Authentication
By default, the Nagios CGIs rely on <a target="_blank" rel="nofollow" href="http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html">basic authentication</a>. Even though this is usually sufficient from a security perspective, it has some drawbacks. One is that it isn't possible to log out unless you use some third-party (Firefox) plugins/add-ons or simply close all browser instances. Maintaining users in htpasswd files isn't that <a target="_blank" rel="nofollow" href="http://en.wikipedia.org/wiki/POSH">posh</a> either - keeping user authentication data (login, password, etc.) in a database, on the other hand, is. Switching to LDAP or the like isn't a walk in the park either. Other means of authentication are what we need.<br /><br />Currently we use the <a target="_blank" rel="nofollow" href="http://docs.kohanaphp.com/addons/auth">Kohana Auth Module</a>, which is a driver-based authentication module using sessions. This will provide reasonably good authentication, with salted, hashed passwords stored in the database. As it is driver-based, we plan to extend it with LDAP support in the future. If we are lucky enough, the friendly guys over at Kohana will already have done this for us when we get this far on our journey ;-)<br /><br />The Auth module has support for authorization (roles), but since Nagios has its <a target="_blank" rel="nofollow" href="http://nagios.sourceforge.net/docs/3_0/cgiauth.html">own way</a> of configuring who will see and do what, we will probably stick with that to make things transparent to users who are already familiar with the Nagios concept.<br /><br />The current authentication implementation can be configured in the <code>config/auth.php</code> file. Today it is possible to change the default session lifetime, hash_method (defaults to sha1), salt pattern, driver, minimum username characters and maximum failed login attempts (default is false).
Even though the latter directive doesn't lock down an IP or whatever at the moment, it seemed like a good idea to include support for it from the start :)<br /><br />As mentioned before, this is work in progress and any input is highly appreciated.
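An added sketch (not Ninja's or Kohana's own code) of how a salt-pattern scheme like the one configured in config/auth.php can store and verify salted hashes. The pattern value and the function names are assumptions made for illustration; sha1 is the default hash_method the post names.

```php
<?php
// Added illustration, not Ninja's or Kohana's code. The pattern below is a
// constructed sample; a real deployment takes it from config/auth.php.
const SALT_PATTERN = [1, 3, 5, 9, 14, 15, 20, 21, 28, 30]; // assumed value
const HASH_METHOD  = 'sha1';                               // default named in the post

// Hash a password and hide one salt character at each offset in the pattern.
function hash_password(string $password, ?string $salt = null): string
{
    $n = count(SALT_PATTERN);
    // One salt character per offset; random_bytes() is a CSPRNG.
    $salt = $salt ?? substr(bin2hex(random_bytes($n)), 0, $n);
    $hash = hash(HASH_METHOD, $salt . $password);

    $stored = '';
    $last = 0;
    foreach (SALT_PATTERN as $i => $offset) {
        // Copy the hash up to this offset, then splice in the next salt character.
        $stored .= substr($hash, 0, $offset - $last) . $salt[$i];
        $hash = substr($hash, $offset - $last);
        $last = $offset;
    }
    return $stored . $hash; // append the remaining hash characters
}

// Recover the salt from a stored value: salt character i sits at offset + i.
function find_salt(string $stored): string
{
    $salt = '';
    foreach (SALT_PATTERN as $i => $offset) {
        $salt .= $stored[$offset + $i];
    }
    return $salt;
}

// Verify a login attempt by re-hashing it with the recovered salt.
function check_password(string $password, string $stored): bool
{
    if (strlen($stored) !== strlen(hash(HASH_METHOD, '')) + count(SALT_PATTERN)) {
        return false; // wrong length for this hash_method and pattern
    }
    // hash_equals() compares in constant time.
    return hash_equals($stored, hash_password($password, find_salt($stored)));
}

$stored = hash_password('constructed-sample-password');
var_dump(check_password('constructed-sample-password', $stored));
var_dump(check_password('wrong-guess', $stored));
```

Because the salt is recovered by position, changing the salt pattern or hash_method after accounts exist leaves the previously stored values unverifiable under this scheme.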

