[TIPS] Variables can be nested!
2014-04-26, 00:44
Post: #6
RE: [TIPS] Variables can be nested!
Actually, I found out a better way to do the server-side authentication:

Use Apache Rewrite rules to set:
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

Then I do the actual verification in CGI; e.g., in Perl:

if ($ENV{'HTTP_AUTHORIZATION'}) {
    # Client answered the challenge: parse the Digest header, redo the
    # MD5 hashing with the stored nonce and compare the response.
}
else {
    # First request from this client: create $servernonce, store it
    # server-side, and send the challenge.
    print "Status: 401 Unauthorized\n";
    print "WWW-Authenticate: Digest realm=\"ipxe\", nonce=\"$servernonce\"\n";
    print "Content-Type: text/plain\n\n401";
}

Since only one instance of each client can be booting at the same time, verification can easily be done by storing $servernonce, calculated in a certain way, on the server. Thus only one nonce is valid at a time for a specific client with IP X.

This means I can add and remove users (based on their access card details) on the server dynamically without having to fumble with .htaccess.


I also combined this with my idea.
So the username and password used to authenticate are calculated dynamically using two 10x10 tables; this takes 40 lines with "set" in the boot script to create two tables of 10x10 size.
Each row contains a value 0-9 that maps to a CARD ID DIGIT, each column maps to the PLACE IN ID (e.g. the first digit has 0, the second digit has 1 and so on), and the cell value is between 2 and 254, which is calculated using the "inc" command.

This makes it subsequently much harder to use Wireshark to listen in for the CARD IDs (125 kHz tags) of the users.

When the system is done, I will also compile a secret client password into the iPXE binary that is flashed into the BIOS, to make it even harder to authenticate as another user without using the card reader.
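The challenge-and-verify exchange described in the post above, as an added Python example (it is not the poster's Perl CGI and not iPXE project code). It keeps exactly one live nonce per client IP, as the post describes, and builds both sides of the exchange so the check can be run offline. The realm "ipxe" comes from the post; the user store, the sample IP and boot-script URI, the random nonce, the qop="auth" branch and consuming the nonce after a successful check are assumptions made here.

```python
"""HTTP Digest verification with one live nonce per client IP (added example)."""
import hashlib
import re
import secrets

REALM = "ipxe"  # realm used in the post's WWW-Authenticate header

# Assumed user store (constructed): card ID -> password the boot script derives.
USERS = {"0123456789": "secret-from-tables"}

# Server-side nonce table: client IP -> the single nonce currently valid for it.
_live_nonce = {}


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def challenge(client_ip):
    """Build the 401 that starts the exchange, replacing any earlier nonce for this IP."""
    nonce = secrets.token_hex(16)  # assumption: random nonce rather than a derived one
    _live_nonce[client_ip] = nonce
    headers = {
        "WWW-Authenticate": 'Digest realm="%s", nonce="%s"' % (REALM, nonce),
        "Content-Type": "text/plain",
    }
    return "401 Unauthorized", headers


_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest(header):
    """Turn 'Digest k="v", k2=v2' into a dict; quoted and bare values both occur."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(params)}


def digest_response(user, realm, password, method, uri, nonce, params):
    """RFC 2617 response value; the qop="auth" form adds nc and cnonce to the hash."""
    ha1 = md5("%s:%s:%s" % (user, realm, password))
    ha2 = md5("%s:%s" % (method, uri))
    if params.get("qop") == "auth":
        return md5("%s:%s:%s:%s:auth:%s" % (ha1, nonce, params["nc"], params["cnonce"], ha2))
    return md5("%s:%s:%s" % (ha1, nonce, ha2))


def verify(client_ip, method, uri, authorization):
    """True only for a Digest that matches this IP's live nonce and the user's password."""
    try:
        p = parse_digest(authorization)
    except ValueError:
        return False
    nonce = _live_nonce.get(client_ip)
    if nonce is None or p.get("nonce") != nonce or p.get("realm") != REALM:
        return False  # no outstanding challenge for this IP, or a nonce issued to another IP
    if p.get("uri") != uri:
        return False
    password = USERS.get(p.get("username", ""))
    if password is None:
        return False
    want = digest_response(p["username"], REALM, password, method, uri, nonce, p)
    ok = secrets.compare_digest(want, p.get("response", ""))
    if ok:
        del _live_nonce[client_ip]  # assumption: a nonce is good for one successful use
    return ok


def client_authorization(user, password, method, uri, www_authenticate):
    """What the booting client sends back (no qop, matching the post's challenge)."""
    p = parse_digest(www_authenticate)
    resp = digest_response(user, p["realm"], password, method, uri, p["nonce"], p)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"'
            % (user, p["realm"], p["nonce"], uri, resp))


if __name__ == "__main__":
    ip, uri = "10.0.0.5", "/boot.ipxe"  # constructed sample client and boot-script URI
    status, hdrs = challenge(ip)
    auth = client_authorization("0123456789", "secret-from-tables", "GET", uri,
                                hdrs["WWW-Authenticate"])
    print(status, "->", verify(ip, "GET", uri, auth))
    print("replay ->", verify(ip, "GET", uri, auth))
```

Because the server only compares against the nonce it last issued to that IP, a header captured on the wire is useless once the next boot's challenge goes out, and with the single-use rule above it is useless immediately after the first successful check. Note that Digest still sends the username in clear and only MD5-protects the password, which is why the post goes on to derive the credentials from tables rather than sending the card ID itself.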


Messages In This Thread
RE: [TIPS] Variables can be nested! - sebastian - 2014-04-26 00:44


