Re: [LANdb] Proposed login system
Well, here's pseudocode for the system that keystone uses - it's pretty
similar to the stuff you've outlined here. It uses the "superuser"
type username/password for connecting to the db, and depends on having a
"secret", which should be a unique string kept as secret as any other
password, defined in the config file. It also uses cookies to pass the
auth strings back and forth - a somewhat better option, IMHO, because
cookies can be set to time out.
person goes to the login page, which clears the auth cookie.
person logs in w/username and password.
script fetches md5'd password from db keyed on username
if md5(submitted password) != password stored in db
    sorry! try again
else
    set auth cookie = username . '_' . md5(username . serverkey . md5'd password)
    forward user to main page

then, for each page, instead of checking username and password,
($user, $hash) = split('_', auth cookie, 2)
fetch password from db keyed on username
if (md5(username . serverkey . password) == $hash)
    grant access
else
    kick 'em out to login page
so there are three sets of credentials here - the username/password that
the scripts use to connect to the db, the server secret key used to
generate the md5 hash, and the username/password that the user knows.
make sense?
--
Frank Sweetser rasmusin at wpi.edu, fs at suave.net
Full-time WPI Network Tech, Part time Linux/Perl guy
What about WRITING it first and rationalizing it afterwords? :-)
-- Larry Wall in <8162@jpl-devvax.JPL.NASA.GOV>
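The two halves of the scheme described in the message above (login page issuing the cookie, every other page checking it), written out as an added Python example. This is not keystone's or LANdb's code; the user table is a constructed in-memory dict standing in for the db lookup keyed on username, `SERVERKEY` is an assumed value for the config-file "secret", and the `Set-Cookie` helper is an addition to show the timeout the message mentions. The only deliberate deviation from the pseudocode is `hmac.compare_digest` in place of `==`, so the hash comparison does not leak timing.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed stand-in for the user table: username -> md5 hex of the password,
# i.e. exactly what the message says the script "fetches md5'd password from db keyed on username".
USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}

# Assumed value for the "secret" defined in the config file.
SERVERKEY = "example-secret-from-config-file"


def md5hex(s: str) -> str:
    """md5 of a string as lowercase hex, the form stored in the db and used in the cookie."""
    return hashlib.md5(s.encode()).hexdigest()


def login(username: str, submitted_password: str, db=USERS, serverkey=SERVERKEY):
    """Login page: returns the auth cookie value on success, None on 'sorry! try again'."""
    stored = db.get(username)
    if stored is None or not hmac.compare_digest(md5hex(submitted_password), stored):
        return None
    # username . '_' . md5(username . serverkey . md5'd password)
    return username + "_" + md5hex(username + serverkey + stored)


def check_cookie(cookie: str, db=USERS, serverkey=SERVERKEY):
    """Every other page: returns the username the cookie vouches for, or None to kick them out."""
    if not cookie or "_" not in cookie:
        return None
    user, presented = cookie.split("_", 1)  # ($user, $hash) = split('_', auth cookie, 2)
    stored = db.get(user)
    if stored is None:
        return None
    expected = md5hex(user + serverkey + stored)
    return user if hmac.compare_digest(expected, presented) else None


def cookie_header(value: str, max_age: int) -> str:
    """Set-Cookie line for the auth cookie; max_age=0 is how the login page clears it."""
    c = SimpleCookie()
    c["auth"] = value
    c["auth"]["max-age"] = max_age
    c["auth"]["httponly"] = True
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(cookie_header("", 0))                      # what the login page sends first
    tok = login("alice", "correct horse")
    print(cookie_header(tok, 300))                   # cookie that times out after 5 minutes
    print(check_cookie(tok))                         # alice
    print(check_cookie("bob_" + tok.split("_", 1)[1]))  # None: hash is bound to the username
```

Note that the cookie value depends only on the username, the server secret and the stored hash, so it is identical from one session to the next; the `Max-Age` on the `Set-Cookie` line is therefore the only thing that bounds how long a given cookie stays accepted, which is why the message's point about cookies timing out matters for this design.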
-------------------------------------
LANdb - Network Management through SQL
To unsubscribe, send email to landb-request@avenir.dhs.org
and put 'unsubscribe' in the subject line
Administrative contact: weez@avenir.dhs.org
-------------------------------------