I've seen some articles that state using the login password for web
authentication is a bad idea. Something about the password going by in
the clear. How is this different from telnet? Not that telnet is
that secure, but our auditors have decided it's ok. If you type your
password into a browser authentication dialogue box it gets blended in
with your name (whatever you type) and converted to mime-base64 and sent
as clear text. This seems no worse than telnet.
The plan we were working on was to create a 4.4bsd DB file that Apache-SSL
could use. This file would hold around 27000-35000, depending on time of
year, records holding the encrypted login password. The .db file would
be owned by the "www" user, and only accessible by that user. We would
use a slightly modified mod_auth_db module to access it for User and Group
information. Is there some way this file could be leaked if we keep it
out of the "htdocs" directory?
We'll want to be able to authenticate SSL and Non-SSL accesses. With so
many people it's appealing to tell them all they can use their login password
for web access. We'd like to be able to make things like class grades
available through the web. If this is a bad idea, can someone tell me
why it's a bad idea?
University of Delaware Information Technologies/Network and Systems Services
Computing Center/192 South Chapel Street/Newark DE, 19716
pgp fingerprint: 0D 73 06 6F D3 6A 99 D3 F5 D5 6E FF 3B B9 7C 2C
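An added example (not from the poster or from Apache) of the two halves of what the post describes: the browser-side Basic header, which is only base64 and is therefore readable on a non-SSL connection, and a server-side check in the style of a mod_auth_db lookup against a per-user record. The in-memory STORE, the PBKDF2 hashing (standing in for the crypt(3) "encrypted password" format the post refers to) and all user names and passwords are constructed assumptions.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os

def make_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hypothetical record format: (salt, PBKDF2-SHA256 hash of the password)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

# Constructed stand-in for the .db file: user name -> record.
STORE = {"alice": make_record("s3cret"), "bob": make_record("hunter2")}

def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth."""
    if ":" in user:
        raise ValueError("user names cannot contain ':' in Basic auth")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header: str) -> tuple[str, str] | None:
    """Recover user and password from a Basic header. Base64 is an encoding,
    not encryption, so without SSL the password travels as clear text."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    # Split on the first ':' only; passwords may themselves contain colons.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authenticate(header: str, store=STORE) -> str | None:
    """Server-side check: look up the user's record, re-hash the presented
    password with the stored salt and compare in constant time."""
    creds = decode_basic(header)
    if creds is None:
        return None
    user, password = creds
    record = store.get(user)
    if record is None:
        return None
    salt, expected = record
    _, presented = make_record(password, salt)
    return user if hmac.compare_digest(presented, expected) else None
```

Because the stored record is a salted hash, leaking the file exposes only hashes, whereas the Authorization header on a non-SSL connection exposes the password itself.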