At 06:28 21.02.2003, Chris Cook said:
--------------------[snip]--------------------
>I have used MAC address authentication using the arp table and it worked for
>what I used it for, but it does only work over the local network and
>spoofing is an issue. Using a cookie in conjunction with a MAC address helps
>the authentication, but it sounds like SSL is the way to go...
>
>Does anyone have any suggestions on where to start learning SSL?
--------------------[snip]--------------------

Homepage of modssl: http://www.modssl.org/

I have successfully set up a site using SSL and a client certificate. Apache
is configured to require a client certificate, however you could easily
modify this to have it optional, and perform some legal action if the CS is
missing or invalid.

Apache configuration (anonymized):

    <VirtualHost 1.2.3.4:443>
        ServerName myhost.com
        DocumentRoot "/etc/httpd/home/myhost.com"
        SSLEngine on

        # this is the server certificate and key
        SSLCertificateFile /etc/httpd/certs/myhost.com.crt
        SSLCertificateKeyFile /etc/httpd/certs/myhost.com.key

        # Client certificate handling
        # may use "Optional" as keyword
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLCACertificateFile /etc/httpd/certs/myhost.com.ca.crt
        SSLOptions +StdEnvVars +CompatEnvVars +FakeBasicAuth
    </VirtualHost>

In PHP, I check:

    // mod_ssl exports the subject DN fields through +StdEnvVars;
    // isset() avoids an undefined-index notice when a field is absent
    $cacert_ou = isset($_SERVER['SSL_CLIENT_S_DN_OU']) ? $_SERVER['SSL_CLIENT_S_DN_OU'] : '';
    $cacert_em = isset($_SERVER['SSL_CLIENT_S_DN_Email']) ? $_SERVER['SSL_CLIENT_S_DN_Email'] : '';
    if (!empty($cacert_ou) && !empty($cacert_em)) {
        // valid certificate - login the user
    }
    else {
        // no or invalid certificate (not an option here)
    }

The client certificate is set up in a way that the "OU" property
(organizational unit) holds the company identifier of the user, and the
"Email" property holds the user identifier. This is how my client generates
the certificates, I have to live with that.

In your case you could easily create your certificates to:
1 - not be password protected so anyone on the machine can transmit it
2 - have a unique token per machine in one of its properties (OU, for
    example).

HTH,

--
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
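
The PHP check from the reply above, extended as an added example (not part of the original post or of mod_ssl): it also tests SSL_CLIENT_VERIFY, which matters once SSLVerifyClient is switched from "require" to "optional". The function name, the field-format rules and the sample arrays are assumptions.

```php
<?php
// Added example, not code from the original post. The function name, the
// OU / e-mail format rules and the sample arrays are assumptions.

/**
 * Return the identity carried by a verified client certificate, or null.
 * $server is the $_SERVER array as filled by mod_ssl with +StdEnvVars.
 */
function client_cert_identity(array $server): ?array
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    // FAILED:reason. With "SSLVerifyClient optional" a request may arrive
    // with NONE, so only SUCCESS is accepted as proof of a checked cert.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $ou    = $server['SSL_CLIENT_S_DN_OU'] ?? '';
    $email = $server['SSL_CLIENT_S_DN_Email'] ?? '';

    // DN fields are whatever the issuing CA put there: enforce the format
    // the application expects before using them as identifiers.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $ou)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['company' => $ou, 'user' => strtolower($email)];
}

// Constructed sample environments (not real captures).
$samples = [
    'verified'   => ['SSL_CLIENT_VERIFY'     => 'SUCCESS',
                     'SSL_CLIENT_S_DN_OU'    => 'ACME01',
                     'SSL_CLIENT_S_DN_Email' => 'jane@example.com'],
    'no cert'    => ['SSL_CLIENT_VERIFY'     => 'NONE'],
    'unverified' => ['SSL_CLIENT_VERIFY'     => 'GENEROUS',
                     'SSL_CLIENT_S_DN_OU'    => 'ACME01',
                     'SSL_CLIENT_S_DN_Email' => 'jane@example.com'],
];
foreach ($samples as $label => $env) {
    $id = client_cert_identity($env);
    echo $label, ': ', $id ? "{$id['company']}/{$id['user']}" : 'rejected', "\n";
}
```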