httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Rodent of Unusual Size)
Subject Re: Apache PR#190: IdentyCheck and server accessibility
Date Wed, 26 Feb 1997 02:00:16 GMT
>From the fingers of Chuck Murcko flowed the following:
>I agree with Ken. IDENT isn't very useful from a security standpoint,
>and we should probably move it to contrib or something, since there will
>always be a few who'd like to use it. Had it been built into everything,
>things might be different.

    Um.. with what, specifically, are you agreeing?  In combination with
    HostNameLookups being enabled, I think this is roughly on a par with
    basic auth, security-wise.  The identd server is running on a
    privileged port, so a perp needs to have superuser authority (not a
    biggie on desktop clients, admittedly).  The web server admin has
    the usual issue of extending trust.  If the RFC1413 identity is
    used, with origin host double-checking on, the trust is basically
    being extended to a) the name service and b) the superuser
    of the client machine.

    This approaches security from the "who you are" rather than the
    "what you know" or "what you have" axes.  (Classic examples of each:
    DNA patterns, passwords, and padlock keys.)  Implementations of each
    have weaknesses, but need to be evaluated according to different
    criteria.  I think it's valuable to have two of the three approaches
    covered, however poorly.

    I think this is particularly useful for intranets, which is
    one reason I think IdentityCheck should grind finer than
    server-wide.  Parity with the "what you know" existing
    authentication mechanism is another.

    As for being built into everything.. it's part of the core, and also
    part of our compatibility with NCSA (though that appears to be of
    limited importance these days).

    So much for philosophy..

>+1, same conditions as Mark (10 < newtime < 60).
>Marc Slemko wrote:
>> I will +1 a 10 second timeout.
>> Anything bigger than that but less than the existing one I will also +1,
>> but only after people tell me that 10 seconds is too short.

    If RFC1413 says the minimum wait by a client should be 30s, I think
    that should be our default.  10s is pushing the RTT a little bit
    much right now, IMO.  "10 seconds is too short, Marc." ;->  ..but
    60s is definitely too long.

    It would be nice for IdentityCheck to be a) timeout-configurable,
    and b) per-directory specifiable, but that's for post-1.2.  I'd like
    to see it moved out of the core and into a module at that time, but
    kept as part of the main distribution.

    As I said, I have a vested interest in this beast, so I'm willing to
    raise my hand to do the appropriate work.

    Now to be shouted down.. <g>

    #ken    :-)}

View raw message