess&lt;/code&gt; and &lt;code&gt;_auth/&lt;/code&gt; under &lt;code&gt;/home/www&lt;/code&gt;.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;In .htaccess, change &lt;code&gt;RewriteBase&lt;/code&gt; to &lt;code&gt;/&lt;/code&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;In &lt;code&gt;_auth/&lt;/code&gt;, copy &lt;code&gt;config.sample.php&lt;/code&gt; into &lt;code&gt;config.php&lt;/code&gt;, and&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;change &lt;code&gt;$AUTH_PATH&lt;/code&gt; to &lt;a href=&#34;http://example.com/&#34;&gt;http://example.com/&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;add permitted email IDs to &lt;code&gt;function allow()&lt;/code&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Now, when you visit &lt;a href=&#34;http://example.com&#34;&gt;http://example.com&lt;/a&gt;, you’ll be taken to Google’s login page. Once you log in, if your email ID is allowed , you’ll be able to see the file.&lt;/p&gt;
&lt;p&gt;Feel free to try, or &lt;a href=&#34;https://github.com/sanand0/protectstatic&#34;&gt;fork the code&lt;/a&gt;.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id=&#34;comments&#34;&gt;Comments&lt;/h2&gt;
&lt;!-- wp-comments-start --&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href=&#34;http://www.s-anand.net/&#34;&gt;S Anand&lt;/a&gt;&lt;/strong&gt; &lt;em&gt;19 Nov 2011 10:31 am&lt;/em&gt;:
I could. But what I&amp;rsquo;ve learnt is that while the static content on this site has survived 14 years, moving from host to host, the same can&amp;rsquo;t be said of ANY of the apps I&amp;rsquo;ve written to create the site. I&amp;rsquo;ve moved from shell scripts to Perl to Python to node.js&amp;hellip; and something else will come up. I can&amp;rsquo;t maintain this stuff. Fortunately, HTML will stay.
So I&amp;rsquo;m making the content primary. I just have a bunch of static files, and that&amp;rsquo;s the key. This is an OPTIONAL library that sits on the side. Without it, the worst that&amp;rsquo;ll happen is that the content becomes public. But otherwise, all URLs will remain unbroken. That&amp;rsquo;s a big win with this approach.
That&amp;rsquo;s also the reason I rejected AppEngine. For my volume of usage, pricing isn&amp;rsquo;t a serious issue. It&amp;rsquo;s simplicity.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href=&#34;http://www.reviewgang.com&#34;&gt;Manu&lt;/a&gt;&lt;/strong&gt; &lt;em&gt;19 Nov 2011 5:59 am&lt;/em&gt;:
If you are willing to host it outside, then heroku allows one free instance per project.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href=&#34;http://www.s-anand.net/&#34;&gt;S Anand&lt;/a&gt;&lt;/strong&gt; &lt;em&gt;2 Dec 2011 10:09 pm&lt;/em&gt;:
I too will probably stay on WordPress for a while. But recently, I&amp;rsquo;ve been creating quite a few microblogs for various topics, and find that the workflow of Markdown -&amp;gt; Dropbox -&amp;gt; PHP -&amp;gt; HTML far too compelling to ignore. It&amp;rsquo;s worked quite well from an ease of publishing perspective. I&amp;rsquo;m still ironing out few edges. Will publish once I do.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href=&#34;http://thejeshgn.com&#34;&gt;Thejesh GN&lt;/a&gt;&lt;/strong&gt; &lt;em&gt;25 Nov 2011 11:56 am&lt;/em&gt;:
I was planning to move to static using &lt;a href=&#34;http://www.blogofile.com/&#34;&gt;http://www.blogofile.com/&lt;/a&gt; (python and variety of templating systems are supported). But I am still betting on wordpress for many things. One day I will probably move to static blog.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href=&#34;http://chmd.fr&#34;&gt;Christophe-Marie Duquesne&lt;/a&gt;&lt;/strong&gt; &lt;em&gt;22 Dec 2013 12:53 pm&lt;/em&gt;:
Hi,
Your post inspired me to write a lighttpd magnet script that protects content regardless of its nature (static or dynamic). I use it:
&lt;ul&gt;
&lt;li&gt;for protecting my (static) photo gallery and only giving access to people I select&lt;/li&gt;
&lt;li&gt;for protecting my (dynamic) rss reader and only giving access to myself&lt;/li&gt;
&lt;li&gt;for protecting my (dynamic) online file manager and only giving access to my girlfriend and myself.
It is completely pluggable, and it sets the REMOTE_USER server variable so that user-aware applications can use this mechanism to authentify you.
&lt;a href=&#34;https://lighttpd-external-auth.chmd.fr/&#34;&gt;https://lighttpd-external-auth.chmd.fr/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;!-- wp-comments-end --&gt;
</description>
    </item>
    <item>
      <title>Two Factor Authentication</title>
      <link>https://www.s-anand.net/blog/two-factor-authentication/</link>
      <pubDate>Thu, 17 Mar 2005 12:00:00 +0000</pubDate>
      <guid>https://www.s-anand.net/blog/two-factor-authentication/</guid>
      <description>&lt;p&gt;Bruce Schneier on &lt;a href=&#34;http://www.schneier.com/blog/archives/2005/03/the_failure_of.html&#34;&gt;The Failure of Two-Factor Authentication&lt;/a&gt;. &lt;a href=&#34;http://www.itsecurity.com/papers/rainbow2.htm&#34;&gt;Two factor authentication&lt;/a&gt; replaces passwords with two things: something you have (e.g. a security token that changes numbers every minute) and something you know (e.g. password). Bruce says this won&amp;rsquo;t help against two new kinds of attacks we&amp;rsquo;re seeing:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Man-in-the-Middle attack&lt;/strong&gt;. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank&amp;rsquo;s real website. Done right, the user will never realize that he isn&amp;rsquo;t at the bank&amp;rsquo;s website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user&amp;rsquo;s banking transactions while making his own transactions at the same time.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Trojan attack&lt;/strong&gt;. Attacker gets Trojan installed on user&amp;rsquo;s computer. When user logs into his bank&amp;rsquo;s website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
    </item>
    <item>
      <title>Really stupid security policies</title>
      <link>https://www.s-anand.net/blog/really-stupid-security-policies/</link>
      <pubDate>Sun, 27 Oct 2002 12:00:00 +0000</pubDate>
      <guid>https://www.s-anand.net/blog/really-stupid-security-policies/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;http://www.ravikiran.com/?Requestid=25&#34;&gt;Really stupid security policies&lt;/a&gt;. On three sites (two Indian) that don&amp;rsquo;t take security seriously. &lt;a href=&#34;http://www.ravikiran.com&#34;&gt;via Ravikiran&lt;/a&gt;&lt;/p&gt;
</description>
    </item>
    <item>
      <title>Using digital signatures</title>
      <link>https://www.s-anand.net/blog/using-digital-signatures/</link>
      <pubDate>Mon, 29 Jul 2002 12:00:00 +0000</pubDate>
      <guid>https://www.s-anand.net/blog/using-digital-signatures/</guid>
      <description>&lt;p&gt;Companies like L&amp;amp;T, Ashok Leyland, Infosys are &lt;a href=&#34;http://www.blonnet.com/stories/2002072900550200.htm&#34;&gt;using digital signatures&lt;/a&gt; already.&lt;/p&gt;
</description>
    </item>
  </channel>
</rss>
