http://www.perlmonks.org?node_id=166875

TexasTess has asked for the wisdom of the Perl Monks concerning the following question:

Is there a way to authenticate who is visiting a page based on their unix ID? Assuming all who visit your page have logon IDs to a unix system, can you write a script in perl/cgi that checks this information when they browse to a page in netscape?

Re: Detect logon ID from Browser
by Cyrnus (Monk) on May 16, 2002 at 00:13 UTC
    For the first part of your question you should put all the pages you wish to protect inside folders and use the .htaccess file to specify users. On my host, which is running apache under Redhat, I have a folder with administrative tools. Two files are used to set up the authorization for that folder; they are as follows (paths changed of course):

    .htaccess
    AuthName Authentication
    AuthType Basic
    AuthUserFile /path/to/protected/directory/.htpasswd
    <Limit GET POST>
    Require valid-user
    </Limit>

    .htpasswd
    usrname:encrypted_password

    Read up on .htaccess files for more info. I believe there is a way for it to use the /etc/passwd file for authentication but am unsure of the specifics.

    For the second part of your question this node http://www.perlmonks.org/index.pl?node_id=107095 contains a piece of code that will tell you what information you can get from the %ENV hash.

    John
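    As an added example (not Cyrnus's code), here is the CGI script that would sit behind the .htaccess above: Apache has already checked the password against .htpasswd and exports the verified login as REMOTE_USER, so the script only has to apply its own accepted-users list. The allow-list file and its one-login-per-line format are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Cyrnus's code: a CGI script living in the directory
# guarded by the .htaccess above. Apache has already checked the password
# against .htpasswd and exports the verified login as REMOTE_USER, so the
# script only has to apply its own allow-list. The list file and its
# format are assumptions.
use strict;
use warnings;
use CGI qw(header escapeHTML);

# Hypothetical allow-list: one login per line, maintained by the tool admin.
my $allowed_file = '/path/to/protected/directory/allowed_users.txt';

sub load_allowed {
    my ($file) = @_;
    open my $fh, '<', $file or die "cannot read $file: $!";
    my %ok;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;   # skip comments and blank lines
        $ok{$line} = 1;
    }
    close $fh;
    return \%ok;
}

# Only REMOTE_USER can be trusted: the browser cannot set it, Apache does
# after a successful Basic auth. A login typed into a form or passed as
# ?user=... is plain client input and can say anything.
my $user = $ENV{REMOTE_USER};
unless (defined $user && length $user) {
    print header(-status => '401 Unauthorized');
    print "Not authenticated.\n";
    exit;
}

my $allowed = load_allowed($allowed_file);
unless ($allowed->{$user}) {
    print header(-status => '403 Forbidden');
    print "User ", escapeHTML($user), " is not on the access list.\n";
    exit;
}

print header();
print "Welcome, ", escapeHTML($user), ".\n";
```

    The same REMOTE_USER variable is available via CGI.pm's remote_user() call; either way it is only populated once Apache has authenticated the request.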

      Hey! Thanks for the quick reply! Let me expand my question a little bit... I am going to require the user to enter a logon id before they are granted entry, I then want to verify that the logon ID and the individual entering are one and the same..then check to see they are on the list of accepted users. I don't want to check passwords nor do I want to require a password to gain entry.... Is this a bit clearer? Thanks in advance..
        Unfortunately, what you're looking for may not be possible. The problem is, it's really trivial for a browser to fake information like that; you'd be diving head first into a security nightmare.

        There may be a way around that though, but it might cost a few dollars. In the same way that a web server needs a digital certificate in order to do secure transactions, browsers can be given certificates too, in order to verify a person's identity. You'd have to go through a company like Verisign to do that, and you might end up spending $50 a user or so. On the server end, you could have some code to check the certificate the browser is presenting you with. If you recognize the certificate, you could authenticate them.

        That's about the only way you can verify a user's identity without asking for a password. And then, that only works so long as the user doesn't have their certificate stolen ;-)

        Hope that helps!
        -Eric

        --
        Lucy: "What happens if you practice the piano for 20 years and then end up not being rich and famous?"
        Schroeder: "The joy is in the playing."
        Hi,
        I was recently in a similar position to you - needing an authentication system to be used in an internal intranet, and I really didn't like the idea of a password system - after all, we're a small friendly company, where everybody knows everybody else, and we can all be trusted, right?
        Your users, like mine, probably can be trusted, but I think that authentication is about more than just trust.

        I ended up building a system based on Apache::AuthCookie that required passwords and usernames, which works pretty damn well. To my surprise, there was not a murmur of complaint from the users - in fact the authentication has proved to be useful by providing accountability: "Ah, Fred moved this frobulator last Tuesday, I'll go talk to him"
        Basically, authentication systems can be well worth the effort, and a password-based system doesn't have to be that hard to use, so I'd advise thinking about whether the standard username/password combo would really be that much of a problem.
        This is total and utter opinion, so feel free to ignore my ramblings :-)
        cheers.
        davis
        Is this going out live?
        No, Homer, very few cartoons are broadcast live - it's a terrible strain on the animator's wrist
      First, thanks to all who have replied to this request

      I think I have figured out how I am going to implement my system. The logon accounts preset certain netscape parameters, and I checked it out today. In the preferences section there is an option to use your email address as a password for anonyomous (gosh I can't spell!) FTP. I think I can get that information by making the request (not sure about this..didn't have time to research it) and verifying that their logon is in the list provided by the administrator of the tool. I can also take this information and set it to a variable to sign any entries they make, and I think it will work. I tried changing my settings today and as soon as I rebooted it reset to the defaults, so a user would really have to be deliberately deviant to trick the system. I really have little concern for security on this intranet and my users already have a chitload of passwords to remember..each one has at least 7 or 8 so I don't want to force any more.

      Any thoughts on this idea would be greatly appreciated!

      TexasTess :-)
Re: Detect logon ID from Browser
by mattr (Curate) on May 16, 2002 at 06:03 UTC
    Generally the answer is no, but.. technically I think the answer might be yes if you can get your user to run a program (written in Perl though they don't need to know) to do so.

    With the getpwuid command in Perl (or unix command line) you can get your login. I suppose the script could send this information in an encrypted signed hash as a cgi parameter to your server-side cgi program.

    The information could be sent by having the client-side script open this composed URL in netscape. I sometimes use the following to open a picture in netscape.. probably this wouldn't be secure if you can read the source or replace it with your own script, so no guarantees. Also the URL would go out as cleartext if you are not running ssl.

    cat /sbin/nsopen
    #!/usr/bin/perl
    use strict;
    use warnings;
    # the URL to open is the script's first argument
    my $in = shift or die "usage: nsopen URL\n";
    # list form of system: no shell is involved, so the URL is passed to
    # netscape as a single argument rather than being parsed by the shell
    system 'netscape', '-remote', "openURL($in)";

    The above code just opens a page in Mozilla. Possibly this kind of thing could be done in Windows too.

    Update: I was thinking that this was a closed environment where you are running the server and everyone is logged in to it already. Otherwise, as Zaxo mentioned this is probably not a snooper script you will be able to get people to install. Was thinking of X based gui clients for astronomy or the mysql gui. Maybe not applicable to what you want to do.
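    As an added example (not mattr's code), here is the "signed hash as a CGI parameter" idea with both sides in one file: the client signs its getpwuid login and a timestamp with an HMAC, and the server recomputes the HMAC and checks freshness before accepting the login. The shared secret is an assumption, and it is exactly the weakness mattr points at: anyone who can read the client script can mint their own tokens.

```perl
#!/usr/bin/perl
# Added example, not mattr's code: the "signed hash" idea with both sides in
# one file. Client side, getpwuid gives the unix login, which is signed with
# an HMAC over login and timestamp; server side, the HMAC is recomputed and
# the timestamp checked for freshness. The shared secret is an assumption
# and is the weak point: whoever can read the client script can forge tokens.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'replace-with-a-real-shared-secret';   # assumed, not from the thread
my $MAX_AGE = 60;                                     # seconds a token stays valid

# --- client side: build the CGI query string ---------------------------------
sub make_token {
    my ($login, $now) = @_;
    my $sig = hmac_sha256_hex("${login}:${now}", $SECRET);
    return "user=${login}&ts=${now}&sig=${sig}";
}

# --- server side: verify what arrived in QUERY_STRING -------------------------
sub verify_token {
    my ($query, $now) = @_;
    my %p = map { my ($k, $v) = split /=/, $_, 2; ($k, $v // '') } split /&/, $query;
    return (0, 'missing field') unless defined $p{user} && defined $p{ts} && defined $p{sig};
    return (0, 'bad login')     unless $p{user} =~ /^[A-Za-z0-9._-]+$/;
    return (0, 'bad timestamp') unless $p{ts} =~ /^\d+$/;
    return (0, 'stale token')   if abs($now - $p{ts}) > $MAX_AGE;
    my $expect = hmac_sha256_hex("$p{user}:$p{ts}", $SECRET);
    # constant-time compare, so timing does not reveal how many bytes matched
    return (0, 'bad signature') unless length($expect) == length($p{sig});
    my $diff = 0;
    $diff |= ord(substr $expect, $_, 1) ^ ord(substr $p{sig}, $_, 1) for 0 .. length($expect) - 1;
    return $diff ? (0, 'bad signature') : (1, $p{user});
}

my $login = getpwuid($<);                     # the unix login on the client
my $token = make_token($login, time);
my ($ok, $what) = verify_token($token, time);
print $ok ? "accepted $what\n" : "rejected: $what\n";

# a tampered copy (login changed, signature kept) is rejected
(my $forged = $token) =~ s/user=[^&]*/user=root/;
($ok, $what) = verify_token($forged, time);
print $ok ? "accepted $what\n" : "rejected: $what\n";
```

    Run over plain HTTP the token travels in cleartext, as mattr notes, and a captured one can be replayed until the freshness window closes.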

      This would be in a closed environment where spoofing a username would not be a concern, it's going to be on an intranet where there is no "world" access. I'm going to try messing around with the code you've provided but will start developing login/passwords in the meantime..thanks for your advice..if you think of anything else...I'd love to hear it! TexasTess "Great spirits often encounter violent opposition from mediocre minds" --Einstein
        Got logons/passwords working with a cookie tracker today..I have a co-worker who is a whiz with encryption keys that developed a nifty bit of code for protecting the passwords. Thanks again for your help, I am SOO glad I found this site..it's great!

        TexasTess
        "Great Spirits Often Encounter Violent Opposition From Mediocre Minds" --Albert Einstein