Two-for-One Paranoid Module Request

These are old archives. They are kept for historic purposes only.
Post Reply
Posts: 46
Joined: Tue Jun 07, 2005 7:28 am

Two-for-One Paranoid Module Request

Post by sdamon »

Module Request: Multifactor Authentication
Provide a means where multiple authentications are required to do an action that requires a password.

In my vision of implementation, this would work as follows:
In an example vhost block, the password is set the arbitrary name of a “multifactor authentication configuration block”, and the auth-type would be set to something along the lines of “multifactor;”. The named “multifactor authentication configuration block” would contain a block name (obviously), a block value with the arbitrary name assigned it, and 1 or more of the currently implemented password directives. When all the criteria for the password directives is satisfied, a mode is set (or some other more secure means) that would indicate successful authentication, allowing the user to activate the passworded command (in this example, vhost). In this manor, a user with access to multiple passworded commands could authenticate only once, and receive access, though this is NOT the point.

The point is, after all, multifactor authentication. Unreal already has some multifactor authentication built in. When so configured, a user must connect from a specified host and provide the correct command to authenticate.

This module doesn’t make a whole lot of sense if you use just a couple of passwords in the authentication block. It does make sense if one of the password directives is ssl keyshareing. With such a module you could authenticate a user with triple factor authentication: something they know (password), where they are (their hostmask), and what they are connecting with (ssl on a client configured to provide a known certificate).

EDIT: The means for password based authentication is non-obvious. One method could be a "pass along", sending the password portion of the, example, vhost command to the multifactor authentication module, to be used for one of the passwords in question. another method could be a /password command that would match the input against the list of authentication types. the command would be repeated until all passwords have been satisfied, and the aforementioned mode or secure identifier is set, and the user can /vhost to their hearts content, unrestrained by the password portion of that command altogether (much like SSL keyshareing is now).

I said this is a two for one request, so here’s two…

Module Request: OpenID Password directive
Provide a means for authentication via OpenID, an open authentication framework allowing authentication to be done by remote parties.

Now, this doesn’t make sense for say, using your yahoo account’s OpenID (their implementation of the server wouldn’t really allow it anyways), but it does make sense for using VeriSign’s football, or a YubiKey.

The password directive would, to my understanding of OpenID, take the authenticated name as the value, and an arbitrary name set by the module as the authentication type (in my vision, “openid”. I am not very creative when it comes to naming directives).

The authentication process would be as follows:
The user enters a command that requires a password. For the password, the user provides an OpenID URL (or optionally, only the individualized portion of the URL if the server is configured to ONLY check against one OpenID service). For services like the one provided for the YubiKey and the VeriSign football, the individualized portion will include all that it needs for authentication, and return immediately with a positive or negative authentication response, along with the authenticated name. Other services may provide similar functionality, but this is on a per-server basis. For example Yahoo’s OpenID services require web based authentication and thus would be unsuitable for this implementation.

Now these two kinda make sense together in a paranoid way.
Post Reply