DNSauth

Summary: Authentication by (dynamic) DNS or IP address
Version: 2010-01-07
Prerequisites:
Status: superseded by AuthDNS
Maintainer: OliverBetz
Discussion: DNSauth-Talk
Categories: Security

Questions answered by this recipe

How can I authenticate against a "dynamic DNS" entry?

Description

This recipe resolves a list of hostnames and checks whether any of them matches the remote IP address.

It grants access to a person or workgroup with dialup / DSL internet access and some kind of "dynamic DNS" account, without a manual login.

Since you can't use reverse DNS with dynamic DNS, PmWiki has to resolve the whole list of hostnames and check whether REMOTE_ADDR matches.

To avoid repeated DNS queries, the resulting access rights are stored in the $_SESSION information.

Since I'm a PHP / PmWiki novice and I'm not sure whether I used the correct method to add an authentication, I don't provide a file for download but ask for review of the code:

<?php if (!defined('PmWiki')) exit();

@session_start();
if(!isset($_SESSION['DNSauth'])){
  $_SESSION['DNSauth'] = '';
  $remoteip = preg_quote($_SERVER['REMOTE_ADDR']);      # quote '.' to make search pattern
  $remoteip = preg_replace('/\\d+$/', '($0\\b|\\*)', $remoteip); # same procedure as in blocklist

  $page = ReadPage($DNSauthPage, READPAGE_CURRENT);     # get IP addresses and host names
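  # one "address:auth" entry per line; '-' is allowed so that hyphenated host names parse
  if ($page && preg_match_all("/^\\s*([-\\*\\.\\w]*):\\s*([\\@\\w]*)/m", $page['text'], $matches, PREG_SET_ORDER)) {
    foreach($matches as $m) {
      # anchored: only a complete dotted quad (last octet may be '*') counts as an IP address
      if(preg_match("/^\\d+\\.\\d+\\.\\d+\\.(\\d+|\\*)$/",$m[1])){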
        $hostip = $m[1]; # is already IP address
      }
      else {
        $hostip = " " . gethostbyname($m[1]); # is a hostname - resolve it
      }
      if(preg_match("/\\b$remoteip/", $hostip)){
        $_SESSION['DNSauth'] = "$m[2]";
        SessionAuth($pagename, array('authlist' => array($m[2] => '1')));
      }
    }
  }
}

$FmtPV['$DNS'] = "htmlentities(stripmagic(\$_SESSION['DNSauth']))"; # debug information

?>

Include the recipe before calling authuser.php

Before including the code, use something like

 $DNSauthPage = 'SiteAdmin/DNSallow';

to set the page with the authentication entries.

In this page, use entries for host names or IP addresses and the resulting authentication in the format "address:auth" or "hostname:auth", e.g.:

 "foobar.dyndns.org:someuser"
 "foobaz.dynamip.com:@office1"
 "1.2.3.4:otheruser"
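
The matching step described above, rewritten as a stand-alone function that compares addresses exactly instead of building a regex from REMOTE_ADDR, and that checks every A record of a host name (via `gethostbynamel` in production) rather than the single address `gethostbyname` returns. This is an added example, not the recipe's code; `dnsauth_match()`, the `$resolve` callback, the `10.0.0.*:@lan` entry and the stubbed DNS data are assumptions made up for illustration.

```php
<?php
// Added example, not part of the DNSauth recipe: the allow-list matching as a
// pure function, runnable from the command line without PmWiki.
// dnsauth_match() and the $resolve parameter are hypothetical names.

/**
 * Return the auth ids whose "address:auth" entry matches $remoteIp.
 * $resolve maps a host name to a list of IPv4 strings, or false on failure;
 * in production this would be 'gethostbynamel'.
 */
function dnsauth_match(string $pageText, string $remoteIp, callable $resolve): array
{
    $granted = [];
    // One entry per line: host name or IPv4 (last octet may be '*'), ':' and the auth id.
    if (!preg_match_all('/^\s*([-*.\w]+):\s*([@\w]+)/m', $pageText, $entries, PREG_SET_ORDER)) {
        return $granted;
    }
    foreach ($entries as [, $address, $auth]) {
        if (preg_match('/^(\d+\.\d+\.\d+\.)(\d+|\*)$/', $address, $ip)) {
            // Literal address: '*' as last octet matches the whole /24, otherwise compare exactly.
            $hit = $ip[2] === '*'
                ? strncmp($remoteIp, $ip[1], strlen($ip[1])) === 0
                : $remoteIp === $address;
        } else {
            // Host name: compare against every A record; a failed lookup grants nothing.
            $ips = $resolve($address);
            $hit = is_array($ips) && in_array($remoteIp, $ips, true);
        }
        if ($hit) {
            $granted[$auth] = true;
        }
    }
    return array_keys($granted);
}

// Constructed sample data: allow-list text and a stub resolver standing in for DNS.
$page = "foobar.dyndns.org:someuser\nfoobaz.dynamip.com:@office1\n1.2.3.4:otheruser\n10.0.0.*:@lan\n";
$dns  = ['foobar.dyndns.org' => ['203.0.113.7']];   // foobaz.dynamip.com does not resolve
$stub = fn(string $host) => $dns[$host] ?? false;

// Covers a resolved host, an exact IP, a near-miss (1.2.3.45), a wildcard and an unknown client.
foreach (['203.0.113.7', '1.2.3.4', '1.2.3.45', '10.0.0.9', '198.51.100.1'] as $ip) {
    printf("%-13s => %s\n", $ip, implode(', ', dnsauth_match($page, $ip, $stub)) ?: '(no access)');
}
```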

Release Notes


  • 2009-05-26 request for review
  • 2010-01-07 removed session_write_close() - not needed

See Also

Published first here in the mailing list.

Contributors

OliverBetz

Comments

See discussion at DNSauth-Talk
