Alternate login system - Security

This is a discussion on Alternate login system - Security ; I am working on a photo archive system for my school newspaper. I would like to offer users the ability to upload files via SCP, but I don't want people to have full shell access, nor access to the files ...

+ Reply to Thread
Results 1 to 10 of 10

Thread: Alternate login system

  1. Alternate login system

    I am working on a photo archive system for my school newspaper. I would
    like to offer users the ability to upload files via SCP, but I don't
    want people to have full shell access, nor access to the files of other
    users.

    Ideally, user "bud" would login using his normal account info and be
    chroot jailed into his own personal upload directory. He would then
    "claim" any photos with a web interface, importing them into the system.

    I could normally accomplish this with SSH + the chroot patch, but that
    requires that each user have his/her own account on the Linux box. Is it
    possible to have Linux use MySQL or a PHP/Perl script as a driver for
    the login system, requesting login credentials from that script rather
    than the usual /etc/passwd method?

    Otherwise, is there a better way to accomplish what I've described?

    --
    eth'nT

  2. Re: Alternate login system

    Ethan Trewhitt wrote:
    > I am working on a photo archive system for my school newspaper [...]


    > Ideally, user "bud" would login using his normal account info and be
    > chroot jailed into his own personal upload directory. He would then
    > "claim" any photos with a web interface, importing them into the system.


    Why not allow users to upload the photos using this same web interface?
    Your users are not going to uploading more than one or two photos in a
    session, are they?

    Chris

  3. Re: Alternate login system

    Chris Davies wrote:
    > Why not allow users to upload the photos using this same web interface?
    > Your users are not going to uploading more than one or two photos in a
    > session, are they?


    Users will be uploading 10's of MB of photos, at full resolution. HTTP
    upload is currently offered, but even on slower broadband connections
    this is pretty slow. HTTP offers very little status about the progress
    of an upload and doesn't support resuming.

    --
    eth'nT
    http://www.hydrous.net
    aim: courtarro

  4. Re: Alternate login system

    Could you offload the authentication to an LDAP server? That way you
    could still use the chroot patch without having to manage a separate
    authentication mechanism. PAM must be used for this to work though
    (pam_ldap extension).

    OT: Please get Reggie Ball some glasses so he will stop throwing
    interceptions.

    Ethan Trewhitt wrote:
    > I am working on a photo archive system for my school newspaper. I would
    > like to offer users the ability to upload files via SCP, but I don't
    > want people to have full shell access, nor access to the files of other
    > users.
    >
    > Ideally, user "bud" would login using his normal account info and be
    > chroot jailed into his own personal upload directory. He would then
    > "claim" any photos with a web interface, importing them into the system.
    >
    > I could normally accomplish this with SSH + the chroot patch, but that
    > requires that each user have his/her own account on the Linux box. Is it
    > possible to have Linux use MySQL or a PHP/Perl script as a driver for
    > the login system, requesting login credentials from that script rather
    > than the usual /etc/passwd method?
    >
    > Otherwise, is there a better way to accomplish what I've described?
    >


    --
    irish

  5. Re: Alternate login system

    irish wrote:
    > PAM must be used for this to work though
    > (pam_ldap extension).


    Correction: (pam_ldap library).

    I also found this link which may be of help:
    http://www.saas.nsw.edu.au/solutions/ldap-auth-pam.html

    --
    irish

  6. Re: Alternate login system

    Ethan Trewhitt wrote:
    > I am working on a photo archive system for my school newspaper. I would
    > like to offer users the ability to upload files via SCP, but I don't
    > want people to have full shell access, nor access to the files of other
    > users.


    On the creative side, you can use AppArmor to create a shell with
    limited priveledges. Just an option, especially if you use SUSE.

    >
    > Ideally, user "bud" would login using his normal account info and be
    > chroot jailed into his own personal upload directory. He would then
    > "claim" any photos with a web interface, importing them into the system.
    >
    > I could normally accomplish this with SSH + the chroot patch, but that
    > requires that each user have his/her own account on the Linux box. Is it
    > possible to have Linux use MySQL or a PHP/Perl script as a driver for
    > the login system, requesting login credentials from that script rather
    > than the usual /etc/passwd method?


    My soln above assumes the user's have accounts. Certainly you can
    use PAM to authenticate against whatever you want. Another option for
    you to look at.

    >
    > Otherwise, is there a better way to accomplish what I've described?
    >


    Having accounts makes some things easier.... but the PAM idea is
    one way to keep from having to have "normal" user accounts for
    a particular service. Restricting the user somehow after that
    might require a jail or AppArmor though.

  7. Re: Alternate login system

    Chris Cox wrote:
    > Having accounts makes some things easier.... but the PAM idea is
    > one way to keep from having to have "normal" user accounts for
    > a particular service. Restricting the user somehow after that
    > might require a jail or AppArmor though.


    "irish" mentioned the pam_ldap library, and now that I think about it, I
    suppose PAM is the best way to go about this. I have some homework to do
    before I understand fully how PAM works, but it sounds like a step in
    the right direction. Is it possible to create a custom PAM library
    without too much work?

    It might just be easier to write a set of scripts to sync the *nix user
    database with the one stored in MySQL.

    --
    eth'nT
    http://www.hydrous.net
    aim: courtarro

  8. Re: Alternate login system

    irish wrote:
    > Could you offload the authentication to an LDAP server? That way you
    > could still use the chroot patch without having to manage a separate
    > authentication mechanism. PAM must be used for this to work though
    > (pam_ldap extension).


    PAM sounds like a step in the right direction - see my response to Chris
    Cox.

    > OT: Please get Reggie Ball some glasses so he will stop throwing
    > interceptions.


    Haha, I wish I could. He's been the subject of a lot of hate on campus
    this week, so some of us are trying to get a bit more support for him
    going into the ACC tourney. He did, after all, get us this far. UGA has
    a bad habit of trouncing us in a variety of sports even when we're the
    statistical favorite.

    --
    eth'nT

  9. Re: Alternate login system



    Ethan Trewhitt wrote:
    > I am working on a photo archive system for my school newspaper. I would
    > like to offer users the ability to upload files via SCP, but I don't
    > want people to have full shell access, nor access to the files of other
    > users.
    >

    did you know rbash ( Restricted Shell )

  10. Re: Alternate login system

    Ethan Trewhitt wrote:
    > Chris Cox wrote:
    >>Having accounts makes some things easier.... but the PAM idea is
    >>one way to keep from having to have "normal" user accounts for
    >>a particular service. Restricting the user somehow after that
    >>might require a jail or AppArmor though.

    >
    > "irish" mentioned the pam_ldap library, and now that I think about it, I
    > suppose PAM is the best way to go about this. I have some homework to do
    > before I understand fully how PAM works, but it sounds like a step in
    > the right direction. Is it possible to create a custom PAM library
    > without too much work?
    >
    > It might just be easier to write a set of scripts to sync the *nix user
    > database with the one stored in MySQL.
    >


    It's not hard to create your own.. you might want to look at the ones
    out there already.. you may be able to use it without mods... or at
    least use it as a baseline for your own custom mods.

+ Reply to Thread