[Swan] UPDATE Re: Authentication with pam_url and nonces
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Tue Feb 8 16:17:36 EET 2022
SSLVerifyClient did not exactly work out of the box on our apache2
server, and I don't have
liberty to experiment with it ...
pam_url with HMAC-SHA-2 just works, and I believe it has sound logic:
HMAC-SHA-256 protected the
URL POST fields from tampering in the man-in-the-middle attacks and the
script return code.
However, brute forcing CGI PHP script presents a problem, and mTLS still
seems like a way to do it, if only
I could make it work for me.
Mirsad
On 2/7/2022 7:51 PM, Paul Wouters wrote:
> If you feel the pam TLS calls needs more than server side cert verification, you should look into client authentication, eg mTLS. Don’t invent your own crypto.
>
> Paul
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
More information about the Swan
mailing list