httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: 1.2B4: Stop password field of AuthUserFile at next colon (fwd)
Date Mon, 06 Jan 1997 23:58:21 GMT
On Mon, 6 Jan 1997, Rob Hartill wrote:

> 
> I remember Dirk was playing with ":"s recently.
> 
> Where do we stand on people shooting themselves in the foot with /etc/passwd ?

I don't see why not.  If /etc/passwd will do anything (i.e. isn't
shadowed), they had better be sure users' passwords can't be cracked by a
dictionary-based attack so I don't see that using /etc/passwd will hurt
that much. 

What possible problems are there?  I can think of:
	- bugs in the webserver that let people get the encrypted 
	  passwords; sure, but there are a heck of a lot of easier
	  ways on most systems.
	- passwords passed plaintext across the network; nothing new,
	  on 99% of systems they are anyway.
	- passwords cached in unsafe browsers; possibly a bit of a
	  problem, but if someone has access to the PC they can sniff
	  them pretty easily.


> 
> .. and do we stand on their foot before or after they shoot it ?  :-)
> 
> ---------- Forwarded message ----------
> Date: Mon, 6 Jan 1997 16:50:19 -0500 (EST)
> From: Gregory Neil Shapiro <gshapiro@wpi.edu>
> To: apache-bugs@apache.org
> Cc: aej@wpi.edu
> Subject: 1.2B4: Stop password field of AuthUserFile at next colon
> 
> Currently, auth_mod.c separates the username and password by the first colon.
> However, it sends the rest of the string (after the colon) to crypt for
> password comparison.  I believe it should use the same code which
> auth_mod_dbm.c uses and stop at the next colon.  That would allow sites to use
> /etc/passwd for the AuthUserFile for system wide functions.  Here is a patch
> to accomplish this (you'll notice the code is stolen from mod_auth_dbm.c):
> 
> *** src/mod_auth.c~     Tue Dec 24 14:10:29 1996
> --- src/mod_auth.c      Mon Jan  6 16:42:09 1997
> ***************
> *** 122,131 ****
>         return NULL;
>       }
>       while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
>           if((l[0] == '#') || (!l[0])) continue;
>         rpw = l;
>           w = getword(r->pool, &rpw, ':');
> ! 
>           if(!strcmp(user,w)) {
>             pfclose(r->pool, f);
>               return pstrdup (r->pool, rpw);
> --- 122,134 ----
>         return NULL;
>       }
>       while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
> +         char *colon_pw;
>           if((l[0] == '#') || (!l[0])) continue;
>         rpw = l;
>           w = getword(r->pool, &rpw, ':');
> !       /* Password is up to first : if exists */
> !       colon_pw = strchr(rpw,':');
> !       if (colon_pw) *colon_pw='\0';   
>           if(!strcmp(user,w)) {
>             pfclose(r->pool, f);
>               return pstrdup (r->pool, rpw);
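
Review bot: the truncation in the changed lines (`colon_pw = strchr(rpw,':');` followed by `if (colon_pw) *colon_pw='\0';`) runs on every non-comment line before the `strcmp(user,w)` test, so it could move inside the `if(!strcmp(user,w))` block and touch only the matching entry. The comment "Password is up to first : if exists" is also ambiguous, because `getword` has already consumed the first colon on the line by that point; wording such as "password ends at the next ':' if present" would match what the code does.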
> 
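
The parsing difference described in the forwarded report, as an added example that is not part of the original messages and is not Apache's code: `password_field` is a hypothetical helper, and the sample lines and hash are constructed. It shows what would be handed to crypt() for an /etc/passwd-style line when the field runs to the end of the line versus stopping at the next colon.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache code): find `user` in one AuthUserFile-style
 * line and copy the text that would be handed to crypt() into `out`.
 * stop_at_colon = 0 models the behaviour the report describes (rest of line);
 * stop_at_colon = 1 models the patched behaviour (field ends at next ':').
 * Returns 1 on a match, 0 otherwise. */
int password_field(const char *line, const char *user, int stop_at_colon,
                   char *out, size_t outlen)
{
    const char *sep, *end;
    size_t ulen, plen;

    if (outlen == 0 || line[0] == '#' || line[0] == '\0')
        return 0;                       /* comment or empty line */
    sep = strchr(line, ':');
    if (sep == NULL)
        return 0;                       /* no username separator */
    ulen = (size_t)(sep - line);
    if (strlen(user) != ulen || strncmp(line, user, ulen) != 0)
        return 0;                       /* different user */

    sep++;                              /* start of password field */
    end = sep + strcspn(sep, stop_at_colon ? ":\r\n" : "\r\n");
    plen = (size_t)(end - sep);
    if (plen >= outlen)
        return 0;                       /* refuse to truncate a hash */
    memcpy(out, sep, plen);
    out[plen] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample lines; the hash is a made-up placeholder. */
    const char *passwd_line   = "alice:abJnggxhB/yWI:1001:100:Alice:/home/alice:/bin/sh";
    const char *htpasswd_line = "alice:abJnggxhB/yWI";
    char buf[128];

    if (password_field(passwd_line, "alice", 0, buf, sizeof buf))
        printf("rest of line : %s\n", buf);
    if (password_field(passwd_line, "alice", 1, buf, sizeof buf))
        printf("next colon   : %s\n", buf);
    if (password_field(htpasswd_line, "alice", 1, buf, sizeof buf))
        printf("htpasswd line: %s\n", buf);
    return 0;
}
```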

