On Tue, 23 Oct 2001, Paul D. Robertson wrote:

> On Tue, 23 Oct 2001, David Lang wrote:
>
> > the other thought I've had on this (but haven't taken the time to pursue)
> > is if openssh can be configured to use PAM then it may be possible to use
> > a PAM module to do the token c/r.
>
> I dunno about challenge/response tokens, I've used a PAM RADIUS
> authenticator to auth SSH under Linux, and the module was either supposed
> to run on Solaris, or not too difficult to get there if you're using
> SecurID and willing to let the ACE server do RADIUS.
>
> > and I'm not saying it's the right thing to use as a company's internet
> > firewall either :-) I primarily use it for internal firewalls where I want
> > the strong authentication it provides (for services that support it) and
>
> If you're not doing strong auth, or you want to have some fun writing
> code, Apache's mod_proxy can be made to auth proxy requests- I never had
> much luck getting a clean-looking content filtering mechanism grafted on
> though, and one-time tokens like SecurID took more effort than it was
> worth (Couldn't ever figure out if I could do cookies to the proxy server
> and building a separate credential caching daemon seemed way more trouble
> than talking our firewall reseller into an Enterprise license ;) )

doing strong authentication for http/https is far from simple.

> > I would say that I wished that someone else would come up with a set of
> > proxies and an authentication engine similar to what the FWTK provides, but
> > I guess the job it does is simple and complete enough (again within its
> > limits) that there's not enough reason for anyone to reinvent the wheel.
>
> There are some proxy projects around- I'm not sure how strong any of the
> auth stuff is though. These days you can almost get away with just
> supporting http/https though.

only if what you are trying to support is internet access, for internal firewalls you end up needing a lot more.

David Lang

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
