Quoting Shinobi to Nuskooler <=-
I'm having a hard time understanding what this is attempting to solve?
Is the goal to authenticate against a BBS user (user/pass) from a
website?
Sorry about not being clear. The goal is to authenticate the user against
the web server. That means: when you log on to the BBS and then select
Doors from the menu, you should be dropped into a text browser. This
browser has to authenticate against the web server, and there shouldn't be
a need to log on once more to the web server.
The HTML file contains a form with BBS_KEY, BBS_SECRET and
username. - When the user is dropped into dumbed elinks the HTML file
This just exposed the key and secret.
This is to be done on the BBS side. The user won't have access to the form. That means, from the user's point of view: you log on to the BBS and select the application. That application runs a custom elinks and forwards you to
web pages with the username and shared secret.
What's running on the web server that requires the identity of the BBS user?
This just exposed the key and secret.
Yep.
Shared secrets aren't meant to be transmitted.
If the server just needs to identify the BBS as known in order to trust the user name, a unique key for each BBS it talks to is sufficient (assuming the server verifies the BBS key is valid). That's a basic form of authentication. There are a few problems
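
The point made above, that a shared secret should not be transmitted, sketched as an added example that is not part of the original thread: the BBS signs the user name with its per-BBS secret and sends only the signature, and the web server recomputes it. The field names, the 60-second window, the `BBS_SECRETS` table and all sample values are assumptions made up for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo data: per-BBS secrets as the web server would store them.
BBS_SECRETS = {"bbs-example-1": b"constructed-demo-secret"}
MAX_AGE = 60  # seconds a token stays valid (assumed value)
FIELDS = ("bbs_key", "username", "ts", "sig")


def _sign(secret, bbs_key, username, ts):
    # The timestamp is covered by the MAC so an old token cannot be re-dated.
    msg = "\n".join((bbs_key, username, ts)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_login_token(bbs_key, secret, username, now=None):
    """BBS side: build the form fields. The secret itself is never included."""
    ts = str(int(time.time() if now is None else now))
    return {"bbs_key": bbs_key, "username": username, "ts": ts,
            "sig": _sign(secret, bbs_key, username, ts)}


def verify_login_token(token, now=None):
    """Web server side: return the user name if the token is valid, else None."""
    if not all(isinstance(token.get(k), str) for k in FIELDS):
        return None
    secret = BBS_SECRETS.get(token["bbs_key"])
    if secret is None:                      # unknown BBS key
        return None
    try:
        ts = int(token["ts"])
    except ValueError:
        return None
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_AGE:             # stale token
        return None
    expected = _sign(secret, token["bbs_key"], token["username"], token["ts"])
    # Constant-time comparison of the received and recomputed signatures.
    if not hmac.compare_digest(expected.encode(), token["sig"].encode()):
        return None
    return token["username"]
```

A token stays replayable inside the validity window; making it single-use would need the server to remember signatures it has already accepted.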