AuthDNS

Summary: Password-less authentication based on the visitor's IP address or (dynamic) hostname
Version: 20110603
Prerequisites: AuthUser
Status: Beta
Maintainer: Petko
Users: +2 -1
Discussion: AuthDNS-Talk
License: GPL3+

Description

The recipe automatically logs in a visitor coming from a specified IP address, from a range of IP addresses or from a specified DNS hostname, without the need to provide a password. It applies a username and/or user groups that will be managed by AuthUser.

The recipe is based on an earlier script by Oliver Betz.

A visitor coming from a predefined IP address will be automatically logged in. All other visitors will be redirected to the login form where they can log in with their usernames.

For use with Dynamic DNS, the recipe can resolve a list of hostnames. Since this is a slow operation, the list should be limited to a few entries.

Installation

Copy authdns.php to your cookbook directory (alt. download: authdns.php). Add the following line to config.php, before the line that includes authuser.php:

  include_once("$FarmD/cookbook/authdns.php");

Configuration

The list of known IP addresses and hostnames is in the page SiteAdmin.AuthDNS. The format is:

  # IP addresses and ranges
  192.168.0.2: id:Username @group1 @group2
  192.168.0.*: @group3 @group4

  # hostnames
  some-lan-host: id:OtherUser @group1
  foobar.dyndns.org: id:Boss @direction

A few things can be configured for the script in config.php.

  • $AuthDNS['page'] = 'SiteAdmin.AuthDNS'; The page with the address list.
  • $AuthDNS['EnableReverseDNS'] = 1; If set to 1 (default), the program will perform a reverse DNS lookup (IP=>hostname) and, if the hostname matches one from the list, it will be used. If it doesn't match a known hostname, all hostnames will be resolved to IP addresses (hostname=>IP) until one matches the current IP address.
    Set to 0 to disable the reverse DNS check, for example if your IPs never resolve to the required hostnames.
  • $AuthDNS['CheckAll'] = 1; If set to 1 (default), the program will check all hostnames from the list: for example, a subsequent hostname could add new user groups. If set to 0, it will stop once a match is found. Note that all IP addresses and IP ranges are always checked; this variable affects only hostnames.
  • $AuthDNS['CookieDays'] = 30; To speed up the checks, the program will store the successful hostname in a permanent cookie in the visitor's browser, and when the user comes again, this hostname will be checked first. This should improve the speed of the processing. You can disable the permanent cookie by setting this variable to 0.
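
The list format and the CheckAll behaviour described above, as an added example that is not code from authdns.php. The function names are hypothetical, and the example assumes that "*" stands for one whole octet, that the first matching id wins, and that hostnames are resolved forward only (hostname=>IP) through an injected resolver backed by a constructed table.

```php
<?php
// Added example, not code from authdns.php; function names are hypothetical.

// Parse the SiteAdmin.AuthDNS list format into rules.
function authdns_parse(string $text): array {
  $rules = [];
  foreach (preg_split('/\R/', $text) as $line) {
    $line = trim($line);
    if ($line === '' || $line[0] === '#') continue;          // blank or comment
    if (!preg_match('/^([^:\s]+):\s*(.*)$/', $line, $m)) continue;
    $id = null; $groups = [];
    foreach (preg_split('/\s+/', $m[2], -1, PREG_SPLIT_NO_EMPTY) as $tok) {
      if (strpos($tok, 'id:') === 0) $id = substr($tok, 3);
      elseif ($tok[0] === '@') $groups[] = $tok;
    }
    $rules[] = ['pattern' => $m[1], 'id' => $id, 'groups' => $groups];
  }
  return $rules;
}

// Match a visitor IP. Assumptions: "*" stands for one whole octet, the first
// matching id wins, and $resolve maps a hostname to a list of IPv4 addresses.
function authdns_match(string $ip, array $rules, callable $resolve, bool $checkAll = true): array {
  $id = null; $groups = []; $skipHosts = false;
  foreach ($rules as $r) {
    if (preg_match('/^[\d.*]+$/', $r['pattern'])) {          // IP or IP range
      $re = '/^' . str_replace('\*', '\d{1,3}', preg_quote($r['pattern'], '/')) . '$/';
      $hit = preg_match($re, $ip) === 1;
    } else {                                                 // hostname
      if ($skipHosts) continue;
      $hit = in_array($ip, $resolve($r['pattern']) ?: [], true);
      if ($hit && !$checkAll) $skipHosts = true;             // CheckAll = 0
    }
    if (!$hit) continue;
    $id = $id ?? $r['id'];
    $groups = array_merge($groups, $r['groups']);
  }
  return ['id' => $id, 'groups' => array_values(array_unique($groups))];
}

// Constructed sample: the list from this page plus a fake resolver table.
$list = "# IP addresses and ranges\n192.168.0.2: id:Username @group1 @group2\n"
      . "192.168.0.*: @group3 @group4\n# hostnames\n"
      . "some-lan-host: id:OtherUser @group1\nfoobar.dyndns.org: id:Boss @direction\n";
$dns = ['some-lan-host' => ['192.168.0.2'], 'foobar.dyndns.org' => ['203.0.113.7']];
$resolve = function (string $h) use ($dns) { return $dns[$h] ?? false; };

foreach (['192.168.0.2', '192.168.0.77', '203.0.113.7', '198.51.100.9'] as $ip)
  echo $ip, ' => ', json_encode(authdns_match($ip, authdns_parse($list), $resolve)), "\n";
```

Passing 'gethostbynamel' as $resolve makes the same code use real DNS lookups; an address that matches nothing returns a null id and no groups, which corresponds to the visitor being sent to the login form.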

The functions that convert between IP<->hostname are quite slow; each address can take several seconds. For the fastest processing:

  • set $AuthDNS['EnableReverseDNS'] = 0; if your IPs don't usually resolve to the hostnames you enter;
  • set $AuthDNS['CheckAll'] = 0;
  • don't disable the permanent cookie.

Usage

The recipe will be started when the wiki is requested with an action ?action=authdns. You can bookmark such a link, or you can add one in your SideBar or PageActions: [[{*$FullName}?action=authdns|Login]].

You can automatically log in all visitors with the following code in config.php:

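  # Start (or resume) the session so the AuthDNS session marker can be read.
  @session_start();
  # No AuthDNS marker in this session yet: send the visitor through
  # ?action=authdns, unless the request is already login, logout or authdns.
  if (!isset($_SESSION["AuthSessDNS"]))
    if (!preg_match('/^(login|logout|authdns)$/', $action))
      Redirect(ResolvePageName($pagename), '$PageUrl?action=authdns');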

Note that this can only be useful in 3 cases: (1) your full wiki is read-protected, (2) the wiki is on a LAN server, and all visitors are editors, or (3) you have a special configuration where PmWiki is the editing backend of a website with a different URL from the public website, and only editors go there.

Notes

When a user or a group has a fixed IP address, it is much faster to use this address in SiteAdmin.AuthDNS instead of a hostname. Checks on IP addresses and IP ranges are many times faster than DNS hostname checks.

Security note: the recipe relies on IP addresses and DNS hostnames, which are not always fixed and secure. A user may have authenticated with a dynamic DNS provider, but when the valid user is disconnected from the internet, DynDNS will continue to broadcast the last valid IP address. It is possible that a different person gets that last IP address while the valid user is offline. You should estimate whether this is a security risk.

Other notes:

  • The recipe works with standard IPv4 networks; the new IPv6 networks are not yet supported.
  • The recipe works with standard web servers like Apache or Nginx, which provide AuthDNS with the correct IP address of the visitor. Most servers do, but some very particular installations don't (e.g. the Standalone recipe, or some servers inside virtualization systems or behind proxies).

Change log / Release notes

  • 20110603 - first public release, ready to be tested.

Contributors

  • Petko is the maintainer of this recipe (5ko [snail] 5ko [period] fr). The recipe is based on an earlier script by Oliver Betz.

Comments

See discussion at AuthDNS-Talk
