Skip to content

Providing temporary password access over http

November 16, 2012

I’m not exactly proud about this one in many regards (security, for instance) by was actually something needed by a relative that, from time to time, go to some random shop to print PDFs. Having to put them on a device like a USB Key or hard disk is some kind of a nuisance, especially when your own workstation is behind a static IP.

The way it works is that it asks you for a password. If you have none, then it’ll send you a random one by mail. This password will be erased after an hour.

Security notes: this could be subject to packet sniffing so I don’t suggest to use it as it is for any sensitive data. It can easily be improved in regards of security depending on the end user you’re targetting, in my case it had to remain as basic as possible. It logs everything so fail2ban and other tools can easily be set in motion.

It’s composed a perl script, a cronjob and a nginx example config file. The perl script will ask the user for a valid user name and set up the temporary access accordingly. The cronjob will be used to reset passwords. The sample nginx shows how to run the perl script as appropriate error page and provided access either by basic auth or IP.

Install guide from the README :

1) It assumes your nginx supports perl like in
http://nginxlibrary.com/perl-fastcgi/:

apt-get install nginx libfcgi-perl wget
wget http://nginxlibrary.com/downloads/perl-fcgi/fastcgi-wrapper -O /usr/bin/fastcgi-wrapper.pl
wget http://nginxlibrary.com/downloads/perl-fcgi/perl-fcgi -O /etc/init.d/perl-fcgi
chmod +x /usr/bin/fastcgi-wrapper.pl
chmod +x /etc/init.d/perl-fcgi
update-rc.d perl-fcgi defaults
insserv perl-fcgi

2) Copy and edit the nginx sample and crontab sample into the appropriate places:
- something like /etc/nginx/site-available/transit symlinked to /etc/nginx/site-enabled
- /etc/cron.d/transit

3) Then you must create a group named transit and add to it users that
are entitled to use this.

4) You must also make sure nginx (www-data?) can write to the directory where
you store the .passwd file. In the default case here, it’s /etc/nginx/passwd/

From → Networking, Sysadmin

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: