Go Down

Topic: Password protect for arduino webserver? (Read 37546 times) previous topic - next topic

tubos

I would like that when i connect to my webserver i have
To enter a password before i can see the server.

Are There  any examples on how to do that?

primate

I think the easiest way might be to have your client send in a cookie that contains the username/password info and to have your web server refuse to respond unless the cookie clears verification ("session-based" auth). Principal-based authentication is not defined in the HTTP protocol (as far as I know), and usually such authentication is done through web pages. So short of using HTTP headers and cookies you will most likely have to extend the protocol to support these semantics yourself.

Just my 2 cents' worth of course.

pocketscience

You could do something cheap like using the password text as the page to redirect to... eg collect the password, append ".html" to it and try to redirect to it... eg user enters "fred", which is correct so you have a fred.html and your authentication page redirects to fred.html - otherwise the user will redirect to an unknown page and get a 404... depending on your requirements this might be enough... YMMV..

That's prolly only 1c worth.. ;-)


Cheers,
Is life really that serious...??!

tkbyd

A question to those who know more than I do...

Not "rigorous", but suppose I had a little web server, and wanted only me to be able to make it do it's thing.

Suppose the webserver's URL was "MyWS.com"

It would be easy (well, relatively!) to program it to respond only to, say...

MyWS.com?pw=MyPassword123

What avenues would be available to Bad Guys who wanted to find out how to get the web server to do whatever it is programmed to do when accessed with the extra bit?

pocketscience

"Bad Guys" typically exploit known bugs in particular server software (eg ISS) to get in. Because you're building a custom server it's going to be harder off the bat for them to exploit known bugs because they'll be working blind. You'd need to make sure your code handles buffer overruns (ie really parameters etc) as they are a nice avenue to exploit.

Also a lot of the "Bad Guys" are just script-kiddies following how-to's - and if the results deviate from what they expect they'll move on to an easier target.


Cheers,
Is life really that serious...??!


robtillaart

"Bad guys" might also do a man in the middle attack and intercept the unencrypted password string :(
Rob Tillaart

Nederlandse sectie - http://arduino.cc/forum/index.php/board,77.0.html -
(Please do not PM for private consultancy)

arian

#7
Aug 18, 2011, 11:55 am Last Edit: Aug 18, 2011, 12:00 pm by arian Reason: 1
It's true. Bad guys can do many things. Arudino is too poor to handle asymmetric crypto, but some sort of response-challenge algorithm could fit :)

robtillaart

Quote
but some sort of response-challenge algorithm could fit
Definitely :)
Rob Tillaart

Nederlandse sectie - http://arduino.cc/forum/index.php/board,77.0.html -
(Please do not PM for private consultancy)

zoomkat

One of the best ways to generally keep the bad guys away is to not publically post links to your server. If your server handles something sensitive, you probably need to go with a pc server with built in security features. What level of security do you need?
Google forum search: Use Google Advanced Search and use Http://forum.arduino.cc/index in the "site or domain:" box.

Wagner Sartori Junior

It's not difficult to implement "Basic Access Authentication".

From wikipedia:
Client request (no authentication):
Code: [Select]

GET /private/index.html HTTP/1.1
Host: localhost

(followed by a new line, in the form of a carriage return followed by a line feed).

Server response:
Code: [Select]

HTTP/1.1 401 Authorization Required
Server: HTTPd/1.0
Date: Sat, 27 Nov 2004 10:18:15 GMT
WWW-Authenticate: Basic realm="Secure Area"
Content-Type: text/html
Content-Length: 311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML>
 <HEAD>
   <TITLE>Error</TITLE>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
 </HEAD>
 <BODY><H1>401 Unauthorized.</H1></BODY>
</HTML>


Client request (user name "Aladdin", password "open sesame"):
Code: [Select]

GET /private/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==


You will need the https://github.com/adamvr/arduino-base64 library and to hack http://arduino.cc/en/Tutorial/WebServer to answer HTTP response 401, and wait for authentication data.

Yes, it's not secure(base64 is easily encoded, decoded). A more secure way to do this is using "Digest Access Authentication" and you'll need a MD5 hash library. Need more hacks also but could be done on arduino.

arian

#11
Aug 18, 2011, 10:50 pm Last Edit: Aug 18, 2011, 10:52 pm by arian Reason: 1

Sure, but it will not protect you against man in the middle attack. Simple form will do the same thing :)

tubos

I would like to control some home equipment connected to my
arduino on or off. High security wont be necessary.

I still have no idea how to implement the basic authenticiation in a sketch.

Wagner Sartori Junior

I'll try to implement this next week. I keep you informed!


Go Up