OS user authentication in a Node.js app on Linux
Authentication is about making sure your users are who they say they are.
You also need a method for users to access the system that both identifies them and restricts their privileges to what they need. Finally, it is recommended that you use a security mechanism such as a password or operating system account so access isn’t open to anyone who tries.
What is Operating System Authentication?
Operating system authentication recognizes a user as logged in to the OS and waives the password requirement. Operating system authentication can be especially useful when you have an application that requires a login to run a program. Say a job runs every night to generate reports and deposits them into a directory.
Here are some advantages I see of OS authentication:
- Without OS authentication, passwords must be stored in a variety of applications, each with its own security model and vulnerabilities.
- Users who only have to remember one domain password can be made to create more secure domain passwords more easily than they can be made to create even less secure application passwords as the number of different applications they must connect to increases.
How can I check OS-level credentials in a node app?
You should use authentication services like LDAP or Kerberos to achieve this goal.
The Joyent LDAP client (ldap.js) is a good fit if you choose LDAP as the backend service.
Adding this functionality is quite easy:
var ldap = require('ldapjs');
// Create a client for the directory server
var client = ldap.createClient({
  url: 'ldap://127.0.0.1:1389'
});
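Creating the client does not yet check anyone's password; with LDAP that is done by binding as the user. The following added example (not code from the original post or from ldapjs) shows such a check with two guards a bind-based login needs: escaping the user name before it goes into the DN, and refusing empty passwords. `BASE_DN`, the `uid=` naming attribute and the function names are assumptions.

```javascript
// Added example: password check through an LDAP simple bind.
// Assumptions: users live under BASE_DN and are named by uid=.
var BASE_DN = 'ou=people,dc=example,dc=com';

// Escape a value for use inside a DN (RFC 4514): special characters,
// NUL, a trailing space, and a leading '#' or space.
function escapeDnValue(value) {
  var out = String(value)
    .replace(/[\\,+"<>;=]/g, '\\$&')
    .replace(/\0/g, '\\00');
  out = out.replace(/ $/, '\\ ');        // trailing space first
  return out.replace(/^([# ])/, '\\$1'); // then leading '#' or space
}

// Build the bind DN so that user input can never add RDN components.
function buildUserDn(username) {
  return 'uid=' + escapeDnValue(username) + ',' + BASE_DN;
}

// client: any object with bind(dn, password, callback), such as the one
// returned by ldap.createClient(). cb receives (err, authenticated).
function authenticate(client, username, password, cb) {
  // A simple bind with an empty password is an "unauthenticated bind"
  // (RFC 4513 section 5.1.2) and many servers answer it with success,
  // so it must never be sent as a login attempt.
  if (typeof username !== 'string' || username.length === 0 ||
      typeof password !== 'string' || password.length === 0) {
    return cb(null, false);
  }
  client.bind(buildUserDn(username), password, function (err) {
    // Fail closed: any bind error means "not authenticated", and the
    // caller is not told whether the user or the password was wrong.
    cb(null, !err);
  });
}
```

In the application, pass the `client` created above, and use an `ldaps://` URL so the password is not sent in clear text.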
documentation: Joyent LDAP client
Less used than LDAP, but equally effective, is the Kerberos authentication method.
The Passport Kerberos client (passport-kerberos) can be added to your application as simply as:
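var passport = require('passport');
// Assumption: the strategy is exported as .Strategy, the usual Passport convention
var KerberosStrategy = require('passport-kerberos').Strategy;
var REALM = "EXAMPLE.COM";

// User is your application's user model
passport.use(new KerberosStrategy(
  function(username, done) {
    // Look up the local account for the principal name
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) { return done(null, false); }
      return done(null, user, REALM);
    });
  }
));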
documentation: Passport Kerberos client
Wrapping up
These are "de facto" standards nowadays. You may use other services like FreeIPA (node-freeipa), but LDAP would be the suggested path. In my experience, OpenLDAP is really easy to use.
Otherwise, you will need to develop a custom PAM integration, like the node-authenticate-pam project.
Like this:
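var pam = require('authenticate-pam');
// 'myusername' and 'mysecretpassword' are placeholders for the
// credentials submitted by the user
pam.authenticate('myusername', 'mysecretpassword', function(err) {
  if (err) {
    // Authentication failed or PAM returned an error
    console.log(err);
  }
  else {
    console.log("Authenticated!");
  }
});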
repo: node-authenticate-pam GitHub repository
Note: This project is not being maintained anymore, but the materials here will help you to achieve your goal.