简体繁体 English

单个用户的简单网络身份验证

[英]Dead-simple web authentication for a single user

原文 2009-05-13 14:04:35 6 3 python/ security/ authentication/ web-applications

I wrote a small internal web app using (a subset of) pylons . 我使用pylon （的一部分）编写了一个小型内部Web应用程序。 As it turns out, I now need to allow a user to access it from the web. 事实证明，我现在需要允许用户从Web上访问它。 This is not an application that was written to be web facing, and it has a bunch of gaping security holes. 这不是一个面向Web的应用程序，它有很多安全漏洞。

What is the simplest way I can make sure this site is securely available to that user, but no one else? 确保该用户可以安全访问该网站但没有其他人可以使用的最简单方法是什么？

I'm thinking something like apache's simple HTTP authentication, but more secure. 我在想类似apache的简单HTTP身份验证，但更安全。 (Is OpenID a good match?) （OpenID很好吗？）

There is only one user. 只有一个用户。 No need for any user management, not even to change password. 无需任何用户管理，甚至无需更改密码。 Also, I trust the user not to damage the server (it's actually his). 另外，我相信用户不会损坏服务器（实际上是他的服务器）。

If it was for me, I would just keep it behind the firewall and use ssh port forwarding, but I would like to have something simpler for this user. 如果是我的话，我会将其保留在防火墙后面并使用ssh端口转发，但我想为该用户提供一些更简单的方法。

EDIT : Hmm... judging by the answers, this should have been on serverfault. 编辑：嗯...从答案来看，这应该是在serverfault上。 If a moderator is reading this, consider migrating it. 如果主持人正在阅读此内容，请考虑迁移它。

3 个解决方案

如果只有一个用户，则使用证书可能是最简单的。

How about VPN? VPN怎么样？ There should be plenty of user-friendly VPN clients. 应该有许多用户友好的VPN客户端。 He might already be familiar with the technology since many corporations use them to grant workers access to internal network while on the road. 他可能已经熟悉该技术，因为许多公司在旅途中使用它们来授予员工访问内部网络的权限。

Basic HTTP authentication can be bruteforced easily by tools like brutus. 基本的HTTP身份验证可以通过brutus之类的工具轻松实施。 If his ip is static you can allow his ip and deny all others with htaccess. 如果他的IP是静态的，则可以允许他的IP，并使用htaccess拒绝所有其他IP。