Ask MetaFilter questions tagged with authentication

iPhone RSS reader that supports SSL and authentication?

aberrant — Sun, 30 Aug 2009 15:33:06 -0800

Anyone know of an RSS reader for iPhone that supports SSL and authentication, and does NOT use an online aggregator? I need an iPhone RSS reader that will handle SSL and authenticated feeds, but it can't use an aggregator (the feed credentials must stay on the iPhone). I've been searching for a while and haven't come up with anything. Anyone come across such an application?

I don't want to Twitter, you twat

educatedslacker — Sun, 12 Jul 2009 17:42:34 -0800

Doesn't Twitter authenticate email addresses when people sign up for new accounts? I was away from my computer for a while today, and when I came back to my email, someone had created a Twitter account using MY email address and started adding/receiving contacts (followers, whatever).

I reset the password and then deleted the account. Moments later I got a request to restore the account.

So Twitter, one of the most popular sites on the whole interwebs (but of which I am NOT a member), really lets people just sign up any email address and start posting immediately without verification of that email address? Doesn't that seem... I don't know... like a terrible idea?

Has anyone else ever dealt with this?

SSL Client Certificates

banshee — Fri, 15 May 2009 08:45:51 -0800

Please help a noob with client-side SSL certificates. What is the process for generating SSL client certs? What kind of information is needed? Who generates them? I have a web server SSL cert installed (IIS), when users try to connect they are prompted to choose their client certificate from a list. (This is the behavior I want). The web server SSL certificate was issued by Entrust.net

WordPress 2.7 and Angsuman’s Authenticated WordPress Plugin

sindark — Tue, 16 Dec 2008 20:10:15 -0800

On one of my WordPress hosted blogs, I previously used Angsuman’s Authenticated WordPress Plugin to restrict access to registered users. After upgrading to WordPress 2.7, the plugin doesn't work anymore. It won't let anybody log in, trapping people in a constant loop of entering (correct) passwords and being returned to the login screen. Does anybody know:

(a) how to alter the plugin so it works with 2.7. I don't want to shell out US$30 for 'Authenticator Plugin Pro' when only about ten people access the site in question.

(b) of another plugin that does the same thing - blocks off a WordPress site to everyone other than registered users with passwords.

Many thanks.

What do i do with all these RSA tokens?

bartleby — Mon, 15 Dec 2008 12:31:24 -0800

I just had a bunch of RSA tokens land in my lap. What's required on the other end of an RSA authentication scheme, and what's a good resource for learning what's necessary to implement it? So we got a mess of these IronKey secure flash drives.

They came with an add-on I hadn't expected - each one has an RSA token generator (software, not hardware) included.

I'd like to roll them into our system, especially to harden access for a Terminal Server. (It's an all-Windows shop.)

But where to get started? New to me, and I'm looking for information about what's involved in implementation, with a focus on doing it yourself or on the cheap.

Authenticate with one domain, authorize with another.

adipocere — Tue, 18 Nov 2008 07:19:51 -0800

In Active Directory, is it possible to direct the act of authenticating a user to one domain, but the subsequent authorization of that user to be handled by another? Situation: For political, non-technical, and unchangable reasons, the users in our domain (Domain A), must now instead authenticate against Domain B. They are not in a forest together.

We retain control of the machines in Domain A. Domain A will still be used for management of machines, and possibly for authorization if we can find a way to pull it off.

Domain B will contain the users, just a giant mass of identities not separated into OUs. We will have no ability to put these users into groups or otherwise administer to Domain B. Account provisioning, some very light information, and password management is handled via Domain B.

Due to a number of vendor issues, we must put all of our users in a single domain (many of these particular applications can only look at one domain for authentication). Therefore, these users go into Domain B. You know, the domain without OUs or groups we can touch.

This means that in our area, our machines will be in Domain A, but the users will be logging in to the machine using Domain B.

Problem #1: We won't be able to put users into groups within Domain B, but almost all of the security in our various applications depends on group assignments. If we could separate authentication from authorization, users could log on to Domain B, but determining what groups, etc., could come from Domain A.

Problem #2: Domain B will not support roaming profiles, but a subset of our users (in a group in Domain A, not an OU, but that could change) need roaming profiles. We want to give users roaming profiles when they're logged onto our machines. Ideally, we'd like to be able to work it such that the roaming profiles are only triggered for the aforementioned group, perhaps pulling said profiles from Domain A.

Problem #1 is more important that Problem #2. I'm at a loss as to where to start with this, as I'm not really an Active Directory person, aside from the ability to manipulate it programmatically. Yes, I am aware that this scenario does not seem like a particularly great idea on the face of it. I'm just looking for technical solutions to what appears to be a technical problem generated by political issues.

Avenues Already Explored:
* Active Directory Federated Services isn't appropriate, as it is web-only.
* Dual sets of accounts could almost work, except for Domain B controlling the passwords.
* Dropping my jaw and blinking cluelessly has also not been effective.

What's the best practice for authenticating Google's crawlers?

futility closet — Wed, 17 Sep 2008 10:27:47 -0800

I manage a website. Some content requires authentication by password or IP. I want Google to crawl that content but not cache it, so that Google users can find it in searches but can't access it without authentication. What's the best way to do this? In 2006 Matt Cutts recommended doing a reverse DNS lookup to verify that a bot's name is in the googlebot.com domain, and then a forward DNS->IP lookup using that googlebot.com name (to thwart spoofers). Is that still the best solution? How do other people manage this?

Can I combine htaccess and session variables from other systems?

jpoulos — Wed, 23 Jul 2008 10:03:34 -0800

Web server question. Can I combine htaccess and session variables from other systems? (more inside) OK, bear with me here--I'm a page developer, not a server admin. I've got an apache system that uses htaccess and a .db file to grant access to particular directories. I've also got a set of users who aren't in the .db file, but will be logging in to another system (salesforce.com) and trying to access those restricted areas. Is there a way to allow the first set of users to continue logging in as always, but to allow a session variable that is established on the salesforce.com site to be passed, allowing this second set of users to access the area without having to log in again?

How do I access the internet through an ISA Server proxy?

mr_silver — Thu, 19 Jun 2008 11:15:31 -0800

I have an application installed on my PC at work that needs to connect to the internet through our ISA Server. The problem it has is that it can't connect directly unless I put in proxy settings. The problem that I have is that the proxy setting is just one long URL with no username or password. How can I get this application to connect? Whenever I connect to the internet with a browser (IE and Firefox) on the work computer (Windows XP) I need to use http://isa.uk.mycompany.com:8080/array.dll?Get.Routing.Script as the automatic proxy configuration URL in the preferences otherwise it refuses to connect.

The application I want to connect to the internet uses HTTP and gives me three options for the proxy: "use default", "direct" and "named proxy". "Use default" and "direct" don't work.

"Named proxy" requires me to enter a proxy server, username and password. I'm guessing that my windows username and password would be for the latter two, but I have no idea what to put for the proxy server.

I've tried putting the long URL in, but that doesn't work. The problem appears to be that it is expecting a server name, not a port number and certainly not a path to a script.

I tried pasting the URL into a browser and it downloaded what looked to be about 300 lines of VB Script. There was nothing in there that gave me much of a clue on what I should use. I also tried running the VB script from the command line but nothing was outputted.

Can anyone offer any insights into what I need to do to work out what the proxy server name would be? Failing that, what else can I do?

Is more simple bank web security better?

rongorongo — Fri, 06 Jun 2008 06:22:15 -0800

I have noticed that there seems to be a split between some banks/financial institutions who maintain complex security around their on-line account access and others who seem to have actively migrated towards a much simpler approach. Is there any evidence that the "simple" approach is either more or less secure than the "complex" one? By "complex" I am talking about institutions that ask their users to memorise several passwords and then ask for one or two of these at random on login. There is also a likelihood that use might be tied to a particular PC with a physical token or a cookie. An additional one-time access code may be required. By "simple" I am talking about cases where users are asked something like "enter characters x, y and z from your password" - and perhaps for one other fixed detail. Users are also able to log in from pretty much any PC they choose.

My guess is that the latter group has lower support costs and less frustrated users. But are there real world difference in the security levels?

How do you set up pub key auth for Dreamweaver's sftp client on a windows box?

jj27 — Thu, 24 Jan 2008 09:27:28 -0800

How do you set up pub key auth for Dreamweaver's sftp client on a windows box? I have clients who want to connect to a unix webserver, that is running openssh, from Dreamweaver's sftp client on a windows box using only public key authentication. Is this possible using Dreamweaver's internal sftp client?

Authentication across Windows, Linux, and Mac

remi — Fri, 11 Jan 2008 06:22:57 -0800

How do you use a single authentication system for different kind of servers, systems, and workstations? We're a small Web development business of less than 20 employees. Currently, we have three local servers:

Server A, using Windows Server 2003, is the "main" server for putting all of our document (including financial data) and most of our projects. For development and testing, we also host Web sites there which require a Windows server, ASP and MS SQL. It's also our main DHCP and DNS server.

Server B, Fedora Core 6, is mainly for hosting projects requiring Linux, PHP or ColdFusion, and MySQL. It's the backup DHCP and DNS server.

Server C, Windows Sever 2003 Web Edition, is for hosting projects requiring ColdFusion and Windows.

We have various kinds of workstations at the office: Windows XP, Windows Vista, Ubuntu, Fedora, and Mac OS X 10.4.

Our biggest annoyance at the moment is authentication. Every employee has a different account for everything. Windows file shares, Linux file shares, Linux shell accounts, MySQL, MS SQL...

Server A already has Active Directory set up, though I'm not too familiar with it. (I'm more of a Linux system administrator.) I tried some ways to combine all one employee's accounts together, but it just won't work. One of the ways I tried was to set up PAM on server B to use LDAP or other mechanisms supposedly supported by the server A, but it doesn't work.

Now, I'm wondering, are there any methods to make the authentication process of every service work together?

I'm not even sure where to start to set this all up. Any suggestions will be appreciated! Thanks in advance!

RADIUS without realms?

doomtop — Wed, 14 Nov 2007 09:15:04 -0800

RADIUS without realms? I have been searching for a solution to this, to no avail. We are using RADIUS to authenticate users for network access using login name/password and @realm.

I would like to do away from the @realm completely, however we use two different RADIUS servers. Which server a user authenticate is currently determined by a RADIUS proxy server using the users @realm.

Is there a way to forward RADIUS requests to the appropriate RADIUS server based on the client IP address?

Or is there a way for a RADIUS proxy to query one server, and not getting a positive response, then query the other server?

Smart Cards for Windows Login?

CrayDrygu — Fri, 21 Sep 2007 09:00:22 -0800

Help me figure out Smart Cards! I work for the IT department of a company looking to use smart cards for Windows domain login. Windows (XP/2003) has built-in support for several brands of smart card. Great, it should be easy! It's not. It's taken me three days just to find some cards that are both still manufactured, and still supported in Windows. These are the Gemalto (aka Axalto aka Gemplus aka Schlumberger) Cryptoflex for Windows XP, and the Gemalto Cryptoflex .Net. But the former isn't supported in Vista (and besides, I can only find one website that sells them anymore, aside from the manufacturer). And the .Net cards are $40 each (the other's $15)!

On top of this, I'm finding it frustratingly difficult to find a USB reader that is both verifiably Plug & Play (I really don't want to install drivers if I don't have to), and is not being sold through a very shady-looking website.

Why is this so difficult? Surely other businesses are using smart cards for login, and not everyone is paying hundreds of dollars per seat for an Enterprise Solution when Windows has built-in support? Or does the built-in support suck so much that an Enterprise Solution is the only realistic option? And if that's the case, well...what's good?

Livejournal authenticated RSS problem

alopez — Sun, 05 Aug 2007 11:57:21 -0800

Livejournal authenticated RSS feeds on Mac OS 10.4.10: why do they keep losing my credentials? May involve Keychain. I have several friends on livejournal who I'd like to read, along with all of my other feeds, using an RSS reader. Subscribing to their friends-only feeds is easy enough, the URL is just http://username.livejournal.com/data/rss?auth=digest. When I add this feed, the RSS reader prompts for my livejournal userid and password on the first refresh of the feed. At this point, the credentials are stored in my keychain and the newsreader should access it whenever it refreshes the feed. However, usually after a couple of days, the credentials are lost, and the RSS reader prompts for the username and password again. This is really irritating since it does this for half a dozen feeds. Some specifics:

I don't have any other authenticated feeds, so I don't know if this is livejournal-specific or a more general problem.
I have tried three newsreaders: Shrook, Vienna, and NetNewswire Lite. They all have the same problem.
At least with NNWL, I know that the credentials are stored in my keychain as an internet login (one for each feed). When I first authenticate, I can check in Keychain Access to see if the login is stored there, and indeed it is. When NNWL starts prompting me again, I look in Keychain Access again and the login is GONE! Why would that happen? No other credentials are lost from my Keychain, and when I run Keychain First Aid, it reports no problems.

Please, please tell me YAAL.

mdonley — Fri, 27 Jul 2007 13:20:47 -0800

I have a question about the authentication of a Cambridge University-issued document by a California lawyer or notary for use in Latvia. I am moving to Latvia at the end of August to teach English. My teaching certificate, the CELTA, was issued by Cambridge University in England a few years ago. Upon being hired by the school in Latvia, its director sent me an email saying "it would be useful if you could start looking into the process of getting your CELTA accredited by a notary or lawyer and either sending it to us or bringing it with you."

I'm rather confused as to how to go about this, as the school's director is British, and I know that notaries in Britain have totally different powers to those in the States - hence his "or" with "notary or lawyer"; presumably he thinks they're similar. Now, Cambridge offers a service where I pay them some amount of money, and they authenticate my results and send that to me or to the school, but I don't know if that will be the same, legally, as getting something official, if that's even possible here. I've seen references to apostilles, but only in reference to public documents like birth and death certificates, not academic results, let alone those issued abroad.

I would ask the director to clarify, but he's on vacation and basically unreachable until a few weeks before I get there, and if I choose to go with the Cambridge certification of my results, I'd need to allow enough time for it to get here so I can present it to an immigration officer or something should I be asked to do so.

I also realize there are probably very few MeFites who've ever had anything to do with Latvia, so my main question is: how can I prove the authenticity of a document issued in another country in a way that will satisfy officials somewhere else? Or might this be a two-step process - first getting the certification from Cambridge sent to me, and then having a notary or lawyer in Britain (where I could theoretically stop en route to Latvia) accredit the certification?

Thanks for your help, if anyone dares to respond to such a bizarrely technical question.

What's the Secret Password?

kaizen — Fri, 27 Apr 2007 16:51:36 -0800

How exactly does authentication work in a website like Basecamp, or more generally, a site built on Rails or LAMP. When I sign-up, I enter a username and password. I presume this is stored in a database table. But after that, how does the server know who I am during the course of my 'visits' and how does the SQL database know what I have access to ( only my projects ) and what I don't have access to ( Other peoples projects)? Where do cookies, if at all, come into play. If cookies do come into play, can they not simply be forged? I am completely clueless regarding the subtleties of authentication, user sessions, and security. Please enlighten me.

How do you access MS Access in a different domain?

chill — Thu, 15 Mar 2007 07:50:17 -0800

I'm trying to get my head around some Microsoft Access security issues, and could use some help. My company has a website (on IIS6). A portion of that website (written in ASP), pulls data from a Microsoft Access database, located on the same server.

The ASP web site is now moving to a data centre, to a server in a different Active Directory domain (no trust yet exists between the two domains), but the Access database has to stay where it is (other applications reference it).

Previously, the "anonymous access" internet account had permission to read/write to the Microsoft Access database. But now the "anonymous access" account is in a different AD domain, and as such can't be granted read/write access to the Access file (unless I'm very much mistaken).

So, my question is - what is the quickest/simplest way to grant the ASP application access to the Microsoft Access file? Is there someway I can specify the Active Directory account to authenticate as in the connection string or something?

Thanks.

How is Google giving me access to this page?

alms — Wed, 27 Dec 2006 14:29:00 -0800

How come if I search for this page and click on the Google link I get to the page, but if I copy the link that Google gives me and try to access it directly, I'm taken to a login page? What I really want is to be able to e-mail this link to people, or include it in a fpp on the blue.

Why a two-step login?

smackfu — Sun, 20 Aug 2006 09:15:51 -0800

Why are many financial institutions moving to a two-step login process, where you enter your username on one page and then your password on the next? For instance, Vanguard and ING. Their rationale is just that it's "more secure", but that's not much of a reason.

Salvador Dali Paintings Authentic?

lutzla23 — Fri, 21 Apr 2006 12:52:06 -0800

I have two paintings signed by Salvador Dali I am in the process in having them authenticated as legit or copies. To possibly save some resources I would like to do background on the paintings, but I am unable to find any information, any suggestions? Recently I found these two paintings that belong to an older family member. They are both signed by “Salvador Dali” and have the representation of his surrealism work. I know enough about Dali and art to know that there have been many fakes produced for this artist. However, these paintings are signed and dated, have physical texture, and they are on canvas, I would believe to be hard to reproduce in a copy.
I am unable to read the date as the frame covers most of it, because I am not an expert I do not feel comfortable removing the frame.
Both paintings are also signed “Orican”, I have tried searching for these word but was unable to find any reference or information.
Mostly the likeness of the paintings is all I have to search on.
Before I spend the time and resources to have it shipped to a curator and/or authenticator I would like to do some preliminary research to see if I can’t find more information.

If anyone has any suggestions of sites, easily accessible reading material, or even has knowledge, I would greatly appreciate it!

PHP Security

MetaMonkey — Thu, 30 Mar 2006 23:36:28 -0800

I’m working on a PHP/MySQL app and would like to ensure my security is up to scratch – need tips on authentication, globals and input sanitization. My current method of authenticating users is a simple MySQL username/password lookup, then storing their state with a session and a required cookie (which stores only the session id). To prevent fixation I am using session_regenerate_id whenever necessary. Am I missing anything?

Register globals is on by default. I am not using globals, and I am trying to define all variables before use. Am I safe? Can global hacks affect my sessions?

My current method of input sanitization is:

1. strip < ,>, ‘\r’ and ‘\n’ to prevent scripting attacks
2. convert everything to entities
3. escape anything left with mySQL_real_escape

Is this sufficient to protect against any/all injection/xss attacks?

PHP Security is giving me a big headache, and I keep feeling like I’m missing something important. Any tips, corrections, best practices or links would be very much appreciated.

Permissions in PHP webapps without headaches?

SpecialK — Mon, 06 Mar 2006 15:03:23 -0800

Best practices for managing massive permission systems for a giant home-brewed PHP CMS? I'm in a job that has a web CMS with a frontend and backend that has grown up over the years. User permissions are currently done with a mostly randomly assigned number on a one-to-one with username that relates back to a set of permissions.

I'd like to move to something that's a lot more customizeable, and doesn't force us to grant such large swaths of permissions.

However, there's literally going to be 400 permissions for the site due to the need to extensively silo content. Is there an easier way to set things up? What best practices have been found in other situations for applications this large, and has anything been written about retrofitting this kind of functionality into an existing large application?

Captive Portal with auth - help?

bystander — Thu, 22 Sep 2005 05:26:05 -0800

Captive Portals. I'd like one. I want it to work with a WRT54G, connected to a DSL line. I'd like a login screen that looks up an auth database (probably RADIUS, but not definite) and I would like the whole auth infrastructure to be centralised, so I don't need anything but the wireless router on the end of the DSL line. I want to have multiple DSL lines sharing the auth infratructure. I want to control access, so only users with existing credentials gain access (not anyone like wifidog).
Cheap or free is good.
I'm not the brains of the operation, but I think I can understand the answers, any recommendations?

Security Cluelessness

ChrisR — Sun, 11 Sep 2005 22:00:00 -0800

I'd like to get a handle on computer security. Where should I start? I'd like to stress that I am NOT talking about spyware and viruses here, but the more interesting things like authentication and authorization. At work, I've had to get up to speed on a great number of things, but so far the new aspects of my experience haven't intersected the security aspects of the business. I'd like to know more before they do, and in support of that I want some advice on how to learn it.

I'm talking about (for example only!) JAAS, X.501 (?), SAML, et al. Where do they fit in, what is a complete system made up of, what are some relative merits, et al. Something not flat-out entry level (ie: Computer Security for Dummies) but rather an introduction for someone who knows how to program in a serious way, but doesn't know a damned thing about these beasties.

I'd prefer a book, if at all possible, although web sites are welcome as well.