httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: Patch to allow use of password file as auth DB (from USENET)
Date Mon, 08 May 1995 20:02:08 GMT
On Mon, 8 May 1995, Roy T. Fielding wrote:
> > What his patch does is permit people to say "AuthUserFile +" and then
> > it will allow the use of NIS to find username-password information
> > instead of special password files for httpd.
> 
> Ummmm, just to pick a little nit, this is a really bad idea from
> the point of security.  The Basic AA is bad enough, but to encourage
> users to pass their real system passwords through HTTP en clair is
> quite irresponsible.

I would agree.  Include the patch in /contrib, maybe, but let's not 
encourage that, at least until we've done the dirty work and put in 
message-digest authentication.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/
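
Added example, not part of the original message or of the Apache code: the difference the thread turns on, shown in Python with constructed credentials. A Basic `Authorization` header decodes straight back to the password, while a digest response carries only a nonce-bound hash; the form used here, MD5(HA1:nonce:HA2), is an assumption about the scheme meant by "message-digest authentication", and all function names are hypothetical.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_from_basic(header):
    """What any proxy, log or on-path observer can read from that header."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, realm, password, nonce, method, uri):
    """Client side of digest auth in its simplest form (assumed here)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1, nonce, method, uri, response):
    """Server side: needs only the stored HA1, never the cleartext password."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "alice", "httpd-demo", "s3cret-login-pw"

if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", recover_from_basic(hdr))
    resp = digest_response(USER, REALM, PASSWORD, "nonce-1", "GET", "/private/")
    print("digest response:", resp)
    print("replayed under a new nonce:",
          server_verify(md5_hex(f"{USER}:{REALM}:{PASSWORD}"),
                        "nonce-2", "GET", "/private/", resp))
```

Digest keeps the password itself off the wire, but a captured nonce and response can still be checked against guessed passwords offline, so it does not make reusing system passwords over plain HTTP safe.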

