    How to let only customers download files with wget/curl?

    • 1337

      I want to let customers update certain files on their systems by using wget/curl to our servers (https).
      But I can't let those files be available to everybody. It's not for an open source project.

      I'm pretty sure I can come up with something that works but if there is a common way to do it, I'd rather do that.
      So is there a standardized way of doing this?

      • Obsolesce

        Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

        • stacksofplates @Obsolesce

          @Obsolesce said in How to let only customers download files with wget/curl?:

          Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

          Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

          Just curl -u 'user:pass' https://mything.com/files

          Wget is --user and --password

          • 1337 @stacksofplates

            @stacksofplates said in How to let only customers download files with wget/curl?:

            @Obsolesce said in How to let only customers download files with wget/curl?:

            Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

            Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

            Just curl -u 'user:pass' https://mything.com/files

            Wget is --user and --password

            Does using digest auth make it better? Perhaps I don't have to put the password in clear text that way.

            • DustinB3403 @1337

              @Pete-S using SSL is the first step before you start looking at measures for passing credentials with web traffic

              • stacksofplates @1337

                @Pete-S said in How to let only customers download files with wget/curl?:

                @stacksofplates said in How to let only customers download files with wget/curl?:

                @Obsolesce said in How to let only customers download files with wget/curl?:

                Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

                Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

                Just curl -u 'user:pass' https://mything.com/files

                Wget is --user and --password

                Does using digest auth make it better? Perhaps I don't have to put the password in clear text that way.

                I would say digest isn't any better. With basic auth, yes you send the creds across the wire, but I believe digest still requires MD5 hashing.

                This is going to depend a lot on what your server allows (if you're not writing an API from scratch) and the pain for your clients.

                A JWT is better (or some other type of bearer token) but it's extra work for your clients if they're using just curl or wget.

                • stacksofplates @1337

                  @Pete-S said in How to let only customers download files with wget/curl?:

                  @stacksofplates said in How to let only customers download files with wget/curl?:

                  @Obsolesce said in How to let only customers download files with wget/curl?:

                  Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

                  Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

                  Just curl -u 'user:pass' https://mything.com/files

                  Wget is --user and --password

                  Does using digest auth make it better? Perhaps I don't have to put the password in clear text that way.

                  Do you mean clear text on the wire or clear text on the cli?

                  • 1337 @stacksofplates

                    @stacksofplates said in How to let only customers download files with wget/curl?:

                    @Pete-S said in How to let only customers download files with wget/curl?:

                    @stacksofplates said in How to let only customers download files with wget/curl?:

                    @Obsolesce said in How to let only customers download files with wget/curl?:

                    Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

                    Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

                    Just curl -u 'user:pass' https://mything.com/files

                    Wget is --user and --password

                    Does using digest auth make it better? Perhaps I don't have to put the password in clear text that way.

                    I would say digest isn't any better. With basic auth, yes you send the creds across the wire, but I believe digest still requires MD5 hashing.

                    This is going to depend a lot on what your server allows (if you're not writing an API from scratch) and the pain for your clients.

                    A JWT is better (or some other type of bearer token) but it's extra work for your clients if they're using just curl or wget.

                    My idea on the client side is that it has to be done with standard tools available on basically every linux distro such as wget, curl etc. Basically a couple of lines that an admin could copy & paste into ssh from instructions.

                    If you have to enter a password / username somewhere it should only need to be done once.

                    Besides basic and digest authentication I also had a look at SSL/TLS client certificates. I didn't know about that but it's been around for a long time. Basically the server is authenticated by the server certificate and in the same manner the client can be authenticated by the client certificate.

                    The webserver would then have to verify that the client has a valid SSL certificate and is allowed to download whatever file it is.

                    • 1337 @stacksofplates

                      @stacksofplates said in How to let only customers download files with wget/curl?:

                      @Pete-S said in How to let only customers download files with wget/curl?:

                      @stacksofplates said in How to let only customers download files with wget/curl?:

                      @Obsolesce said in How to let only customers download files with wget/curl?:

                      Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

                      Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

                      Just curl -u 'user:pass' https://mything.com/files

                      Wget is --user and --password

                      Does using digest auth make it better? Perhaps I don't have to put the password in clear text that way.

                      Do you mean clear text on the wire or clear text on the cli?

                      CLI. Using https I assume everything is encrypted on the line.

                      • 1337 @DustinB3403

                        @DustinB3403 said in How to let only customers download files with wget/curl?:

                        @Pete-S using SSL is the first step before you start looking at measures for passing credentials with web traffic

                        Yes, I mentioned https in my post so that was what I had in mind.

                        • scottalanmiller

                          Not sure if this works for you as this falls under the "not solving your problem but just proposing something else" category, but we deal with this commonly and solve it by just using SSH/SFTP. It's not wget/curl, but it's super simple and standard.

                          • stacksofplates @1337

                            @Pete-S said in How to let only customers download files with wget/curl?:

                            @stacksofplates said in How to let only customers download files with wget/curl?:

                            @Pete-S said in How to let only customers download files with wget/curl?:

                            @stacksofplates said in How to let only customers download files with wget/curl?:

                            @Obsolesce said in How to let only customers download files with wget/curl?:

                            Some sort of authentication is the only way if the app doesn't support built in updating of some kind.

                            Yeah as @Obsolesce said auth is prob best. Basic auth would be the easiest.

                            Just curl -u 'user:pass' https://mything.com/files

                            Wget is --user and --password

                            Does using digest auth make it better? Perhaps I don't have to put the password in clear text that way.

                            I would say digest isn't any better. With basic auth, yes you send the creds across the wire, but I believe digest still requires MD5 hashing.

                            This is going to depend a lot on what your server allows (if you're not writing an API from scratch) and the pain for your clients.

                            A JWT is better (or some other type of bearer token) but it's extra work for your clients if they're using just curl or wget.

                            My idea on the client side is that it has to be done with standard tools available on basically every linux distro such as wget, curl etc. Basically a couple of lines that an admin could copy & paste into ssh from instructions.

                            If you have to enter a password / username somewhere it should only need to be done once.

                            Besides basic and digest authentication I also had a look at SSL/TLS client certificates. I didn't know about that but it's been around for a long time. Basically the server is authenticated by the server certificate and in the same manner the client can be authenticated by the client certificate.

                            The webserver would then have to verify that the client has a valid SSL certificate and is allowed to download whatever file it is.

                            A common thing to do is export your creds as env vars. You can even store them in a script with the export commands in the script and just source that script. Then just use -u $user:$pass and that means you have to only do it once.

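Added example, not written by any poster in this thread: the thread asks how to enter the credentials only once and keep the password off the command line. One way is a netrc file with owner-only permissions, which curl reads via `--netrc-file` and wget reads from `~/.netrc`. The function names, file paths and sample credentials are assumptions; `mything.com` is the placeholder host used above.

```shell
#!/bin/sh
# Added example: keep download credentials in a netrc file instead of
# passing them as command-line arguments.

# write_netrc FILE HOST USER   (password is read from stdin, not from argv)
# Creates FILE with mode 0600 and a single netrc entry for HOST.
write_netrc() {
    file=$1 host=$2 user=$3
    IFS= read -r pass
    old_umask=$(umask)
    umask 077                      # new file is owner-only from the start
    printf 'machine %s login %s password %s\n' "$host" "$user" "$pass" > "$file"
    umask "$old_umask"
    chmod 600 "$file"              # also tightens a pre-existing file
}

# netrc_mode FILE -> prints the octal permission bits (GNU or BSD stat)
netrc_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# netrc_is_private FILE -> succeeds only if group and other have no access
netrc_is_private() {
    case $(netrc_mode "$1") in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# fetch URL OUTFILE NETRC
# Refuses to run if the credentials file is accessible to other users.
fetch() {
    netrc_is_private "$3" || { echo "refusing: $3 is not owner-only" >&2; return 1; }
    curl --fail --silent --show-error --netrc-file "$3" -o "$2" "$1"
}

# One-time setup, typed interactively (constructed sample user name):
#   stty -echo; write_netrc "$HOME/.netrc" mything.com customer2432; stty echo
# Every later download carries no secret in its arguments:
#   fetch https://mything.com/files update.bin "$HOME/.netrc"
#   wget https://mything.com/files        # wget picks up ~/.netrc by itself
```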
                            • 1337 @scottalanmiller

                              @scottalanmiller said in How to let only customers download files with wget/curl?:

                              Not sure if this works for you as this falls under the "not solving your problem but just proposing something else" category, but we deal with this commonly and solve it by just using SSH/SFTP. It's not wget/curl, but it's super simple and standard.

                              Yes, that could also work but I'm looking for a https solution so you can do partial downloads, have scripts serve the data and what not.

                              For some reason it also seems like file transfer over an ssh session is always slow, at least when we're talking lots of data.

                              • scottalanmiller @1337

                                @Pete-S said in How to let only customers download files with wget/curl?:

                                For some reason it also seems like file transfer over an ssh session is always slow, at least when we're talking lots of data.

                                Even with SFTP or RSYNC? It might not be HTTP fast, but it's usually pretty decent.

                                • Obsolesce

                                  Why not force https, then allow them to wget/curl with basic authentication using something they already know like customer number and company name (for example). That can always be logged and tracked, alerted on if it's abused.

                                  • flaxking

                                    If you did something like host the files in an Azure Storage Account then they could download using an SAS token that's passed in as a request parameter

                                    • stacksofplates @Obsolesce

                                      @Obsolesce said in How to let only customers download files with wget/curl?:

                                      Why not force https, then allow them to wget/curl with basic authentication using something they already know like customer number and company name (for example). That can always be logged and tracked, alerted on if it's abused.

                                      This is what I have been doing in my password manager. Each request is logged with the username and the endpoint.

                                      • stacksofplates @1337

                                        @Pete-S said in How to let only customers download files with wget/curl?:

                                        have scripts serve the data and what not.

                                        Wait are you talking about CGI scripts?

                                        • 1337 @Obsolesce

                                          @Obsolesce said in How to let only customers download files with wget/curl?:

                                          Why not force https, then allow them to wget/curl with basic authentication using something they already know like customer number and company name (for example). That can always be logged and tracked, alerted on if it's abused.

                                          It would work but I prefer if I could get SSL client certificates up and running. You'd have to install the certificate once but then you're authorized to access "your" files on the web server. The webserver can log and track you and decide what you are allowed to access because of the client certificate.

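Added example, not written by any poster in this thread: the client-certificate setup discussed above, done with openssl, where a private CA issues one certificate per customer and the server trusts only that CA. The CA name, file names and the `customer-2432` common name are assumptions (2432 is the customer number in the thread's sample URL); the nginx directives in the comments are the standard ones for requiring a client certificate.

```shell
#!/bin/sh
# Added example: issue a per-customer TLS client certificate from a private CA.
# For brevity the issuer generates the client key; in practice the customer
# can generate the key and send only the CSR.

# make_ca DIR -> creates DIR/ca.key and DIR/ca.pem (self-signed CA)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Download CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# issue_client DIR CN -> creates DIR/CN.key and DIR/CN.pem signed by the CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -days 90 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# client_cn CERT -> prints the certificate's common name, which the server
# can map to the files that customer is allowed to download
client_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# cert_is_trusted CAFILE CERT -> succeeds only if CERT chains to CAFILE
cert_is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Server side (nginx), inside the TLS server block:
#   ssl_client_certificate /etc/nginx/ca.pem;   # the CA created above
#   ssl_verify_client on;                       # reject clients without a cert
#   # $ssl_client_s_dn holds the subject for logging and per-customer rules
# Client side, after installing the two files once:
#   curl --cert customer-2432.pem --key customer-2432.key -O https://mything.com/files
#   wget --certificate=customer-2432.pem --private-key=customer-2432.key https://mything.com/files
```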
                                          • 1337 @stacksofplates

                                            @stacksofplates said in How to let only customers download files with wget/curl?:

                                            @Pete-S said in How to let only customers download files with wget/curl?:

                                            have scripts serve the data and what not.

                                            Wait are you talking about CGI scripts?

                                            Yes, that's a possibility when you are using a webserver, instead of ssh.

                                            If you access a file over ssh, AFAIK the file is a static file and it is what it is.

                                            If you however access a file over https, you can have a script on the webserver delivering you the file and you can send parameters to it. For instance:

                                            wget -O install.sh "https://xyz.com/my_special_install_script.py?os=CentOS7&special=2&customer=2432"

                                            You just have a gazillion options when you connect over a webserver.
