Help Request: Creating Single-Signon procedure

Started by ESmith, August 13, 2013, 03:17:47 PM


ESmith

Hi folks,

Is there a procedure for authenticating an SMF member's login outside of SMF? I have software written in Perl that I'd like to modify to be able to use our SMF member system for login authentication.

Thanks!

emanuele

Assuming your perl script has access to the database (and maybe to Settings.php, but that's not absolutely necessary), you should be able to both verify if the user is logged in (reading the cookie) and/or verify the user's password (querying the db) and set the cookie when signing on through the perl script.

There may be better approaches that I don't know...


Take a peek at what I'm doing! ;D

Do you need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

ESmith

Hi, thank you for your reply.

I can grab the cookie and get the info associated with it from the database, but I'm unfamiliar with how I would need to process their prompted login info to compare to the database.

Perl has a Digest::SHA module, and looking at the SMF code I thought I could take their raw pwd (from the login prompt) and then apply a sha1_base64 to get to the same pwd that is stored in the database, but when I tested it with my own password the results were inconsistent.

Does anyone know somebody that has tried this using Perl's available library modules?

Thank you!

Arantor

That's the thing, it's not just the raw password that you have to work with, it's also the username.

The method of storing passwords in SMF is SHA1(strtolower(username) . password) and I sincerely doubt that Perl's equivalent of strtolower works in the same way for non English characters.
Holder of controversial views, all of which my own.


emanuele

Quote from: Arantor - August 14, 2013, 03:55:00 AM
That's the thing, it's not just the raw password that you have to work with, it's also the username.
And the salt if you are comparing with the one stored in the cookie.

Quote from: Arantor - August 14, 2013, 03:55:00 AM
I sincerely doubt that Perl's equivalent of strtolower works in the same way for non English characters.
That could really be a problem.
It's been a long while since I last touched perl... (and I was not very good at the time either, even though I liked it lol)


Arantor

Oh and don't forget that the case folding is also character-set dependent too.
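Added example, not code from the thread or from SMF itself: Python that recomputes the SHA1(strtolower(username) . password) check Arantor describes and makes the case-folding caveat from the last two posts concrete. It assumes the concatenation is hashed as UTF-8 bytes and that the forum's strtolower folds only A-Z; fold_ascii, fold_unicode, smf_password_hash, verify_password and folding_disagrees are names chosen here.

```python
import hashlib
import hmac


def fold_ascii(username: str) -> str:
    """Lowercase only A-Z and leave every other character untouched.

    Assumption: this mirrors a byte-oriented strtolower that knows nothing
    about multibyte characters, the folding the thread warns may differ
    from Perl's lc.
    """
    return "".join(ch.lower() if "A" <= ch <= "Z" else ch for ch in username)


def fold_unicode(username: str) -> str:
    """Full Unicode case mapping, like Perl's lc on a decoded string."""
    return username.lower()


def smf_password_hash(username: str, password: str, fold=fold_ascii) -> str:
    """SHA1(strtolower(username) . password), the scheme described in the thread.

    Assumption: the concatenation is hashed as UTF-8 bytes.
    """
    data = (fold(username) + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def verify_password(stored_hash: str, username: str, password: str, fold=fold_ascii) -> bool:
    """Recompute the hash from a login attempt and compare it in constant time."""
    candidate = smf_password_hash(username, password, fold)
    return hmac.compare_digest(candidate, stored_hash.lower())


def folding_disagrees(username: str) -> bool:
    """True when the two folding strategies produce different hashes for this username."""
    return (smf_password_hash(username, "x", fold_ascii)
            != smf_password_hash(username, "x", fold_unicode))


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    stored = smf_password_hash("Alice", "correct horse")
    print(verify_password(stored, "ALICE", "correct horse"))  # True: ASCII names fold the same either way
    print(folding_disagrees("Alice"))  # False
    print(folding_disagrees("Émile"))  # True: 'É' is folded by lc but not by an ASCII-only strtolower
```

A username with non-ASCII letters hashes differently depending on which folding the verifier applies, so a Perl port has to reproduce the forum's folding exactly rather than call lc and hope.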


ESmith

Ahh, wow, that's a lot to think about ...

Well, as an alternative approach I am also considering adding a new routine to SSI.php which simulates the entire login process but, instead of dropping the user off into the forum index, it would redirect to an outside script and provide the id_member associated with their account (or set that as a cookie), which can then be used by the other system for associating them with their data that's located outside of SMF.

I know it's not ideal, but do you think it leaves too much of a hole that could be exploited?

Thanks for all of your insight, much appreciated! :)


Arantor

Too much of a hole? Where security is concerned, ANY hole is too big a hole. I foresee your example there being a very easy way to spoof accounts.


emanuele

...mmm... there is integrate_login that may be of help (the user is already almost logged in, you'd just need to fetch (again) the salt from the db and setup your cookie for the perl application).


ESmith

Thanks everyone, you gave me a lot to think about, and it looks like using the existing SMF cookie for authentication purposes is the only safe way to go...

I appreciate all of your help and guiding me away from creating a big security hole in the system. :)
