| 1 |
On Tuesday 19 Jan 2016 15:59:25 Grant wrote: |
| 2 |
> >> > I'm sorry, I meant can I lock down access to my web stuff so that a |
| 3 |
> >> > particular user can only come from a particular device (or from any |
| 4 |
> >> > device containing a key). |
| 5 |
> > |
| 6 |
> > You can use apache client authentication with SSL certificates only. Of |
| 7 |
> > course you will need to create a self-signed CA, which you will use to |
| 8 |
> > create the web server public/private key pair and also sign each client's |
| 9 |
> > certificate and upload it along with your CA certificate to the user's |
| 10 |
> > browser. This explains the principle: |
| 11 |
> > |
| 12 |
> > http://wiki.cacert.org/HELP/9 |
| 13 |
> > |
| 14 |
> > |
| 15 |
> > Ditto with the VPN connection - should you still want to use VPN. |
| 16 |
> |
| 17 |
> Let me see if I'm following. I could create a certificate and point |
| 18 |
> the browser to it in config and configure my web server to require the |
| 19 |
> certificate for HTTP basic authentication? |
| 20 |
|
| 21 |
Well, yes, but it won't be HTTP. It will be HTTPS. The server will request a |
| 22 |
client certificate, verify that it has been signed by the CA you defined in |
| 23 |
SSLCACertificateFile and allow it to access the web directory. You can allow |
| 24 |
different certificates per directory on your server, if you so wish and define |
| 25 |
in SSLRequire directive which SSL_CLIENT_S_DN_OU values are acceptable; e.g. |
| 26 |
|
| 27 |
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Grant's Software, Ltd." \ |
| 28 |
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"} |
| 29 |
|
| 30 |
|
| 31 |
You will need to have the Client Certificate and private key imported in the |
| 32 |
user's browser, or in MSWindows also import them using certmgr.msc to make |
| 33 |
them available to any Windows-centric applications. |
| 34 |
|
| 35 |
|
| 36 |
> Can I require a |
| 37 |
> username/password along with the certificate? Can I require the |
| 38 |
> certificate only for certain users? |
| 39 |
|
| 40 |
Yes, but for specifics have a look under SSLOptions: |
| 41 |
|
| 42 |
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions |
| 43 |
|
| 44 |
Read FakeBasicAuth and StrictRequire. So, for example: |
| 45 |
|
| 46 |
SSLOptions +FakeBasicAuth +StrictRequire |
| 47 |
|
| 48 |
will allow client SSL certificate authentication as an alternative to Basic |
| 49 |
passwd authentication. |
| 50 |
|
| 51 |
|
| 52 |
> > If a user certificate is lost of feared compromised, you revoke it with |
| 53 |
> > your CA and upload the CRL to the server. |
| 54 |
> > |
| 55 |
> > However, this won't do away with XSS, or other similar attack vectors if |
| 56 |
> > the users are not careful with their browsing habits. |
| 57 |
> |
| 58 |
> Can you give me an example? |
| 59 |
|
| 60 |
If your coder has another website page open in his/her browser which contains |
| 61 |
for example XSS or CSRF code, then the webpage of your company's web app could |
| 62 |
be potentially compromised by your user inadvertently executing state changing |
| 63 |
commands on it. By providing a XSS payload the attacker could execute |
| 64 |
commands to change username/passwd, change email address, etc. This is one |
| 65 |
reason that Internet Banking providers always advise their users to log out |
| 66 |
and then exit their browser when they have finished their online banking. |
| 67 |
|
| 68 |
-- |
| 69 |
Regards, |
| 70 |
Mick |
Archives