Received: by taz.hyperreal.com (8.8.3/V2.0) id PAA17022;
 Mon, 6 Jan 1997 15:58:53 -0800 (PST)
Received: from scanner.worldgate.com by taz.hyperreal.com (8.8.3/V2.0) with
 ESMTP id PAA17010; Mon, 6 Jan 1997 15:58:48 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com
 (8.7.5/8.7.3) with UUCP id QAA08672 for new-httpd@hyperreal.com;
 Mon, 6 Jan 1997 16:58:45 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3)
 with SMTP id QAA06105 for <new-httpd@hyperreal.com>;
 Mon, 6 Jan 1997 16:58:21 -0700 (MST)
Date: Mon, 6 Jan 1997 16:58:21 -0700 (MST)
From: Marc Slemko <marcs@znep.com>
X-Sender: marcs@alive.ampr.ab.ca
To: Apache Group <new-httpd@hyperreal.com>
Subject: Re: 1.2B4: Stop password field of AuthUserFile at next colon (fwd)
In-Reply-To: <Pine.BSF.3.91.970106231140.10630E-100000@localhost>
Message-ID: <Pine.BSF.3.95.970106165212.5684B-100000@alive.ampr.ab.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Mon, 6 Jan 1997, Rob Hartill wrote:

> 
> I remember Dirk was playing with ":"s recently.
> 
> Where do we stand on people shooting themselves in the foot with /etc/passwd ?

I don't see why not.  If /etc/passwd will do anything (ie. isn't
shadowed), they had better be sure users' passwords can't be cracked by a
dictionary based attack so I don't see that using /etc/password will hurt
that much. 

What possible problems are there?  I can think of:
	- bugs in the webserver that let people get the encrypted 
	  passwords; sure, but there are a heck of a lot of easier
	  ways on most systems.
	- passwords passed plaintext across the network; nothing new,
	  on 99% of systems they are anyway.
	- passwords cached in unsafe browsers; possibly a bit of a
	  problem, but if someone has access to the PC they can sniff
	  them pretty easily.


> 
> .. and do we stand on their foot before or after they shoot it ?  :-)
> 
> ---------- Forwarded message ----------
> Date: Mon, 6 Jan 1997 16:50:19 -0500 (EST)
> From: Gregory Neil Shapiro <gshapiro@wpi.edu>
> To: apache-bugs@apache.org
> Cc: aej@wpi.edu
> Subject: 1.2B4: Stop password field of AuthUserFile at next colon
> 
> Currently, auth_mod.c separates the username and password by the first colon.
> However, it sends the rest of the string (after the colon) to crypt for
> password comparison.  I believe it should use the same code which
> auth_mod_dbm.c uses and stop at the next colon.  That would allow sites to use
> /etc/passwd for the AuthUserFile for system wide functions.  Here is a patch
> to accomplish this (you'll notice the code is stolen from mod_auth_dbm.c):
> 
> *** src/mod_auth.c~     Tue Dec 24 14:10:29 1996
> --- src/mod_auth.c      Mon Jan  6 16:42:09 1997
> ***************
> *** 122,131 ****
>         return NULL;
>       }
>       while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
>           if((l[0] == '#') || (!l[0])) continue;
>         rpw = l;
>           w = getword(r->pool, &rpw, ':');
> ! 
>           if(!strcmp(user,w)) {
>             pfclose(r->pool, f);
>               return pstrdup (r->pool, rpw);
> --- 122,134 ----
>         return NULL;
>       }
>       while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
> +         char *colon_pw;
>           if((l[0] == '#') || (!l[0])) continue;
>         rpw = l;
>           w = getword(r->pool, &rpw, ':');
> !       /* Password is up to first : if exists */
> !       colon_pw = strchr(rpw,':');
> !       if (colon_pw) *colon_pw='\0';   
>           if(!strcmp(user,w)) {
>             pfclose(r->pool, f);
>               return pstrdup (r->pool, rpw);
>