Management of Samba

John Blair jdblair at frodo.tucc.uab.edu
Tue Mar 24 15:25:00 GMT 1998


> > (1) can be handled with SWAT, although most administrators would agree that
> > it is not as simple to use as it could be - And never will be overly simple
> > due to gaping holes in HTML that reduce functionality.
> 
> I'd be interested in what holes you are thinking of here. My plan at
> the moment is to use javascript to fill any really obvious interface
> holes, while trying to leave it fairly functional with non-javascript
> browsers. (for example, javascript is currently used for the
> auto-refresh code)
> 
> The big one I've pondered lately is authentication. HTTP
> authentication really is rather poor, with only https being a good
> general solution. Unfortunately https can only be used with MSIE if
> you pay a commercial certificate provider (a _really_ disgusting move
> by MS I think).

I wrote an MD5-based authentication widget in Java about a year ago.  I
used it to implement a standard challenge-response authentication system,
with the password stored in plaintext locally.  Access control also had to
be implemented separately.  I handled this by imbedding hashes in <hidden
...> fields.  It wasn't perfect-- it was possible for somebody to hijack
the "chain of transactions," but it wasn't possible for somebody to re-use
a transaction.  The best solution I came up with for this problem was to
imbed an applet on every page (relying on caching to keep things fast) and
re-authenticating every time.  My practical solution was to authenticate
the user, then allow further connections from the same IP address (with
the right hash in the hidden field) until the user "logged out" or a timer
expired.  Obv., far from ideal, especially if the user is connecting from
a multi-user machine.

My hurdle at the time was that I didn't want the user to have to enter a
password every time, and I didn't know a secure way to pass a password
from one page to the next.  Pretty soon the need for the app passed (I
opted for https) and I forgot about it.  However, since then I learned how
to use frames.  I think it would be possible to keep the authentication
applet alive in one frame and have the other page query the auth applet
for the correct hash to gain access via javascript.  Every request could
then be considered separately-- no need to store state information about
the connection on the server, which simplifies things considerably.

I bring this up b/c I wrote it pretty quickly (especially considering that
it was my first Java app) b/c I found an MDx library on gamelan that
implemented MD4 and MD5.  I might still have the code around (no promises
:). With some unicode conversion, this same library could be used to
implement NT-style password auth.  This would let SWAT authenticate users
against the smbpasswd file.  This would be very slick, and would let you
keep 99% of the action on html and javascript, where it's easy and fast to
develop.

later,
 -john.

---------------------------------------------------------------------
John D. Blair          (sys|net)admin, the university computer center
mailto:jdblair at uab.edu                    u. of alabama at birmingham
phoneto:(205) 975-7123                        (my other car is a cdr)
---------------------------------------------------------------------
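
The stateless per-request challenge-response idea from the message above, as an added example (not code from the original post or from SWAT). It swaps HMAC-SHA-256 in for the post's bare MD5; the function names, the key, the user table and the 30-second window are all assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)                  # constructed: key that signs challenges
USERS = {"admin": b"constructed-password"}   # constructed: server-side secret table
MAX_AGE = 30                                 # assumed freshness window, in seconds

def _mac(key, *parts):
    # Length-prefix every field so bytes cannot slide between fields.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time compare

def issue_challenge(now=None):
    """Server: the challenge carries its own MAC, so nothing is stored."""
    ts = str(int(time.time() if now is None else now))
    nonce = os.urandom(8).hex()
    return ".".join((ts, nonce, _mac(SERVER_KEY, ts.encode(), nonce.encode())))

def sign_request(password, challenge, method, path, body):
    """Client (the applet's role): bind the response to this exact request."""
    return _mac(password, challenge.encode(), method.encode(), path.encode(), body)

def verify_request(user, challenge, method, path, body, response, now=None):
    """Server: recompute everything from the request; no session lookup."""
    now = time.time() if now is None else now
    try:
        ts, nonce, tag = challenge.split(".")
        age = now - int(ts)
        issued = _same(tag, _mac(SERVER_KEY, ts.encode(), nonce.encode()))
    except ValueError:
        return False                          # malformed challenge
    if not issued or not 0 <= age <= MAX_AGE:
        return False                          # forged, stale or future-dated
    password = USERS.get(user)
    if password is None:
        return False                          # unknown user
    return _same(response, sign_request(password, challenge, method, path, body))
```

Because the server keeps no state here, an identical request replayed inside `MAX_AGE` still verifies; rejecting that requires a server-side cache of nonces already seen.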



