Feature #1020: Provide HTTP basic auth additional authentication option - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - Resolved/Closed
2.8.1 - Resolved/Closed
2.9.0 - All Open Bugs
2.9.0 - All Open Features
2.9.0 - All Open Issues
2.9.0 - All Open Regressions
2.9.0 - Feedback
2.9.0 - Needs Attention
2.9.0 - New/Confirmed
2.9.0 - Pull Requests
2.9.0 - Regressions affecting 2.9.0
2.9.0 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.07 Plus - All Closed Issues
25.07 Target - All Closed Issues
25.11 Plus - All Closed Issues
25.11 Plus - All Open Issues
25.11 Plus - Feedback Issues
25.11 Plus - Needs Attention/Work
25.11 Plus - New/Confirmed/In Progress Issues
25.11 Plus - Pull Request Review
25.11 Plus - Waiting on Merge
25.11 Target - All Closed Issues
25.11 Target - All Open Issues
26.03 Target - All Closed Issues
26.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #1020

closed

Provide HTTP basic auth additional authentication option

Added by Martin Klein about 15 years ago. Updated almost 10 years ago.

Status:

Closed

Priority:

Very Low

Assignee:

Category:

Web Interface

Target version:

Start date:

11/17/2010

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Description

edit: see cmb's 20101120 explanation. original submitter's follows.

It would be nice if the Web interface could offer http auth
instead of the login form as an option. It would be really great
if one could set the auth realm as well, so someone trying to log
in is not seeing what kind of software is listening on that ip.
I know this is security by obscurity, but never the less i would prefer
my users not knowing what kind of firewall im using.

History
Notes
Property changes

Actions

Copy link

Updated by Scott Ullrich about 15 years ago

Status changed from New to Rejected

We just spent considerable time moving from that model to the model we are using in 2.0. Sorry but we are not going back to the old model.

Actions

Copy link

Updated by Scott Ullrich about 15 years ago

PS: firewall off the port to the world and only allow from a management IP.

Actions

Copy link

Updated by Chris Buechler about 15 years ago

Subject changed from Disable Form Based Authentication to Provide HTTP basic auth additional authentication option
Status changed from Rejected to New
Priority changed from Normal to Very Low
Affected Version deleted (~~2.0~~)

While not legit for reasons of obfuscating what you're running (almost every single commercial vendor does similar and fully identifies itself, that's why you strictly limit management access by IP with any device like this), it is a legit feature request and one I've thought of before. Though not to replace session authentication, it probably would be in addition to it.

Putting in HTTP basic auth at the web server level is beneficial for a couple security reasons. One, it could prevent the exploitation of a security hole in the web interface code. Two, it could prevent a future vulnerability in PHP itself from being exploited.

Restricting access to the web interface by IP is the answer here, as the mentioned scenarios are largely to entirely irrelevant with properly-restricted access.

Actions

Copy link