how to use the gnupg for authenticated logins

Carl L. Gilbert lamont_gilbert@rigidsoftware.com
Fri Aug 8 23:10:05 2003


On Fri, 2003-08-08 at 14:08, Neil Williams wrote:
> On Thursday 07 Aug 2003 11:40 am, Sharad Sahu wrote:
> > Hi,
> > I want to use the gnupg in a client server environment. Client request to
> > server to create a session for him. Server authenticate the client based
>
> As always in Linux, there are alternative methods. Here are just two:
>
> As previously suggested on this list (From: Eugene Smiley, Date: Thu, 24 Jul
> 2003 19:18:32 -0400):
> <quote>
> I'd think this could be a simple script. Start with a login page that
> displays a random selection of text to be signed. The user copies
> the text and signs it and pastes it into a textbox. On submit, the
> script runs gpg (or gpgv) to verify the signature on the contents of
> the textbox. Extract the email address for the login ID. Drop your
> info into a session cookie to keep the state as the user surfs your site.

This whole thing must be automated or it's going to be inconvenient.

In the auto industry we would do this.

server sends a random key encrypted.
client decrypts random key, and uses it to encrypt a secret message that
the server and the client already know from previous communication (like
a password).
server decrypts message.

if all is well, we have mutual authentication with both ways encryption.


-- 
Thank you,


CL Gilbert
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes
9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org (Encryption and Digital
Signatures)
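
Added example, not part of the original message or of GnuPG: one way to implement the server side of the signed-challenge login quoted above, in Python. The names issue_challenge, gpg_verify and login, the 120-second lifetime and the enrolled fingerprint-to-account table are assumptions; the server is assumed to hold the users' public keys in its own keyring.

```python
import hmac, secrets, subprocess, time

CHALLENGE_TTL = 120   # seconds a challenge stays valid (assumed value)
_pending = {}         # session id -> (challenge text, expiry time)

def issue_challenge(session_id, now=None):
    """Create the random text the login page asks the user to sign."""
    now = time.time() if now is None else now
    challenge = "login-challenge:" + secrets.token_hex(16)
    _pending[session_id] = (challenge, now + CHALLENGE_TTL)
    return challenge

def gpg_verify(signed_text):
    """Run gpg on a clearsigned paste; return (fingerprint, content) or None."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt"],
                          input=signed_text.encode(), capture_output=True)
    status = [l.split() for l in proc.stderr.decode(errors="replace").splitlines()
              if l.startswith("[GNUPG:] ")]
    good = any(s[1:2] == ["GOODSIG"] for s in status)
    # VALIDSIG carries the full fingerprint of the key that made the signature.
    fprs = [s[2] for s in status if s[1:2] == ["VALIDSIG"] and len(s) > 2]
    if proc.returncode == 0 and good and len(fprs) == 1:
        return fprs[0], proc.stdout.decode(errors="replace")
    return None

def login(session_id, signed_text, enrolled, verify=gpg_verify, now=None):
    """Return the account for a valid signed challenge, else None."""
    now = time.time() if now is None else now
    entry = _pending.pop(session_id, None)   # single use: gone after one attempt
    if entry is None or now > entry[1]:
        return None                          # never issued, replayed, or expired
    result = verify(signed_text)
    if result is None:
        return None                          # no good signature from a known key
    fingerprint, content = result
    # The signature must cover exactly the text this session was given.
    if not hmac.compare_digest(content.strip().encode(), entry[0].encode()):
        return None
    # Accounts are looked up by enrolled key fingerprint (assumed table).
    return enrolled.get(fingerprint)
```

The verify parameter exists so the challenge handling can be exercised without a keyring; in production it stays at the gpg_verify default.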
