On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
> >> > I'm sorry, I meant can I lock down access to my web stuff so that a
> >> > particular user can only come from a particular device (or from any
> >> > device containing a key).
> >
> > You can use apache client authentication with SSL certificates only. Of
> > course you will need to create a self-signed CA, which you will use to
> > create the web server public/private key pair and also sign each client's
> > certificate and upload it along with your CA certificate to the user's
> > browser. This explains the principle:
> >
> > http://wiki.cacert.org/HELP/9
> >
> >
> > Ditto with the VPN connection - should you still want to use VPN.
>
> Let me see if I'm following. I could create a certificate and point
> the browser to it in config and configure my web server to require the
> certificate for HTTP basic authentication?

Well, yes, but it won't be HTTP. It will be HTTPS. The server will request a
client certificate, verify that it has been signed by the CA you defined in
SSLCACertificateFile and allow it to access the web directory. You can allow
different certificates per directory on your server, if you so wish, and define
in the SSLRequire directive which SSL_CLIENT_S_DN_OU values are acceptable; e.g.

SSLRequire %{SSL_CLIENT_S_DN_O} eq "Grant's Software, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"}


You will need to have the Client Certificate and private key imported in the
user's browser, or in MSWindows also import them using certmgr.msc to make
them available to any Windows-centric applications.


> Can I require a
> username/password along with the certificate? Can I require the
> certificate only for certain users?

Yes, but for specifics have a look under SSLOptions:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

Read FakeBasicAuth and StrictRequire. So, for example:

SSLOptions +FakeBasicAuth +StrictRequire

will allow client SSL certificate authentication as an alternative to Basic
passwd authentication.


> > If a user certificate is lost or feared compromised, you revoke it with
> > your CA and upload the CRL to the server.
> >
> > However, this won't do away with XSS, or other similar attack vectors if
> > the users are not careful with their browsing habits.
>
> Can you give me an example?

If your coder has another website page open in his/her browser which contains
for example XSS or CSRF code, then the webpage of your company's web app could
be potentially compromised by your user inadvertently executing state changing
commands on it. By providing an XSS payload the attacker could execute
commands to change username/passwd, change email address, etc. This is one
reason that Internet Banking providers always advise their users to log out
and then exit their browser when they have finished their online banking.

--
Regards,
Mick
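The pieces Mick names above (SSLCACertificateFile, the CRL, a per-directory SSLRequire, and SSLOptions +FakeBasicAuth +StrictRequire) fit together in one Apache 2.4 virtual host as follows. This is an added example, not configuration from the thread or from Apache's own docs; the file paths, ServerName, directory names, and the user file are assumptions.

```apache
# Added example (not from the thread): Apache 2.4 vhost that requires a client
# certificate signed by a private CA, restricts one directory to the O/OU values
# Mick uses, and lets another directory accept the certificate in place of a
# Basic-auth password. Paths, hostnames and directory names are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/private/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key

    # Trust anchor for client certificates: the self-signed CA certificate.
    SSLCACertificateFile    /etc/ssl/ca/ca.crt

    # CRL published by that CA. A revoked client certificate is refused during
    # the TLS handshake; SSLCARevocationCheck must be set or the CRL is ignored.
    SSLCARevocationFile     /etc/ssl/ca/ca.crl
    SSLCARevocationCheck    chain

    # Every request to this vhost must present a certificate chaining to the CA.
    SSLVerifyClient require
    SSLVerifyDepth  1

    DocumentRoot /var/www/app

    # Open to any holder of a CA-signed certificate from the listed OUs.
    <Directory /var/www/app/dev>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Grant's Software, Ltd." \
               and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Testers", "Dev"}
    </Directory>

    # Here the certificate stands in for the Basic-auth password:
    # +FakeBasicAuth turns the certificate's Subject DN into the username and
    # looks it up in AuthUserFile, where the stored password must be the literal
    # word "password"; +StrictRequire makes a failed SSLRequire deny access even
    # if another Require/Satisfy rule would have allowed it.
    <Directory /var/www/app/admin>
        SSLOptions +FakeBasicAuth +StrictRequire
        SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Staff"
        AuthType Basic
        AuthName "Admin area"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/cert-users
        Require valid-user
    </Directory>
</VirtualHost>
```

An entry in the assumed /etc/apache2/cert-users file pairs the DN with a hash of "password", for instance `CN=alice,OU=Staff,O=Example Org,C=GB:xxj31ZMTZzkVA` (constructed DN; the right-hand side is the crypt() form of "password" quoted in the mod_ssl documentation, and any hash format the file provider accepts works). The username must match the DN string exactly as mod_ssl formats SSL_CLIENT_S_DN, which in 2.4 defaults to the RFC 2253 comma-separated style unless +LegacyDNStringFormat is set, so copy it from a log line or `%{SSL_CLIENT_S_DN}x` rather than typing it by hand. SSLRequire still works in 2.4 but is marked deprecated there in favour of `Require expr`, which accepts the same variables.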