To use system shadow password in Apache

Post by George Fa » Wed, 01 Dec 1999 04:00:00



Hi All,

        Can I use the system shadow password file with Apache?
Could anyone help me? Thanks! :)

Rgds,
George

Post by isom » Wed, 01 Dec 1999 04:00:00



>Hi All,

>    Can I use System Shadow Password in Apache?
>Anyone could help me?? Thanks! :)

A shadow password file is one which only the superuser can read.  You
would not be well advised to let the webserver read this file.  You could
possibly use PAM to authenticate HTTP requests, but this would fill your
logs and be a security risk.  I can't think why you would want to do
that.

--

http://www.jellybaby.net/~isoma/ - Spam?  What spam? (pats procmail)

Post by ?? SPIRIT ? » Thu, 02 Dec 1999 04:00:00


Oh, thx.
And I have heard that there is a module called mod_auth_sys;
can anyone tell me more about this module?


> >Hi All,

> >       Can I use System Shadow Password in Apache?
> >Anyone could help me?? Thanks! :)

> A shadow password file is one which only the superuser can read.  You
> would not be well advised to let the webserver read this file.  You could
> possibly use PAM to authenticate HTTP requests but this would fill your
> logs and be a security risks.  I can't think why you would want to do
> that.

> --

> http://www.jellybaby.net/~isoma/ - Spam?  What spam? (pats procmail)

Post by Thad Humphri » Thu, 02 Dec 1999 04:00:00




> Oh, thx.
> And I have heart that there is a modules call mod_auth_sys,
> do anyone can tell me more about this modules?



> > >Hi All,

> > >       Can I use System Shadow Password in Apache?
> > >Anyone could help me?? Thanks! :)

> > A shadow password file is one which only the superuser can read.  You
> > would not be well advised to let the webserver read this file.  You could
> > possibly use PAM to authenticate HTTP requests but this would fill your
> > logs and be a security risks.  I can't think why you would want to do
> > that.

To avoid having httpd run as superuser, place the shadow file reader in a
separate program with setuid root and have your Apache module call it and
test results with popen().

--------------------------------------------------------------------
Thad Humphries                        "Microsoft... What do you want
Software Engineer (aka, Nerd)          to reinstall today?"
Phone: 540/675-3015, ext. 225                              - Unknown

Post by George Fa » Fri, 03 Dec 1999 04:00:00



> To avoid having httpd run as superuser, place the shadow file reader in a
> separate program with setuid root and have your Apache module call it and
> test results with popen().

I see...
Where can I find that module?

Post by Jeff Stua » Mon, 06 Dec 1999 04:00:00




>> To avoid having httpd run as superuser, place the shadow file reader in a
>> separate program with setuid root and have your Apache module call it and
>> test results with popen().

>I see..
>Where can I found that modules?

Unless you want your site compromised, do not do this!  All it takes is for
someone to crack your root password FROM the webserver and you are dead in
the water.  DO NOT DO THIS!!!

--
Jeff Stuart

Post by Peter » Mon, 06 Dec 1999 04:00:00




> > To avoid having httpd run as superuser, place the shadow file reader in a
> > separate program with setuid root and have your Apache module call it and
> > test results with popen().

> I see..
> Where can I found that modules?

If you can't implement this yourself, then you probably have no business even
thinking about it. And I can't imagine a good way to architect this. Best
compromise I can imagine right now would essentially be to duplicate PAM
functionality: the helper would take a username and password and tell you
whether the password was valid or not, so the helper could not be used to
simply spit out the contents of the shadow file. But if the helper doesn't log
its actions, restrict what UID can use it, etc., then you've just built a nice
tool for local users, or anyone who can write a CGI, to test passwords
surreptitiously.

And I really, really hope you don't intend to allow using system passwords on
non-SSL servers. Even then, I'd look at a system that did an initial
verification based on IE-cache-proof FORM POST'ing, issued a replay-proof
session credential, etc.

There are just so many places where this idea could go badly wrong...

-Peter

Post by John Riddoc » Tue, 07 Dec 1999 04:00:00





>>> To avoid having httpd run as superuser, place the shadow file reader in a
>>> separate program with setuid root and have your Apache module call it and
>>> test results with popen().

>>I see..
>>Where can I found that modules?

> Unless you want your site compromised, do not do this!  All it takes is for
> someone to crack your root password FROM the webserver and you are dead in
> the water.  DO NOT DO THIS!!!

Depends on how you set it up; have the process reject any attempts to
authenticate root and the root password is uncrackable.  Also, make sure
that all non-essential ports on the box are closed and only allow access
on other ports through TCP wrappers.

If you do that, you can still be secure.

In any case, there are methods in the system for authenticating users
without having superuser privileges; PAM can authenticate on shadow
passwords, for example.

--

http://www.scms.rgu.ac.uk/staff/jr/
First Law of Socio-Genetics:
     Celibacy is not hereditary.
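
As an added example (not code from this thread, from Apache or from PAM), here is the shape of helper that Peter and John describe above: it takes a username and a password, answers only with a result code, never hands back hash material, refuses to evaluate root's password at all, pauses after every failure, and logs the attempt without the password. Everything in it that touches the system is a stand-in: the shadow lines are constructed, and `demo_hash`/`demo_verify` are a hypothetical salted-SHA-256 scheme that replaces crypt(3) so the block runs without root. The field layout and the "!"/"*" lock markers follow shadow(5).

```python
"""Added example: a PAM-shaped password-check helper (yes/no only, refuses root,
pauses on failure, logs without the password). Shadow data and hash scheme are
constructed stand-ins so the block runs without root or crypt(3)."""
import hashlib
import hmac
import logging
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

log = logging.getLogger("chkpwd_helper")

# Result codes the helper reports back to its caller (e.g. as an exit status).
OK, BAD_PASSWORD, NO_SUCH_USER, ACCOUNT_LOCKED, ACCOUNT_EXPIRED, REFUSED = range(6)


@dataclass
class ShadowEntry:
    name: str
    hash: str
    expire_day: Optional[int]  # account expiry as days since 1970-01-01, or None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow(5) line: name:hash:lastchg:min:max:warn:inactive:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow line")
    expire = int(fields[7]) if fields[7] else None
    return ShadowEntry(name=fields[0], hash=fields[1], expire_day=expire)


def load_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Index a shadow file body by username."""
    return {e.name: e for e in (parse_shadow_line(ln) for ln in text.splitlines() if ln.strip())}


def is_locked(entry: ShadowEntry) -> bool:
    # shadow(5): a hash starting with "!" or "*" means the account cannot log in.
    # An empty field means "no password"; a network-facing helper must not honour that.
    return entry.hash == "" or entry.hash[0] in "!*"


# --- hypothetical stand-in for crypt(3) so the example runs anywhere ---
def demo_hash(password: str, salt: str) -> str:
    return "$demo$" + salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def demo_verify(password: str, stored: str) -> bool:
    """Recompute the demo hash with the stored salt and compare in constant time."""
    try:
        _, scheme, salt, _digest = stored.split("$")
    except ValueError:
        return False
    if scheme != "demo":
        return False
    return hmac.compare_digest(demo_hash(password, salt), stored)


def check_password(username: str, password: str, entries: Dict[str, ShadowEntry],
                   verify_hash: Callable[[str, str], bool] = demo_verify,
                   today_days: Optional[int] = None, fail_delay: float = 2.0,
                   sleep: Callable[[float], None] = time.sleep) -> int:
    """Return a result code; the caller learns only whether the login is acceptable."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    # Never evaluate root's password: then the helper cannot be used to guess it.
    if username in ("", "root") or any(c in username for c in ":\n"):
        log.warning("refused request for user=%r", username)
        return REFUSED
    entry = entries.get(username)
    if entry is None:
        result = NO_SUCH_USER
    elif is_locked(entry):
        result = ACCOUNT_LOCKED
    elif entry.expire_day is not None and today_days >= entry.expire_day:
        result = ACCOUNT_EXPIRED
    elif verify_hash(password, entry.hash):
        result = OK
    else:
        result = BAD_PASSWORD
    if result != OK:
        sleep(fail_delay)  # same pause for every failure: slows guessing, hides which branch failed
    log.info("auth user=%s result=%d", username, result)  # the password itself is never logged
    return result


# Constructed sample data; salts, passwords and day numbers are made up for this example.
SAMPLE_SHADOW = "\n".join([
    "root:" + demo_hash("r00t-pw", "s1") + ":10900:0:99999:7:::",
    "alice:" + demo_hash("correct horse", "s2") + ":10900:0:99999:7:::",
    "bob:!" + demo_hash("bobpw", "s3") + ":10900:0:99999:7:::",        # locked with "!"
    "carol:" + demo_hash("carolpw", "s4") + ":10900:0:99999:7::10950:",  # expires on day 10950
    "dave:*:10900:0:99999:7:::",                                          # no usable password
])
ENTRIES = load_shadow(SAMPLE_SHADOW)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("root", "r00t-pw"), ("bob", "bobpw")]:
        print(user, check_password(user, pw, ENTRIES, today_days=10960, fail_delay=0.0))
```

The caller (an Apache module, a CGI, whatever) only ever sees the result code, so the helper cannot be turned into a reader for the shadow file; the root refusal and the uniform delay address the two objections raised in the thread, and the log line gives you the record of who tried what from where without ever writing a password to disk.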
Post by Ričardas Čepa » Tue, 07 Dec 1999 04:00:00


On Sun Dec  5 20:08:43 1999 -0500
           (Monday, 6 December 1999, 03:08:43 EET),



> > > To avoid having httpd run as superuser, place the shadow file reader in a
> > > separate program with setuid root and have your Apache module call it and
> > > test results with popen().

> > I see..
> > Where can I found that modules?

> If you can't implement this yourself, then you probably have no business even
> thinking about it. And I can't imagine a good way to architect this. Best
> compromise I can imagine right now would essentially be to duplicate PAM
> functionality: the helper would take a username and password and tell you
> whether the password was valid or not, so the helper could not be used to
> simply spit out the contents of the shadow file. But if the helper doesn't log
> its actions, restrict what UID can use it, etc., then you've just built a nice
> tool for local users, or anyone who can write a CGI, to test passwords
> surreptitiously.

> And I really, really hope you don't intend to allow using system passwords on
> non-SSL servers. Even then, I'd look at a system that did an initial

To take advantage of that you should disable plain telnet/ftp/pop3 as well...
I doubt that a well-implemented httpd system authentication (with pauses after a bad login)
can pose a higher security risk than pop3 or ftp, even if you choose to use
basic HTTP authentication.

> verification based on IE-cache-proof FORM POST'ing, issued a replay-proof
> session credential, etc.

> There are just so many places where this idea could go badly wrong...

> -Peter

--

                                      Ričardas Čepas