Authorising access for dynamic IPs

Dear lazyweb: for an internal resource, we are currently using IP-based access control, based on the fact that the data themselves are not sensitive, but still must not be accessible to everyone.

We are experiencing more and more of a problem with people working from home, from dynamic IPs, and yet, I cannot come up with a good authentication scheme.

The resource contains large files and it's accessed concurrently by many users. Thus, SSL-tunneling to protect the basic HTTP user:pass combination is not really an option. Also, I would prefer if people couldn't share passwords.

I've looked into client certificates, which are supported by most browsers; the trouble here is that we need to access the resource also with applications not supporting client certificates.

So in the end, I am back to IP-based authentication and now looking for a web login tool that can verify user credentials against a flat file, database, or even PAM, and update the .htaccess file accordingly. This way, users could share passwords, but a password would only ever authenticate an IP, not the content.

Do you know of such web login tools, which are not written in PHP?

NP: No-Man / Flowermouth

Update: Ronny Adsetts suggests the use of VPN. That is an option, but again, it sort of requires encryption (or at least tunneling) of large quantities of data, for which we don't have the hardware.

Update: I ended up implementing a very simple solution, which comes close to a hack but actually does exactly what I want in a completely transparent way.

Basically, I wrote a CGI script which would use sed to edit the .htaccess file protecting the resource. The .htaccess file would contain lines such as the following for each authorised person:

#ID: madduck
allow from 1.2.3.4

and the CGI would make use of this structure with the following sed call:

sed -i -re "/^#ID: $REMOTE_USER\$/{N;s/[[:digit:].]+\$/${REMOTE_ADDR#::ffff:}/}" "$FILE"

I used another .htaccess file to protect the CGI with basic HTTP authentication, and tunneled it over SSL.

Now, to access http://my.internal.resource, people surf to https://auth.my.internal.resource, get prompted by their browser to authenticate, then cause Apache to invoke the CGI script, which passes the authentication information to sed before issuing a redirect to the actual resource, which is now authorised for the IP from which the user authenticated. That's exactly what I wanted.
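As an added example (not the CGI from the post), here is the same idea written out as a small POSIX sh CGI that uses awk instead of the sed one-liner. It validates REMOTE_USER and the client address before touching the file, matches the "#ID:" marker line exactly rather than as a prefix, refuses anything that is not a dotted-quad IPv4 address rather than writing it into the .htaccess, and replaces the file via a temporary copy. The path in HTACCESS, the RESOURCE_URL variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own CGI): authorise the authenticated
# user's client IP by rewriting the "allow from" line that follows the
# user's "#ID:" marker in the protected .htaccess. Apache has already done
# the authentication (REMOTE_USER) and supplies REMOTE_ADDR; this script
# trusts only those two variables. Paths and RESOURCE_URL are assumptions.

HTACCESS=${HTACCESS:-/srv/www/internal/.htaccess}           # assumed path
RESOURCE_URL=${RESOURCE_URL:-http://my.internal.resource/}  # assumed URL

# Apache on a dual-stack socket reports IPv4 clients as ::ffff:a.b.c.d;
# strip that prefix so the .htaccess gets a plain dotted quad.
client_ip() {
    printf '%s\n' "${1#::ffff:}"
}

# Accept only dotted-quad IPv4 with four octets of 0..255. A real IPv6
# address or anything else is refused instead of being written to the
# file, because the .htaccess entries here only carry IPv4 addresses.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o; do [ "$o" -le 255 ] 2>/dev/null || exit 1; done
    )
}

# The username is only ever compared literally (awk ==), but reject odd
# characters anyway so a marker can never span lines or carry escapes.
valid_user() {
    case $1 in ''|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
}

# update_allow USER IP FILE
# Replace the "allow from ..." line directly after "#ID: USER".
# Exit status: 0 updated, 2 bad user, 3 bad IP, 4 no temp file,
# 5 marker not found. The file is left untouched in every failure case.
update_allow() {
    user=$1 ip=$2 file=$3
    valid_user "$user" || return 2
    valid_ipv4 "$ip" || return 3
    tmp=$(mktemp "$file.XXXXXX") || return 4
    # Exact match on the marker line, not a prefix match, so that user
    # "mad" can never rewrite the entry belonging to "madduck".
    if awk -v user="$user" -v ip="$ip" '
            hit && /^allow from / { print "allow from " ip; hit = 0; found = 1; next }
            { hit = ($0 == "#ID: " user); print }
            END { exit found ? 0 : 1 }
        ' "$file" > "$tmp"
    then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 5
    fi
}

# CGI entry point: Apache has already authenticated the user over HTTPS.
cgi_main() {
    ip=$(client_ip "${REMOTE_ADDR:-}")
    if update_allow "${REMOTE_USER:-}" "$ip" "$HTACCESS"; then
        printf 'Status: 302 Found\r\nLocation: %s\r\n\r\n' "$RESOURCE_URL"
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'Could not authorise %s for %s\n' "$ip" "${REMOTE_USER:-?}"
    fi
}

# Only act as a CGI when Apache is calling us; sourcing the file just
# defines the functions.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_main
fi
```

The same caveat as with the original sed approach applies: the .htaccess must be writable by the user Apache runs the CGI as, and since the temporary file is created by that user, the replaced .htaccess ends up owned by it too. A user without a "#ID:" marker gets a 403 rather than a silently unchanged file, and a client that arrives over native IPv6 is refused instead of producing a malformed allow line.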