Dead simple web authentication for a single user

Time: 2022-05-14 05:01:38

I wrote a small internal web app using (a subset of) pylons. As it turns out, I now need to allow a user to access it from the web. This is not an application that was written to be web facing, and it has a bunch of gaping security holes.

What is the simplest way I can make sure this site is securely available to that user, but no one else?

I'm thinking something like apache's simple HTTP authentication, but more secure. (Is OpenID a good match?)

There is only one user. No need for any user management, not even to change password. Also, I trust the user not to damage the server (it's actually his).

If it was for me, I would just keep it behind the firewall and use ssh port forwarding, but I would like to have something simpler for this user.

EDIT: Hmm... judging by the answers, this should have been on serverfault. If a moderator is reading this, consider migrating it.

3 solutions

#1


If there's only a single user, using a certificate would probably be easiest.

#2


How about VPN? There should be plenty of user-friendly VPN clients. He might already be familiar with the technology, since many corporations use them to grant workers access to the internal network while on the road.

#3


Basic HTTP authentication can be brute-forced easily by tools like Brutus. If his IP is static, you can allow his IP and deny all others with .htaccess.

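As an added example that is not part of the question or any of the answers: an Apache 2.4 virtual host in front of the pylons app that combines answer #1 (a client certificate issued to the one user) with answer #3 (an IP allowlist), so no password is exposed to guessing at all. The hostname, file paths, the IP address and the certificate CN are assumed placeholders.

```apache
# Added example, not from the question or any answer: Apache 2.4 vhost in
# front of the pylons app, combining answer #1 (a client certificate issued
# to the one user) with answer #3 (IP allowlist). Nothing password-based is
# exposed, so there is nothing for a tool like Brutus to guess.
# Hostname, paths, the IP and the certificate CN are placeholders.

<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Accept only certificates signed by a private CA of our own; that CA
    # has issued exactly one client certificate, to the single user.
    SSLCACertificateFile /etc/ssl/private-ca/ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location "/">
        <RequireAll>
            # Answer #3: the user's static address (documentation placeholder).
            # Remove this line if his address is not actually static.
            Require ip 203.0.113.10
            # Pin to the one issued certificate's subject CN, so a second
            # certificate from the same CA would still be refused.
            Require expr "%{SSL_CLIENT_S_DN_CN} == 'single-user'"
        </RequireAll>
    </Location>

    # The pylons app listens on loopback only and is never reachable directly.
    ProxyPass        "/" "http://127.0.0.1:5000/"
    ProxyPassReverse "/" "http://127.0.0.1:5000/"
</VirtualHost>

# Plain HTTP never serves the app; it only sends the browser to HTTPS.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent "/" "https://app.example.com/"
</VirtualHost>
```

Needs mod_ssl, mod_authz_core and mod_proxy_http loaded; the SSL_CLIENT_* variables used in the expression are only available when mod_ssl terminates the connection.
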