
how to write a secure login form?

tbuitenh (joined 2005-12-21) wrote:

I don't want to send the password in plaintext, I don't want to store the password in plaintext on the server, and I also don't want to use SSL. Now how do I verify passwords?

A) If I store a hash of the password on the server, the client must send the password in plaintext, so the server can generate a hash of it to compare with the information it has. Of course I can't let the client send a hashed password, since that means the hashed password on the server actually becomes a plaintext password!

B) I could let the server send the client a random string, which the client then combines with the password and generates a hash of this combination, which is sent back to the server. However, the server can only check this if it also has the password in plaintext (to execute the same steps as the client, then compare the results). Also, the password needs to be sent in plaintext when the account is created.

C) Use RSA signatures, but (1) this is overkill, and (2) I don't think working with huge primes in client-side javascript is going to be pretty.

D) Like A, but use public/private key cryptography to make sure only the server can read the password. Again, huge primes and javascript.....

Does anyone have better ideas?
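An added worked example, not from the thread, showing the three schemes the post compares in Python: option A with a salted, slow hash stored server-side and a constant-time comparison (this assumes the password travels over a protected channel such as TLS), the client-side-hashing variant the poster rejects (a stolen verifier logs in directly, so the stored hash is a password equivalent), and option B as a challenge/response exchange with both sides' messages, which forces the server to keep the password itself. The in-memory USERS store, the user names and the test passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000   # OWASP (2023) floor for PBKDF2-HMAC-SHA256
SALT_LEN = 16

# Constructed in-memory "database" for the example: user -> record dict.
USERS = {}


def kdf(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: the only thing the server stores under option A."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# ---- Option A: client sends the password (over TLS); server hashes and compares ----
def register_a(user: str, password: str) -> None:
    salt = os.urandom(SALT_LEN)
    USERS[user] = {"salt": salt, "verifier": kdf(password, salt)}


_DUMMY_SALT = b"\x00" * SALT_LEN


def login_a(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        kdf(password, _DUMMY_SALT)      # same work for unknown users: no timing oracle
        return False
    # constant-time comparison of fixed-length digests
    return hmac.compare_digest(kdf(password, rec["salt"]), rec["verifier"])


# ---- The pitfall from the post: letting the client send the hash ----
def login_client_hashed(user: str, client_hash: bytes) -> bool:
    """Client fetches the salt, runs kdf() itself and sends the result; the server
    only compares. Whoever holds the stored verifier can therefore log in with it."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(client_hash, rec["verifier"])


# ---- Option B: challenge/response without TLS ----
def register_b(user: str, password: str) -> None:
    # The server must keep the password itself to recompute the client's response.
    USERS[user] = {"password": password}


def challenge() -> bytes:
    return secrets.token_bytes(32)          # fresh per login attempt, used once


def client_response(password: str, nonce: bytes) -> bytes:
    """What the browser would send: HMAC over the server's nonce keyed by the password."""
    return hmac.new(password.encode("utf-8"), nonce, "sha256").digest()


def login_b(user: str, nonce: bytes, response: bytes) -> bool:
    rec = USERS.get(user)
    if rec is None or "password" not in rec:
        return False
    expected = client_response(rec["password"], nonce)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    USERS.clear()
    register_a("alice", "correct horse battery staple")
    out = {
        "a_good": login_a("alice", "correct horse battery staple"),
        "a_bad": login_a("alice", "wrong"),
        "a_unknown": login_a("mallory", "anything"),
    }
    # Database theft under the client-hashed variant: the stolen verifier logs in directly.
    stolen = USERS["alice"]["verifier"]
    out["stolen_hash_logs_in"] = login_client_hashed("alice", stolen)

    register_b("bob", "hunter2")
    nonce = challenge()
    resp = client_response("hunter2", nonce)
    out["b_good"] = login_b("bob", nonce, resp)
    # A captured response is useless against a fresh nonce (replay protection)...
    out["b_replay_with_new_nonce"] = login_b("bob", challenge(), resp)
    # ...but the server-side record holds the password in the clear.
    out["b_server_holds_plaintext"] = USERS["bob"]["password"] == "hunter2"
    return out


if __name__ == "__main__":
    print(demo())
```

The two results worth noticing are `stolen_hash_logs_in` (True: under the client-hashed variant the database dump is a credential dump) and `b_server_holds_plaintext` (True: option B trades a plaintext wire for a plaintext store), which is the trade-off the post describes.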

tbuitenh wrote:

I'm stupid. I thought SSL certificates should always be bought from certificate authorities. Not so, you can create a self-signed one. SSL it shall be.

supermike (joined 2006-02-17) wrote:

Yeah, you can self-sign pretty easily. I have an ancient RH9 note I wrote for RH9. You can revise it for your particular distro.

First, you're going to need a few things:

1. Install the SSL Module for Apache from Add/Remove Programs under Web Server. It's listed as
"mod_ssl".

2. Install the HTTP control panel from Add/Remove Programs under Server Configuration Tools. It's
listed as "redhat-config-httpd".

Now, turning on Apache SSL on RH9 Linux is fairly easy if you use the "HTTP Server" tool (if you
chose to install it from Add/Remove Programs) in System Settings, Server Settings menu. It updates
Apache automatically for you. Open it and look for Virtual Hosts tab. Then, click Default Virtual
Host and click Edit. Now click on SSL on the left. Click "Enable SSL Support" and click OK, taking
the basic options. Click OK all the way out of this control panel and it will save the settings to
Apache files.

However, it won't work unless you bring down your firewall all the way in the Security Level
control panel. To get around that, unfortunately, you have to edit a line of code and then go back
into Security Level with some new features:

1. su

2. after backing up the following file, edit it:

/usr/share/redhat-config-securitylevel/securitylevel.py

3. look for line 115 which should have this on it:

self.serviceDict = {"DHCP":"dhcp", blah blah...

...it will also wrap around to the next line and that's why the next line begins with an
underscore.

4. Now you need to change this line. The line ends with a comma, so add this entry, replacing
"<space>" by hitting your spacebar once:

<space>"WWW (HTTPS)":"https",

...while you're at it, if you want to open up NFS through your firewall, add:

<space>"NFS":"nfs",

...and anything you want to expose that also has an entry in /etc/services, you can do that too by
this same syntax. However, if you have an exclusive port that you service from your server, and it
doesn't have an entry in /etc/services, then you need to add it to the bottom of /etc/services in
the same format as the other port definitions, and you then need to add it sort of like:

<space>"MYSERVICE":"myservice",

...replacing MYSERVICE and myservice with what you put in your /etc/services file at the bottom.

5. Now you are ready to save this file and open the Security Level control panel. Voila! You now
have new entries there for HTTPS, thereby enabling SSL. If you check it and click OK, it will ask
to save. When it saves, you may or may not have to bounce your httpd daemon (Apache Web Server) in
Services Control Panel. (I forgot.) If you're wondering what two files this updates, they are:

/etc/sysconfig/iptables
/etc/sysconfig/redhat-config-security-level

This should work as is, but if you want to set up certificates, either new self-signed ones or
signed through a certificate provider like Thawte, you should contact a seasoned Apache expert,
call Red Hat, or expect to pore over some Apache manuals.

Note that on Mozilla, it just works in connecting to the site without a popup. (At least on the RH9
version of Mozilla, it works this way.) However, I noticed on IE6 that it says this is an
unregistered certificate and asks if you want to install it. When I did this on IE6, I could hit
the server with https without it popping up a message every time.

tbuitenh wrote:

archlinux /etc/httpd/conf/mod_ssl.txt wrote:

To use apache with SSL you will have to do three things:

1) Edit /etc/conf.d/httpd and set HTTPD_USE_SSL to "yes"

2) Create an ssl key, request, and certificate.

# This generates the cert and key (valid for 3650 days)
# Be sure to enter the FQDN of your apache server as the "Common Name".
openssl req -new -x509 -newkey rsa:1024 -days 3650 \
-keyout server.key -out server.crt
# This will remove the passphrase
openssl rsa -in server.key -out server.key

3) Modify /etc/httpd/conf/ssl.conf to use your new certificate.

SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key

Done! You can start apache with '/etc/rc.d/httpd start'. If it hangs or fails
to start, check the /var/log/httpd/error_log or try running
'/usr/sbin/apachectl startssl' and looking for errors/prompts.

Clarification: when it asks for the "common name", you should enter your hostname (localhost if you're developing and testing on your laptop like me), otherwise Firefox will complain about the certificate belonging to someone other than expected.
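An added example, not part of the post or of the quoted Arch Linux notes, that runs the certificate-generation step from the quote and then checks the hostname point from the clarification without touching a network: it drives the `openssl req` command from Python (assumes an `openssl` binary of version 1.1.1 or later on PATH, for `-addext`), using a 2048-bit key, `-nodes` instead of the separate passphrase-removal step, and a subjectAltName matching the common name, because current browsers match the hostname against the SAN rather than the CN. It then performs an in-memory TLS handshake with `ssl.MemoryBIO` between a server holding that certificate and a client that trusts only it; the client accepts the certificate for the name it was issued to and rejects it for any other name, which is the complaint the clarification warns about. File names and the host names are constructed for the example.

```python
import os
import ssl
import subprocess
import tempfile


def make_selfsigned(hostname: str, directory: str, days: int = 365) -> tuple:
    """Generate server.key and server.crt like the quoted mod_ssl.txt, but with a
    2048-bit key, no passphrase (-nodes) and a subjectAltName for hostname.
    Assumes an openssl >= 1.1.1 binary on PATH (for -addext)."""
    key = os.path.join(directory, "server.key")
    crt = os.path.join(directory, "server.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-days", str(days), "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return crt, key


def handshake_ok(crt: str, key: str, expected_host: str) -> bool:
    """TLS handshake entirely in memory (no sockets) between a server using crt/key
    and a client that trusts only crt and expects the peer to be expected_host."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)        # also fails if key and cert don't match
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    client_ctx.load_verify_locations(cafile=crt)          # pin the self-signed cert
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False,
                                 server_hostname=expected_host)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    try:
        for _ in range(10):                     # a few round trips are enough
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)        # this side has finished
                except ssl.SSLWantReadError:
                    pass                        # needs bytes from the peer first
            s_in.write(c_out.read())            # shuttle client -> server
            c_in.write(s_out.read())            # shuttle server -> client
            if not pending:
                return True
    except ssl.SSLError:                        # e.g. SSLCertVerificationError: hostname mismatch
        return False
    return False


def demo() -> tuple:
    """Certificate issued to localhost: accepted as localhost, rejected as any other name."""
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_selfsigned("localhost", d)
        return (handshake_ok(crt, key, "localhost"),
                handshake_ok(crt, key, "www.example.com"))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Pinning the certificate with `load_verify_locations(cafile=crt)` is how a client should trust a self-signed certificate: explicitly and for that one certificate, rather than by disabling verification, which is what the "install it anyway" prompts in the earlier reply amount to.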
