Received: (from majordom@localhost) by hyperreal.com (8.8.5/8.8.5) id FAA07736; Thu, 15 May 1997 05:13:11 -0700 (PDT)
Received: from pooh.pageplus.com (pooh.pageplus.com [206.168.18.1]) by hyperreal.com (8.8.5/8.8.5) with ESMTP id FAA07715 for ; Thu, 15 May 1997 05:13:03 -0700 (PDT)
Received: from pooh.pageplus.com (hsf@localhost [127.0.0.1]) by pooh.pageplus.com (8.8.5/8.8.5) with ESMTP id GAA27440 for ; Thu, 15 May 1997 06:11:16 -0600
Message-Id: <199705151211.GAA27440@pooh.pageplus.com>
To: new-httpd@apache.org
Subject: Fwd> Question regarding mod_auth_sys
Date: Thu, 15 May 1997 06:11:16 -0600
From: Howard Fear
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Can someone give me a more detailed explanation of this? I was under the
impression that passwords aren't passed from the server to user available
tools (cgi, ssi, php, etc.).

------- Forwarded Message

From Todd Chapman

I am interested in using your module to authenticate against /etc/passwd
in an intranet. No external access to the intranet is allowed, but local
users can freely browse the web.

Six reasons not to do this are given in the Apache FAQ. The first five
seem like acceptable risks on my intranet, but I do not understand the
following sixth reason:

    It's relatively trivial for someone on your system to put up a page
    that will steal the cached password from a client's cache without
    them knowing. Can you say "password grabber"?

------- End of Forwarded Message

And, yes, I think the paranoia about user passwords makes a lot of sense
on a public server but is a very limited position as it applies to a
corporate intranet/departmental server. Having one password for all
resources is a very important MIS concept. Although this probably won't
fully be possible until the large scale deployment of LDAP and
certificates.

BTW, I may be on a panel about Apache for our local Unix User's Group.
I'll be addressing using Apache for intranets, so if anyone has any
comments, I'll be happy to reflect them.

--
Howard Fear      I'm just a country perl hacker Jim.
hsf@pageplus.com http://www.pageplus.com/~hsf/
hsf@redcape.com