Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.12/8.6.5) id KAA18425;
 Wed, 9 Aug 1995 10:45:36 -0700
Received: from eat.organic.com by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP
 id KAA18416; Wed, 9 Aug 1995 10:45:30 -0700
Received: (from brian@localhost) by eat.organic.com (8.6.12/8.6.12) id
 KAA07261; Wed, 9 Aug 1995 10:46:24 -0700
Date: Wed, 9 Aug 1995 10:46:24 -0700 (PDT)
From: Brian Behlendorf <brian@organic.com>
To: new-httpd@hyperreal.com
cc: archie@tribe.com
Subject: Re: feature request (fwd)
In-Reply-To: <9508091735.AA01109@clipper.ens.fr>
Message-ID: <Pine.SOL.3.91.950809104506.5767I-100000@eat.organic.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Wed, 9 Aug 1995, Florent Guillaume wrote:
> > Since both Apache/htpasswd and login(1) use the same function to
> > encrypt passwords, you'd think that you could just say:
> > 
> >     AuthUserFile    /etc/passwd
> 
> It is evil to use the system passwords for the WWW, because
> these passwords are sent in clear to whoever asks them.

I'd use the term "unwise", but yeah, I agree that it shouldn't be 
suggested or necessarily enabled in our setup.  MD5 authentication is 
going to require storing something other than the crypted password 
anyways.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/