views:

250

answers:

3

I wrote a small internal web app using (a subset of) Pylons. As it turns out, I now need to allow a user to access it from the web. This is not an application that was written to be web facing, and it has a bunch of gaping security holes.

What is the simplest way I can make sure this site is securely available to that user, but no one else?

I'm thinking something like Apache's simple HTTP authentication, but more secure. (Is OpenID a good match?)

There is only one user. No need for any user management, not even to change password. Also, I trust the user not to damage the server (it's actually his).

If it were for me, I would just keep it behind the firewall and use SSH port forwarding, but I would like to have something simpler for this user.

EDIT: Hmm... judging by the answers, this should have been on serverfault. If a moderator is reading this, consider migrating it.

+8  A: 

If there's only a single user, using a certificate would probably be easiest.

Dave Webb
Certificates are more reliable than an IP address; go with this one.
Malfist
That looks good. Got a similar page for Ubuntu, by any chance?
itsadok
Google found that one for me. I'm sure it can work the same magic for you. :-)
Dave Webb
I'm looking, I'm looking... :(
itsadok
Apparently I needed to look no further than /etc/apache2/sites-available/default-ssl under ubuntu 9.04...
itsadok
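As an added example (not from this answer or from Apache's own documentation), here is what the single-user client-certificate lock-down looks like in the Ubuntu default-ssl site mentioned above; the file paths, the CN "remote-user" and the app listening on localhost:5000 are assumptions.

```apache
# /etc/apache2/sites-available/default-ssl, trimmed to the parts that restrict
# the site to one client certificate. Paths and names are example placeholders.
#
# One-off setup, run on a machine you control (keep ca.key off the web server):
#   openssl req -x509 -newkey rsa:2048 -days 3650 -subj "/CN=Private CA" \
#       -keyout ca.key -out private-ca.crt
#   openssl req -newkey rsa:2048 -subj "/CN=remote-user" \
#       -keyout user.key -out user.csr
#   openssl x509 -req -days 365 -in user.csr -CA private-ca.crt -CAkey ca.key \
#       -CAcreateserial -out user.crt
#   openssl pkcs12 -export -inkey user.key -in user.crt -out user.p12
# user.p12 is what the user imports into his browser; private-ca.crt goes on
# the server as SSLCACertificateFile below.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    # The server's own certificate; self-signed is acceptable for one known
    # user who can import it once.
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Only certificates issued by the private CA are accepted. The public CA
    # bundle in /etc/ssl/certs is deliberately NOT listed here, otherwise any
    # commercially issued client certificate would pass verification.
    SSLCACertificateFile  /etc/apache2/ssl/private-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Belt and braces: a valid certificate from the private CA must also carry
    # the expected subject CN, so a second certificate issued by mistake later
    # does not get in. (On Apache 2.4 the equivalent is
    # Require expr %{SSL_CLIENT_S_DN_CN} == "remote-user".)
    <Location />
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "remote-user"
    </Location>

    # Hand verified requests to the Pylons app; assumes mod_proxy is enabled
    # and the app itself only listens on the loopback interface.
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
```

Because the TLS handshake fails before any HTTP request reaches the application, the "gaping security holes" in the app are never exposed to anyone without the certificate.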
+2  A: 

Basic HTTP authentication can be brute-forced easily by tools like Brutus. If his IP is static you can allow his IP and deny all others with .htaccess.

Malfist
Use HTTP Digest; it's considerably more secure.
S.Lott
HTTP Digest is only better than Basic HTTP Auth because the password isn't transmitted in plaintext, but both can easily be brute-forced.
Malfist
The Wikipedia article also states that its encrypted data transfer is exploitable by rainbow tables, which means there's not a whole lot of difference between Basic Auth and Digest. Digest is just harder to break initially. Both forms offer a false sense of security.
Malfist
Only if you have the patience, rainbow tables, and the server doesn't handle the nonces well. Watching the IP addresses requesting nonces makes it very difficult to brute force; the server can count requesting addresses over a short period of time and refuse to cooperate with any address over some limit.
S.Lott
Sniff the network, steal the transmission. Rainbow tables can crack it in a few minutes if it's not a complex password, hours if it is. Then you have the password without ever once attempting to log into the server.
Malfist
+4  A: 

How about a VPN? There should be plenty of user-friendly VPN clients. He might already be familiar with the technology, since many corporations use them to grant workers access to the internal network while on the road.

freespace