Provide HTTP basic auth additional authentication option
|Priority:||Very Low||Due date:|
|Affected version:||Affected Architecture:|
edit: see cmb's 20101120 explanation. original submitter's follows.
It would be nice if the Web interface could offer http auth
instead of the login form as an option. It would be really great
if one could set the auth realm as well, so someone trying to log
in is not seeing what kind of software is listening on that ip.
I know this is security by obscurity, but never the less i would prefer
my users not knowing what kind of firewall im using.
#1 Updated by Scott Ullrich over 2 years ago
- Status changed from New to Rejected
We just spent considerable time moving from that model to the model we are using in 2.0. Sorry but we are not going back to the old model.
#2 Updated by Scott Ullrich over 2 years ago
PS: firewall off the port to the world and only allow from a management IP.
#3 Updated by Chris Buechler over 2 years ago
- Subject changed from Disable Form Based Authentication to Provide HTTP basic auth additional authentication option
- Status changed from Rejected to New
- Priority changed from Normal to Very Low
- Affected version deleted (
While not legit for reasons of obfuscating what you're running (almost every single commercial vendor does similar and fully identifies itself, that's why you strictly limit management access by IP with any device like this), it is a legit feature request and one I've thought of before. Though not to replace session authentication, it probably would be in addition to it.
Putting in HTTP basic auth at the web server level is beneficial for a couple security reasons. One, it could prevent the exploitation of a security hole in the web interface code. Two, it could prevent a future vulnerability in PHP itself from being exploited.
Restricting access to the web interface by IP is the answer here, as the mentioned scenarios are largely to entirely irrelevant with properly-restricted access.