Authenticate by IP?

Is it possible for Matrix to authenticate users by the IP they are browsing from?
eg.



User at this static IP ------> browse to _edit or _admin -------> automatically authenticated to a specific account

It is not currently possible to do this, no. It's also a massive security hole – spoofing a source IP address is fairly trivial these days.

Yeah that was my thought too, thanks for clearing that up.

What about for just read access? I have got the User IP condition to work with a user. But is it possible to restrict the user by IP but have them auto-authenticate (without logging in)?

[quote]What about for just read access? I have got the User IP condition to work with a user. But is it possible to restrict the user by IP but have them auto-authenticate (without logging in)?[/quote]



You can do this with the Public User: Create an IP Restriction for the Public User so that they only belong to a specific group when they come from a particular IP range. Then, assign that group Read permission to the assets in question.



Note that this will not work if MySource Matrix is behind a reverse proxy (like Squid) as it will always just see the Squid IP address.

[quote]Note that this will not work if MySource Matrix is behind a reverse proxy (like Squid) as it will always just see the Squid IP address.[/quote]

Is there a way around this (some other header in Squid that could be checked, for example)?

[quote]Is there a way around this (some other header in Squid that could be checked, for example)?[/quote]



Currently, no. Some reverse proxies do provide an “X-Forwarded-For” header that could potentially be used, but that would also most likely be a massive security hole unless handled very, very carefully. Again, HTTP headers are very trivial to spoof.



Source IP addresses are not a particularly secure mechanism to use for automatic authentication due to the trivial nature of spoofing that information.
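As an added illustration of the "handled very, very carefully" caveat above (this is example code, not part of the thread or of MySource Matrix): the only safe way to use X-Forwarded-For is to believe it solely when the immediate peer is a reverse proxy you operate, walking the chain from the right and stopping at the first hop you do not trust. The proxy address and the allowed intranet range below are constructed assumptions.

```python
import ipaddress

# Constructed: the one reverse proxy (e.g. Squid) whose X-Forwarded-For we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr):
    """True only for a syntactically valid address inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff):
    """The unsafe pattern: take the leftmost X-Forwarded-For entry at face value.
    Any client can put whatever it likes there, so this is spoofable by design."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff):
    """Resolve the client address, trusting the header only via trusted proxies.

    Starting from the TCP peer, each trusted proxy hop is replaced by the entry it
    appended (the rightmost remaining one). The first untrusted hop is the answer;
    entries to its left were supplied by untrusted parties and are ignored."""
    chain = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = remote_addr
    while chain and _is_trusted(candidate):
        candidate = chain.pop()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return remote_addr  # malformed hop: fall back to what the socket saw
    return candidate


def allowed_by_ip(remote_addr, xff, allowed_ranges):
    """The 'IP Restriction on the Public User' idea: grant the read-only group only
    when the resolved client address falls inside an allowed range."""
    ip = ipaddress.ip_address(client_ip(remote_addr, xff))
    return any(ip in ipaddress.ip_network(r) for r in allowed_ranges)
```

Note that a transparent ISP proxy (the TPG case later in the thread) is an untrusted peer, so its header is ignored and the proxy's own address is what gets checked, which is exactly why those users fail the restriction.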

Any ideas what could be causing all static IPs that use TPG as a provider to fail to authenticate against the IP restrictions properly, when all other ISPs are able to authenticate properly?

[quote]Any ideas what could be causing all static IPs that use TPG as a provider to fail to authenticate against the IP restrictions properly, when all other ISPs are able to authenticate properly?[/quote]



If TPG do transparent proxying (i.e. unknown to the user) then the IP address will change en route from the user to your server. You should check the Apache access_log to see what IP addresses are visible to your MySource Matrix server.

I found out that TPG do use a transparent proxy, so this is changing their IP address. So the IP authentication will not work properly with accounts on TPG.

[quote]I found out that TPG do use a transparent proxy, so this is changing their IP address. So the IP authentication will not work properly with accounts on TPG.[/quote]



There are several large ISPs that do this, particularly for residential accounts. I know that Bigpond usually do this too.



Avi et al. - we have talked about this before but I am hoping to find a solution for our Intranet issue. I would like to consider moving our entire intranet into MySource. I am getting very nervous about the type of content being published on our sites. I suspected the IP restriction would be quite vulnerable (has anything changed on that front?), however, 2-factor authentication integration is something I think the entire MySource Matrix community would benefit from...

Here's how I see it working.

Admin

  • permissions are applied to page X for User Group Y
  • When content is restricted to User Group Y - somehow polls the RSA server to match the passcode
  • When accessing the site from outside our firewall, the user would be presented with a login screen that also prompted for an RSA passcode. A user would not necessarily need to enter a passcode, but if they did enter a passcode as per RSA authentication then the user would be presented with content that is restricted to User Group Y
  • When accessing from behind the firewall, the user is automatically authenticated - a whole other ballgame I know!!




Thoughts/advice before I investigate further with our account manager?


http://www.rsa.com/node.aspx?id=2800

Proper RSA integrated authentication would most likely require development. Essentially, it would probably involve extending/changing the login form to require a passcode instead of a password and then authenticating against the RSA server. No advice except that you will need existing RSA infrastructure for this (obviously!).


Having said that, we could possibly integrate with the RSA Apache module because Matrix v3.16.2 supports HTTP-based authentication. You would need to secure this with HTTPS though.



You could also look at Single Sign-On solutions using authenticating proxy servers.

OK, thanks Avi. Just talked to Mel and I am going to come up with a detailed spec/wishlist in the new year to get a firm quote on this.


Cheers,



Pat