httpd-dev mailing list archives

From Brian Behlendorf <br...@hyperreal.com>
Subject Re: feature request [Archie Cobbs <archie@tribe.com>] (fwd)
Date Wed, 09 Aug 1995 20:49:50 GMT


---------- Forwarded message ----------
From: Archie Cobbs <archie@tribe.com>
Subject: Re: feature request (fwd)
To: brian@organic.com (Brian Behlendorf)
Date: Wed, 9 Aug 1995 13:18:17 -0700 (PDT)
Cc: new-httpd@hyperreal.com, archie@tribe.tribe.com


> On Wed, 9 Aug 1995, Florent Guillaume wrote:
> > > Since both Apache/htpasswd and login(1) use the same function to
> > > encrypt passwords, you'd think that you could just say:
> > > 
> > >     AuthUserFile    /etc/passwd
> > 
> > It is evil to use the system passwords for the WWW, because
> > these passwords are sent in clear to whoever asks them.

I agree with that general sentiment, but the encoding of the password across
the net is really an orthogonal issue. For example, suppose SSL was
implemented between client & server... I'd still have the same complaint.

> I'd use the term "unwise", but yeah, I agree that it shouldn't be 
> suggested or necessarily enabled in our setup.  MD5 authentication is 
> going to require storing something other than the crypted password 
> anyways.

That's true (and too bad for me). By the way, any projections as to
when this MD5 password encoding gets implemented?

-Archie
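
Added example, not part of the original messages or of Apache's code: it contrasts what a Basic `Authorization` header exposes with the per-user value a digest scheme has to store. It assumes "MD5 authentication" means HTTP Digest access authentication as later specified in RFC 2069; the user, realm, password, nonce and crypt-style hash are constructed sample values.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    """Basic auth: base64 of user:password, an encoding and not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(header):
    """Anything that sees the request can reverse the header to the password."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password

def ha1(user, realm, password):
    """Digest: the server stores MD5(user:realm:password), not a crypt(3) hash."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(stored_ha1, nonce, method, uri):
    """RFC 2069 style response: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{ha2}")

def server_verify(stored_value, nonce, method, uri, response):
    """The server recomputes the response from whatever it has on file."""
    expected = digest_response(stored_value, nonce, method, uri)
    return hmac.compare_digest(expected, response)

# Constructed sample values (assumptions, not from the thread).
USER, REALM, PASSWORD = "archie", "example-realm", "constructed-password"
NONCE, METHOD, URI = "0123456789abcdef", "GET", "/private/"
CRYPT_HASH = "abJnggxhB/yWI"  # placeholder shaped like an /etc/passwd crypt field

if __name__ == "__main__":
    print("Basic header reveals:", recover_basic(basic_header(USER, PASSWORD)))
    client = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    print("Digest response on the wire:", client)
    print("Verify with stored HA1:",
          server_verify(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI, client))
    print("Verify with crypt(3) field:",
          server_verify(CRYPT_HASH, NONCE, METHOD, URI, client))
```

The last check fails because a crypt(3) field cannot be turned into MD5(user:realm:password) without the plaintext, which is why pointing a digest scheme at `/etc/passwd` cannot work.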


