Tag: authentication

Learning – Fat-Free PHP Framework (Bootstrap & Authentication)

Learning - Fat-Free PHP Framework (Bootstrap & Authentication)

Bootstrap & Authentication

Bootstrap

Front design, https://getbootstrap.com, includes CCS, Components, etc.

Getting start has examples, sign in page can be downloaded as well.

Bootstrap CDN - Content delivery network online

Content to be included

Include css into the head tag of the page

<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">

Include the java script just before the closing of body tag

<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>

Create structure for login page

  • Create app/views/login.htm

  • Create app/models/User.php

  • Create app/controllers/UserController.php

  • Create app/css/signin.css or a static folder for this

  • Copy bootstrap login sample html to login.htm

  • Copy bootstrap login sample css to signin.css

Create page

  • Clean up login.htm

  • Create UserController.php

class UserController extends Controller {
    function render() {
        $template = new Template;

        echo $template->render('login.htm');
    }
}
  • Update routes.ini

Add

GET /login=UserController->render

The login page built as https://localhost:8088/login

Customize login page

Remove Remember me and change variable names, and name attribute for input fields

Authentication

Update routes.ini

Add following line

POST /authenticate=UserController->authenticate

Update form in login.htm

<form class="form-signin" method="POST" action="/authenticate">

Create table

Create table user with id, username, password.

Create password

$ php -a
echo password_hash('f3password', PASSWORD_DEFAULT);
$2y......

Add user and password

Add an user with username=f3user and the password=$2y......

Create model for user

Create User.php by modifying Messages.php

class User extends DB\SQL\Mapper {
    public function __construct(DB\SQL $db) {
        parent::__construct($db, 'user');
    }

    public function getByName() {
        $this->load(array('username=?', $name));
    }

    public function all() {
        $this->load();
        return $this->query;
    }

    ...

*Note: Function all() can be used to assign to a variable, getByName() is return the object itself.

Add authenticate function in UserController class

function authenticate() {
    $username = $this->f3->get('POST.username');
    $password = $this->f3->get('POST.password');

    $user = new User($this->db);
    $user->getByName($username);

    if ($user->dry()) {
        // echo 'User does not exist.';
        $this->f3->reroute('/login')
    }

    if (password_verify($password, $user->password)) {
        // echo 'password OK';
        $this->f3->reroute('/');
    }
    else {
        // echo 'password NOT OK';
        $this->f3->reroute('/login')
    }
}

Note: dry() is db function.

Create session

Look for Fat-Free Session Handler

  • Enable cache

Add following line in config.ini

CACHE=true
  • Update index.php
...
new Session();

$f3->run();
  • Add following line in function authenticate in UseController class
if (password_verify($password, $user->password)) {
    $this->f3->set('SESSION.user', $user->usename)'
    $this->f3->reroute('/');
}

Update function beforeroute in Controller class

function beforeroute() {
    if ($this->f3->get('SESSION.user') === null) {
        $this->f3->reroute('/login');
        exit;
    }
}

Update UserController class

Because this update is in Controller class, so every page will go thru the verification. To ignore this behavior for login.htm, update UserController class. Adding following empty function to overwrite beforeroute()

function beforeroute() {
}

References

Adding Bootstrap and User Authentication to Fatfree PHP MVC Project

More secure but easy ways to access SSH server

More secure but easy ways to access SSH server

Except User name and Password, which is hard to remember if you don't want others guess it easily, there are other easy ways to protect SSH server.

Public Key

Steps

This is most a simple way, just generate a pair of key,

ssh-keygen

If need more secure, generate 4096 bit RSA key

ssh-keygen  -t rsa -b 4096

Then inject public key in .ssh/id_rsa.pub into remote .ssh/authorized_keys

Cons

  • Needs to perform for every user
  • Needs to inject public keys of clients into all target servers
  • No expiration

Signed Certificate

Steps

Refer to Signed SSH Certificates using Hashicorp Vault in Practice

  • Use free software, hashicorp vault to manage signed certificate.

  • Inject trusted CA key retrieved from vault into target SSH server configure,

  • Use authorized token and client private key to generate short life signed certificate

  • Use signed certificate and client private key login to target server

Note: Only need normal token to generate signed certificate

  • Authorized token can be renewed (replaced) after used

Pros

  • Token never reach Internet, and it can be renewed (replaced) any time
  • Signed certificate has short life

Cons

Need to save a token

2FA

Steps

Refer to Enable 2FA for Ubuntu

Pros

  • Only need a 2FA software, and adding digits after key in password
  • Short life of digits

LDAP or Kerberos

Instead of all servers maintain their own password, passwords are centrally managed by authentication server.

Cons

  • Every server needs connection to authentication server
  • Cannot login if lost connection to authentication server
  • All servers are using same password

One time password

Retrieve password from authentication server, then use it to login to remote server.

Remote server will use it to verify against authentication server.

Cons

  • Every server needs connection to password server
  • Cannot login if lost connection to password server