1 / 6

Secure Authentication A Brief Overview

AfNOG 2007 April 26, 2007 Abuja, Nigeria Hervey Allen. Secure Authentication A Brief Overview. What are we talking about?. Any service you run that authenticates should not do so in the clear. This includes: pop imap shell login file transfer web login (think webmail)

Download Presentation

Secure Authentication A Brief Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. AfNOG 2007 April 26, 2007 Abuja, Nigeria Hervey Allen Secure AuthenticationA Brief Overview

  2. What are we talking about? Any service you run that authenticates should not do so in the clear. This includes: • pop • imap • shell login • file transfer • web login (think webmail) • sending (think smtp)

  3. Some replacements INSECURESECURE PORT ==> PORT POP POPS w/ssl cert 110 995 IMAP IMAPS w/ssl cert 143 993 TELNET SSH 23 22 FTP SFTP or SCP 21* 115 HTTP HTTPS 80 443 • http upload is harder • anonymous ftp is OK. Watch uploads • *dynamic port ranges for connections

  4. Avoiding the ssh tunnel SSH tunneling is cool and powerful, but can circumvent some secure practices and is hard for most users. You can use pops, imaps, and smtp with tls to remove the need for most ssh tunnels. This can avoid the need for users doing this. ssh -C -f username@host.domain -L 1100:localhost:110 sleep 10000

  5. It can be painful... Windows has no built-in ssh/sftp/scp client. This can make secure shell login requirements painful. For secure web login simply force the login page to be https. Most scripting and programatic interfaces make this easy. In PHP: if ($_SERVER["HTTPS"] != 'on') { header("Location: https://" .$_SERVER['SERVER_NAME'] \.$_SERVER['PHP_SELF']."?referrer=$referrer"); }

  6. But, it's worth it Start to get your user community used to the idea of “no passwords in the clear” Has the potential to steer your organization clear of potential liability issues in the future. You'll sleep better at night... ;-)

More Related