Apache: how to use /etc/passwd


Post by Scott J. Ellentuc » Wed, 19 Jun 1996 04:00:00



Hi,

        I was wondering if there is a module that will allow me to use
/etc/passwd as my password file like I was for CERN.  I tried the built
in one and it doesn't seem to hash properly.

                Thanks, Tuc

 
 
 


Post by Rob Hartil » Thu, 20 Jun 1996 04:00:00



>         I was wondering if there is a module that will allow me to use
> /etc/passwd as my password file like I was for CERN.  I tried the built
> in one and it doesn't seem to hash properly.

There's no official module, but I think a few people have played with
this idea. I think it's called mod_suicide or similar.

--
The rumor is that Jack Kevorkian has set up a Windows-NT users group.

 
 
 


Post by Ascensi » Thu, 20 Jun 1996 04:00:00


(Stuff about using /etc/passwd for authentication deleted)
: There's no official module, but I think a few people have played with
: this idea. I think it's called mod_suicide or similar.

Correct me if I'm wrong, but doesn't this pose no more of a security risk
than offering unencrypted telnet access to a machine?

Rob Johnson

 
 
 


Post by Rob Hartil » Fri, 21 Jun 1996 04:00:00



> (Stuff about using /etc/passwd for authentication deleted)
> : There's no official module, but I think a few people have played with
> : this idea. I think it's called mod_suicide or similar.

> Correct me if I'm wrong, but doesn't this pose no more of a security risk
> than offering unencrypted telnet access to a machine?

It's more of a security risk because local users can easily spoof
a httpd response which fools the client into sending the password
to a script which grabs it. Also, with httpd, the password flies
around with every request and may pass through proxies.

--
The rumor is that Jack Kevorkian has set up a Windows-NT users group.

 
 
 


Post by Howard Fe » Wed, 26 Jun 1996 04:00:00


>> (Stuff about using /etc/passwd for authentication deleted)

>> : There's no official module, but I think a few people have played with
>> : this idea. I think it's called mod_suicide or similar.

>> Correct me if I'm wrong, but doesn't this pose no more of a security risk
>> than offering unencrypted telnet access to a machine?

> It's more of a security risk because local users can easily spoof
> a httpd response which fools the client into sending the password
> to a script which grabs it. Also, with httpd, the password flies
> around with every request and may pass through proxies.

But it's still highly useful (even to the point of being required)
for Unix-based intranets.  At least until Kerberos has a much bigger
penetration in standard Unix systems.  The more passwords you force
a user to keep, the more likely they will be written down in some
really obvious place - which is a much bigger security hole than
anything http will do.

--


(303)673-5170    http://pageplus.com/~hsf/

 
 
 


Post by Cliff Ad » Sat, 29 Jun 1996 04:00:00



:  
: >         I was wondering if there is a module that will allow me to use
: > /etc/passwd as my password file like I was for CERN.  I tried the built
: > in one and it doesn't seem to hash properly.

: There's no official module, but I think a few people have played with
: this idea. I think it's called mod_suicide or similar.

Huh?  How is this any more un-secure than any normal user?  We don't do this,
but couldn't you grant read-only perms to a group httpd, of which the
daemon is the only member? I may be completely wrong on this :)  but this
seems secure.  At least as secure as UNIX gets ..

Cliff

 
 
 


Post by Jason V. Roberts » Sun, 30 Jun 1996 04:00:00





>:  
>: >         I was wondering if there is a module that will allow me to use
>: > /etc/passwd as my password file like I was for CERN.  I tried the built
>: > in one and it doesn't seem to hash properly.

>: There's no official module, but I think a few people have played with
>: this idea. I think it's called mod_suicide or similar.

>Huh?  How is this any more un-secure than any normal user?  We don't do this,
>but couldn't you grant read-only perms to a group httpd, of which the
>daemon is the only member? I may be completely wrong on this :)  but this
>seems secure.  At least as secure as UNIX gets ..

They say it's worse than telnet or ftp because the password is sent in
(practically) cleartext every time you access a secured page.  I wonder if
the client will also send it if the page isn't secure?  Maybe it
would be safer to check the password once at log-in time, encrypt it with a
local session key that times out in X minutes, and pass it as a cookie to
the client.  That way the password is only sent once in the clear and you
can authenticate the client and only leave a hole of X minutes for someone
to snoop the password (other than initially).

Of course, if you have SSL then this is not an issue - there's no problem with
using the passwd file.

Anyone using Java to do secure Web stuff?
--
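
Added example (not part of any post in this thread): the log-in-once idea from the post above, sketched in Python next to a decoder that shows why Basic credentials count as practically cleartext. It differs from the post in that the cookie carries an HMAC-signed user name and expiry instead of the encrypted password; `SESSION_KEY`, `TTL_SECONDS` and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values; nothing here comes from the thread.
SESSION_KEY = b"constructed-demo-key"  # server-side secret, never sent out
TTL_SECONDS = 15 * 60                  # the "X minutes" window


def decode_basic(header_value):
    """Recover (user, password) from an HTTP Basic Authorization value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # Base64 is an encoding, not encryption: anyone on the path can do this.
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _mac(payload):
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None):
    """Cookie value 'user|expiry|mac', issued after one password check."""
    expiry = int(time.time() if now is None else now) + TTL_SECONDS
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, expiry, mac = token.rsplit("|", 2)
        expires_at = int(expiry)
    except ValueError:
        return None
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode()):
        return None
    if (time.time() if now is None else now) >= expires_at:
        return None
    return user
```

A captured token can still be replayed until it expires, so this narrows the exposure window to `TTL_SECONDS` and does not remove it.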

 
 
 
