ATTACHMENT: BBS WEB AUTHENTICATION PROPOSAL
The html file contains form with BBS_KEY, BBS_SECRET and
username. - When the user is dropped into dumbed elinks the html file is
I'm having a hard time understanding what this is attempting to solve?
Is the goal to authenticate against a BBS user (user/pass) from a
website?
The html file contains form with BBS_KEY, BBS_SECRET and
username. - When the user is dropped into dumbed elinks the html file
This just exposed the key and secret.
If it's what I *think* you're attempting (Q: above), then you need a non-unique HTML form that *only* collects username/password for a BBS user. The form submits to a *server* side component. The server side can
This allows a crypto-secure token to be generated and sent in to the auth provider (your server that talks to the BBS) and includes an ID (public_key) unique for the creds. Of course in this case you also need the plain-text creds for the BBS, so the final payload could be e.g.: auth={user:$USER,pass:$PASS,key:$KEY,token:$HMAC}
What's running on the web server that requires the identity of the BBS user?
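The auth={user,pass,key,token} payload from the post above, as an added example that is not code from the thread or its participants. It assumes HMAC-SHA256 over a JSON-array serialization of the fields; build_auth, verify_auth and BBS_SECRETS are hypothetical names, and the key and secret values are constructed samples.

```python
import hashlib
import hmac
import json

# Constructed sample: key id -> shared secret. Held only by the two servers,
# never placed in the HTML form or sent over the wire.
BBS_SECRETS = {"bbs-key-001": b"constructed-sample-secret"}


def _message(user: str, password: str, key: str) -> bytes:
    # A JSON array keeps field boundaries unambiguous, so ("ab", "c") and
    # ("a", "bc") can never produce the same MAC input.
    return json.dumps([user, password, key], separators=(",", ":")).encode()


def build_auth(user: str, password: str, key: str, secret: bytes) -> dict:
    """Runs in the server-side component that receives the form post."""
    token = hmac.new(secret, _message(user, password, key), hashlib.sha256).hexdigest()
    # Only the key id and the MAC travel; the secret stays on the server.
    return {"user": user, "pass": password, "key": key, "token": token}


def verify_auth(auth: dict, secrets: dict = BBS_SECRETS) -> bool:
    """Runs on the auth provider (the server that talks to the BBS)."""
    try:
        user, password = auth["user"], auth["pass"]
        key, token = auth["key"], auth["token"]
    except (KeyError, TypeError):
        return False  # malformed payload
    if not all(isinstance(v, str) for v in (user, password, key, token)):
        return False
    secret = secrets.get(key)
    if secret is None:
        return False  # key id not issued to any known BBS
    expected = hmac.new(secret, _message(user, password, key), hashlib.sha256).hexdigest()
    # Constant-time comparison does not leak how much of the token matched.
    return hmac.compare_digest(expected.encode(), token.encode())
```

The plain-text credentials are still in the payload, so it has to travel over TLS between the two servers.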
This just exposed the key and secret.
Yep.
Shared secrets aren't meant to be transmitted.
If the server just needs to identify the BBS as known in order to trust the user name, a unique key for each BBS it talks to is sufficient (assuming the server verifies the BBS key is valid). That's a basic form of authentication. There are a few problems