#404 (ok 3.1) SweKey Hardware Authentication Key

closed-accepted
1
2008-11-28
2008-05-26
Luc Andre
No

This patch allow the use of the Feebee Hardware Usb Authentication Key.
The hardware authentication is enabled only if a file "feebees.conf" is detected next to index.php.
The hardware authentication is enabled only for auth_type = cookie yet.
Changes are very minimal in the existing code (only cookie.auth.lib.php is affected), all the specific code has been centralized
in the libraries/auth/feebee directory.
The Feebee authentication key is not commercialized yet but I can send free samples if required for testing.
3 users strings exist but are not localized yet.

Discussion

1 2 > >> (Page 1 of 2)
  • Luc Andre

    Luc Andre - 2008-05-26

    tortoise generated patch file

     
  • Marc Delisle

    Marc Delisle - 2008-05-27

    Logged In: YES
    user_id=210714
    Originator: NO

    Maybe some strings can be put in config.inc.php (and libraries/config.default.php), like the domain name of the token server and the name and location of feebees.conf (in case a sysadmin installs many versions of PMA and wants to avoid duplicating this file).

    Also, this works only on Internet Explorer, right? (because of the ActiveX requirement).

     
  • Luc Andre

    Luc Andre - 2008-05-27

    Logged In: YES
    user_id=2097087
    Originator: YES

    The domain name for authentication server will never change, the access to all our servers is (and will remain) free of charges.

    I'll add the following line in config.inc.php
    $cfg['Servers'][$i]['auth_feebee_config'] = './feebees.conf';

    The supported browsers are IE (ActiveX), Firefox (plugin) and Safari (plugin)

     
  • Marc Delisle

    Marc Delisle - 2008-05-28

    Logged In: YES
    user_id=210714
    Originator: NO

    A reference for the Firefox plugin, please?

     
  • Luc Andre

    Luc Andre - 2008-05-28

    Logged In: YES
    user_id=2097087
    Originator: YES

    You can find the reference to the plugin in the code:
    <embed type="application/fbauth-plugin" width=1 height=1 hidden="true" id="fbauth"><br>

    If the user plugged a key you can be sure that theplugin is installed on the PC because our usb key uses an auto-install mechanism that install all the required software when plugged.

     
  • Michal Čihař

    Michal Čihař - 2008-06-01

    Logged In: YES
    user_id=192186
    Originator: NO

    Just a quick review of the patch:

    - please use PMA_Message::error instead of duplicating code
    - $user_input_disabled breaks XHTML
    - would not be better to have separate auth method instead of mixing up with cookie?
    - comment on top of libraries/auth/feebee/fbauth.php seems to be incomplete
    - you try to read /tmp/feebee-rnd-token while you write to /tmp/rnd-token (anyway using hard coded file names is a bad idea, security issue and will fail on Windows)
    - what is reason for getting "random" tokens over http? can not they be generated locally?
    - please use php doc style comments, so that documentation can be generated automatically
    - please include documentation on how authentication actually is supposed to work
    - I don't know what key in FbAuth_SetUnplugUrl is actually used for, but IMHO it should include some identification of phpMyAdmin instance to avoid mixing up different phpMyAdmin installations

     
  • Luc Andre

    Luc Andre - 2008-06-02

    Logged In: YES
    user_id=2097087
    Originator: YES

    > - please use PMA_Message::error instead of duplicating code
    The error messages are not localized yet, that's why I didn't use it.

    > - $user_input_disabled breaks XHTML
    What can I use as a replacement to force a text input to be read only ?

    >- would not be better to have separate auth method instead of mixing up
    > with cookie?
    No, because Feebee Authentication is an add-on to the cookie authentication and also requires the cookie code.
    I plan to add it to the http authentication too.

    > - comment on top of libraries/auth/feebee/fbauth.php seems to be
    > incomplete
    I'll fix it

    > - you try to read /tmp/feebee-rnd-token while you write to /tmp/rnd-token
    > (anyway using hard coded file names is a bad idea, security issue and will
    > fail on Windows)

    Using temp file to store the random token is just an optimization and can fail.
    I'll fix the code anyway for the next release (the code will be in fbauth.php)

    > - what is reason for getting "random" tokens over http? can not they be
    > generated locally?

    No, that's a security issue since the randon token can only be created by an authentication server and remains usable only 2 minutes.

    > - please use php doc style comments, so that documentation can be
    > generated automatically

    I'll fix it

    > - please include documentation on how authentication actually is supposed
    > to work

    I'll put a link on the documentation from our web site as soon as it will be completed.

    > - I don't know what key in FbAuth_SetUnplugUrl is actually used for, but
    > IMHO it should include some identification of phpMyAdmin instance to avoid
    > mixing up different phpMyAdmin installations

    The unplug url is called when a key is phisically unpluged from the user's computer.
    The key is the PHP session_id and I unset it to force a relogin (since unplugging the key is considered as an logout).

    Thanks for your feedback,

    Luc

     
  • Marc Delisle

    Marc Delisle - 2008-06-06
    • assigned_to: nobody --> lem9
     
  • Marc Delisle

    Marc Delisle - 2008-06-06

    Logged In: YES
    user_id=210714
    Originator: NO

    * To be XHTML-compliant, use
    readonly="readonly"

    * for temp file, you can verify the PMA_IS_WINDOWS constant (see import.php)

    * I got your key samples, will you provide a new patch version soon?

     
  • Luc Andre

    Luc Andre - 2008-06-09

    Logged In: YES
    user_id=2097087
    Originator: YES

    Thanks for you comments.
    The proposed changes have been done and I enclosed the new version of the patch.

    Changes:
    - PMA_Message::error is used for error messages
    - configuration file location is no longer hardcoded ($cfg['Servers']['auth_feebee_config'])
    - Fixed XHTML compatibility problem
    - Last version of fbauth.php has been used with php doc comments
    - No longer hardcode temp dir, we use (sys_get_temp_dir() when available)

    Thanks,

    Luc
    File Added: feebee_authentication_v2.zip

     
  • Marc Delisle

    Marc Delisle - 2008-06-10

    Logged In: YES
    user_id=210714
    Originator: NO

    Tried patch v2 under PHP 5.2.6:
    PHP Fatal error: Cannot redeclare feebee_auth_check() (previously declared in phpMyAdmin/libraries/auth/feebee/feebee.auth.lib.php:6) in /phpMyAdmin/libraries/auth/feebee/feebee.auth.lib.php on line 134

     
  • Luc Andre

    Luc Andre - 2008-06-10

    Logged In: YES
    user_id=2097087
    Originator: YES

    Sorry, but I think this is a well known tortoise bug when the patch contains new files.
    The path is applyed twice to the new files and their size is doubled.
    You have to remove the second (or first) half of each new file to make it work.
    I don't know if it is a patch maker or a patch applier bug.

    Sorry for the inconvience,

    Luc

     
  • Marc Delisle

    Marc Delisle - 2008-06-10

    Logged In: YES
    user_id=210714
    Originator: NO

    I see. Also:

    - you need to add
    $cfg['Servers'][$i]['auth_feebee_config'] = '';
    in libraries/config.default.php (with some doc) to avoid a "undefined index" warning

    - To test it, is this the only configuration parameter needed? I applied the patch, removed the double lines, added
    $cfg['Servers'][$i]['auth_feebee_config'] = './feebees.conf';
    to my config.inc.php, never connected the key. With no key plugged, I am not refused access.

     
  • Luc Andre

    Luc Andre - 2008-06-10

    Logged In: YES
    user_id=2097087
    Originator: YES

    I didn't know about the config.default.php files, I only modfied the config.sample.inc.php
    I'll fix it

    Do activate the hardware authentication the './feebees.conf' file MUST exists.
    The patch contains a 'feebees.sample.conf' that explain the format of the file.

     
  • Marc Delisle

    Marc Delisle - 2008-06-10

    Logged In: YES
    user_id=210714
    Originator: NO

    The file ./feebees.conf exists but I don't know what to put in it.

     
  • Luc Andre

    Luc Andre - 2008-06-10

    Logged In: YES
    user_id=2097087
    Originator: YES

    Here is the feebees.sample.conf (I thought I added it in the patch but I may be wrong)

    To get the id of your feebee just go on the http://auth-sample.musbe.com page while your feebee is connected.
    File Added: feebees.sample.conf

     
  • Marc Delisle

    Marc Delisle - 2008-06-11

    Logged In: YES
    user_id=210714
    Originator: NO

    There was a feebees.sample.conf included but it lacked the important phrase "to get the id of your feebee...". Now I can proceed to test.

    P.S. when I got the mail from "Musbe Operation Center", as seen in Thunderbird it was all blank. I had to check the mail source code to see the link to click. Please fix this :)

     
  • Marc Delisle

    Marc Delisle - 2008-06-11

    Logged In: YES
    user_id=210714
    Originator: NO

    Ok it works well for me. When I unplug I can still continue to work in phpMyAdmin, is this normal? (tested in IE7 and FF 2).

     
  • Marc Delisle

    Marc Delisle - 2008-06-11

    Logged In: YES
    user_id=210714
    Originator: NO

    Do you agree if I put feebees.sample.conf into our contrib directory, with some mention of it in contrib/README including a URL to your company's website?

    Also, I'll need some doc for Documentation.html.

     
  • Luc Andre

    Luc Andre - 2008-06-11

    Logged In: YES
    user_id=2097087
    Originator: YES

    That's ok for me.

    I'll also submit documentation as soon as I will got it.

     
  • Michal Čihař

    Michal Čihař - 2008-06-12

    Logged In: YES
    user_id=192186
    Originator: NO

    Few more concenrs about security of this solution (I did not look in much details at the code and there is no documentation how it really works, so maybe I missed something):

    1. Is there some protection against faking authentication server? From quick look faking server with something what replies "HTTP/1.0 200 OK\n\nOK" to every request might do the job.

    2. File feebees.conf should not be accessible over web as I think token IDs should not be publicly available.

     
  • Luc Andre

    Luc Andre - 2008-06-12

    Logged In: YES
    user_id=2097087
    Originator: YES

    You are right for http, "OK" can be faked using ip masquerading but we have optional access to https authentication servers. I'll add a new configuration variable to be able to customize the server name.

    For token ids, you don't care if they are publicly available, you can't do anything with a stolen id.

    Thanks for your feedback.

    Luc

     
  • Michal Čihař

    Michal Čihař - 2008-06-13

    Logged In: YES
    user_id=192186
    Originator: NO

    Simply changing URL to https without certificate verification changes exactly nothing. Setting up http or https server is not a difference.

     
1 2 > >> (Page 1 of 2)

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks