how to use the gnupg for authenticated logins
Carl L. Gilbert
Fri Aug 8 23:10:05 2003
On Fri, 2003-08-08 at 14:08, Neil Williams wrote:
> On Thursday 07 Aug 2003 11:40 am, Sharad Sahu wrote:
> > Hi,
> > I want to use the gnupg in a client server environment. Client request
> > server to create a session for him. Server authenticate the client b
> As always in Linux, there are alternative methods. Here are just two:
> As previously suggested on this list (From: Eugene Smiley, Date: Thu, 24
> 2003 19:18:32 -0400):
> I'd think this could be a simple script. Start with a login page that
> displays a random selection of text to be signed. The user copies
> the text and signs it and pastes it into a textbox. On submit, the
> script runs gpg (or gpgv) to verify the signature on the contents of
> the textbox. Extract the email address for the login ID. Drop your
> info into a session cookie to keep the state as the user surfs your site.
This whole thing must be automated or it's going to be inconvenient.
In the auto industry we would do this.
server sends a random key encrypted.
client decrypts random key, and uses it to encrypt a secret message that
the server and the client already know from previous communication (like
server decrypts message.
if all is well, we have mutual authentication with both ways encryption.
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes
GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD 19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org (Encryption and Digital
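The signed-challenge login quoted in this thread, as an added example that is not code from the list or from GnuPG: the server issues a single-use random challenge, runs gpg on the pasted clearsigned text, and reads the signer from gpg's `--status-fd` lines. Assumptions: all function names, the in-memory `_pending` store, the 120-second lifetime, and the `enrolled` map from primary-key fingerprint to account are hypothetical.

```python
import secrets
import subprocess
import time

CHALLENGE_TTL = 120   # seconds a challenge stays valid (assumed value)
_pending = {}         # challenge text -> expiry time (in-memory store, assumption)
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def issue_challenge(now=None):
    """Create the random text the login page asks the user to sign."""
    now = time.time() if now is None else now
    text = "login-challenge " + secrets.token_hex(16)
    _pending[text] = now + CHALLENGE_TTL
    return text

def consume_challenge(text, now=None):
    """True once per issued, unexpired challenge; a replayed one fails."""
    now = time.time() if now is None else now
    expiry = _pending.pop(text, None)
    return expiry is not None and now <= expiry

def signer_fingerprints(status):
    """Primary-key fingerprints from status lines; empty if any signature is bad."""
    found = set()
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return set()
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Last field is the primary key fingerprint when gpg reports it.
            found.add(parts[-1] if len(parts) >= 12 else parts[2])
    return found

def run_gpg(signed_text):
    """Run gpg on a clearsigned message; return (signed cleartext, status text)."""
    p = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                       input=signed_text.encode(), capture_output=True)
    return p.stdout.decode(errors="replace"), p.stderr.decode(errors="replace")

def verify_login(signed_text, enrolled, gpg=run_gpg, now=None):
    """Return the account for a valid signature over a live challenge, else None."""
    cleartext, status = gpg(signed_text)
    account = next((enrolled[f] for f in signer_fingerprints(status) if f in enrolled), None)
    if account is None:
        return None
    return account if consume_challenge(cleartext.strip(), now) else None
```

The challenge is consumed only after the signature checks out, so a submission without a valid enrolled signature cannot burn someone else's pending challenge.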