Article delegate-en/3051 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: how to authenticate admins by other means than identd or ftp ?
11 Aug 2005 09:15:04 GMT Armin Wies <p44fqbdyi-rn3efjmgyhtr.ml@ml.delegate.org>
http://freemail.web.de/



Hi Yutaka,

thank you for your reply.

feedback@delegate.org wrote:
> In message <_A3047@delegate-en.ML_> on 08/10/05(00:15:25)
> you Armin Wies <p44fqbdyi-rn3efjmgyhtr.ml@ml.delegate.org> wrote:
>  |Is there a way how I can authenticate admins (using the web-gui
>  |http://mydelegatserver:port/-/admin for a HTTP-server) by ADS,
>  |TACACS+, or maybe system users of mydelegateserver ?
>  |
>  |I tried using httpam, but could not get this to work...
> 
> If your host of DeleGate runs FTP server, then you can use it for the
> authentication with an AUTH parameter as this:
> 
>   AUTH="admin:*:dgadmin@localhost"

OK, I've set up an FTP server in order to test this. One can minimize the security risk by binding the FTP server to the loopback interface.
But anyway, isn't it a bit strange to set up an FTP server just to do authentication for an admin account of a proxy server?

My question was, are there any other ways (apart from ident) how authentication can be done.

>  |Maybe this is trivial, but I have not found out.
>  |
>  |Another issue: Is there a way how the admin-gui can be secured using
>  |SSL ? (And to disable http://mydelegatserver:port/-/admin ?)
>  |I don't like anybody sniffing my passwords on unencrypted connections.
> 
> You can make your DeleGate use SSL optionally when it detected SSL on
> the client-side connection, as this:
> 
>   STLS=-fcl
> 
> So the simplest solution for your requirement with proxy HTTP-DeleGate can
> be like this:
> 
>   delegated -P8080 SERVER=http STLS=-fcl AUTH="admin:*:dgamin@localhost"
> 
>   admin-URL: https://DeleGateHost:8080/-/admin/

But this just adds SSL support to the admin pages; you still have the option to use them without SSL.
Is there a way to get rid of the unsecured admin interface, or to get rid of the admin web interface altogether?

> I think "AUTH=admin" should have been obsoleted when "AUTHORIZER" parameter
> was introduced, especially when Digest-Authentication is introduced.
> Since we can easily use SSL, Digest-Authentication, or PAM in DeleGate,
> it might be a good time to do so.

Well, in fact I don't understand too well how authentication issues are handled in DG.
I've read the AUTH and AUTHORIZER sections of the manual dozens of times, but I still don't understand whether I can use them synonymously or use one as an addition to the other. I'd highly appreciate some clarification in the manual.
I think that more examples could be of great help too...

(This is just meant as feedback: the manual is sometimes hard to understand, especially when it comes to the interaction of parameters. I'd be glad to give suggestions on how to improve the manual, but I don't yet understand the issues myself.)

I see that DG is like a Swiss Army knife when it comes to proxying. I really like the way resources can be mounted and translated into different protocols, and I really like the number of protocols it understands (miles ahead of anything else I've seen). I'm really keen on using it in my production environment, but I am highly dependent on authentication mechanisms.

I'd be very glad if you could give me some hints of how the concept of authentication works, and which possibilities of authentication there are.

Domo arigato gozaimas  :-)

Best regards,
Armin


-- 
Armin Wies 
armin.wies@web.de 