PerlMonks  

Restricting access to Perl scripts based on PKI certs

by rgwest61 (Initiate)
on Jun 29, 2015 at 20:42 UTC

rgwest61 has asked for the wisdom of the Perl Monks concerning the following question:

I have a security requirement to limit access to developed Perl scripts within a Linux environment based on a user's PKI certificates. Does something already exist to do such, or is this more of a system security acti

Re: Restricting access to Perl scripts based on PKI certs
by RonW (Parson) on Jun 30, 2015 at 21:43 UTC

    Are these users logging into computers running Linux? If so, this is probably a system security issue. If you need to layer application level access control on top of the system access controls, there are different possible ways to do this. More information is needed.

    Is this a website running under Linux? If so, it is possible to create authentication and authorization modules for, at least, the Apache web server. The authentication module would verify the user's credentials and save a session record indicating which certificate(s) the user used. The authorization module would then use the information in the session record to grant/deny access to various resources provided through the web server.

    Again, more information is needed.

    Update: Fixed typos.

Re: Restricting access to Perl scripts based on PKI certs
by sundialsvc4 (Abbot) on Jun 29, 2015 at 23:16 UTC

    Ordinarily, I see authentication/authorization tasks being handled by an infrastructure such as LDAP (OpenDirectory), or Kerberos. (In this case, the latter sounds more like what you are looking for.) PKI techniques are fundamental to these, but you don't have to deal with them directly.

    Ordinarily, access to the restricted script (or web site/page) is restricted externally to the script itself: "if you are not authorized, then you don't get that far." The script, if successfully accessed at all, therefore knows that the user is authorized (and, of course, can verify this, itself). Trusted APIs are also available by which the script itself obtains the user's trusted identity and can [ask the infrastructure to] do further authorization checks. In some cases this extends straight-through to the database and other servers, who are able to know on whose behalf your script is working.

    And, especially in any business/commercial setting, IMHO this is the only way to go... Yes, of course, Perl/CPAN has all the necessary goodies.

    Companies are learning ... the hard way ... the importance of having a single, comprehensive and consistent, way of handling authorization/authentication in a global, corporation-wide fashion. "Roll your own" solutions, such as might be called-for in a single public web site with no serious security requirements, are not what these companies want. They want to set up a single strategy, e.g. using one of the technologies mentioned above, and then be able to audit that every application respects it and conforms to it, with multiple security checks. The central authority is consulted by web servers, by VPNs, by logins, by everything in the world, and the auditors very patiently and very repeatedly check that this is so. Everyone consults the central authority, and of course PKI is a key technical component of these (invisible-to-you) processes. No one and nothing forges their own path.
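Added example, not code from either reply: the pattern both answers describe for the web-server case, where Apache (mod_ssl) verifies the client certificate before the request reaches the script, and the Perl CGI script then checks for itself that a verified certificate on its allow-list was used. The CA and subject DNs, the allow-list and the sample environment are constructed assumptions; the `SSL_CLIENT_*` variables are the standard ones mod_ssl exports.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list of client certificates permitted to run this script.
# Entries are keyed on issuer DN *and* subject DN, so a certificate with
# the same subject issued by a different CA does not match.
# (Constructed sample values, not real certificates.)
my %ALLOWED = (
    '/C=US/O=Example Corp/CN=Example Issuing CA' => {
        '/C=US/O=Example Corp/OU=Dev/CN=Alice Example' => 1,
        '/C=US/O=Example Corp/OU=Dev/CN=Bob Example'   => 1,
    },
);

# authorize_client(\%env, \%allowed): returns (1, subject DN) when the
# request carried a client certificate that Apache verified and that is
# on the allow-list, otherwise (0, reason). Deny by default.
sub authorize_client {
    my ($env, $allowed) = @_;
    return (0, 'not an HTTPS request') unless ($env->{HTTPS} // '') eq 'on';
    return (0, 'client certificate not verified by the server')
        unless ($env->{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS';
    my $issuer  = $env->{SSL_CLIENT_I_DN} // '';
    my $subject = $env->{SSL_CLIENT_S_DN} // '';
    return (0, "issuer not trusted: $issuer") unless $allowed->{$issuer};
    return (0, "subject not on allow-list: $subject")
        unless $allowed->{$issuer}{$subject};
    return (1, $subject);
}

# Constructed sample of what mod_ssl exports to a CGI script when the
# vhost has "SSLVerifyClient require" and "SSLOptions +StdEnvVars".
my %sample_env = (
    HTTPS             => 'on',
    SSL_CLIENT_VERIFY => 'SUCCESS',
    SSL_CLIENT_I_DN   => '/C=US/O=Example Corp/CN=Example Issuing CA',
    SSL_CLIENT_S_DN   => '/C=US/O=Example Corp/OU=Dev/CN=Alice Example',
);

my ($ok, $info) = authorize_client(\%sample_env, \%ALLOWED);
if (!$ok) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
    print "Access denied ($info)\n";
    exit 0;
}
print "Content-Type: text/plain\r\n\r\nHello, $info\n";
```

Under a real request, pass `\%ENV` instead of the constructed hash; the script still refuses to do anything unless Apache itself reported `SSL_CLIENT_VERIFY` as `SUCCESS`, so the gate is enforced both outside and inside the script.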
