httpd-dev mailing list archives
From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: mod_auth-any/791: parsing of password file (username:password:extrafields) (fwd)
Date Thu, 26 Jun 1997 15:39:53 GMT
> And we keep getting the same patch over and over....
> 
> +1
> 
+1 With the following warning in the docs. I also added
an example, mentioned support/htpasswd and the fact
that crypt() is not portable.

Dw.

----- Begin Included Message -----

>From dirkx Thu Jun 26 17:38 MET 1997
Date: Thu, 26 Jun 1997 17:38:05 +0200
From: Dirk.vanGulik <Dirk.vanGulik>
Content-Type: text

cvs diff mod_auth.html
*** mod_auth.html	Thu Jun 26 17:37:20 1997
***************
*** 1,162 ****
! <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
  <HTML>
  <HEAD>
!    <TITLE>Apache module mod_auth</TITLE>
!    <META NAME="GENERATOR" CONTENT="Mozilla/3.0Gold (X11; I; SunOS 5.4 sun4m) [Netscape]">
  </HEAD>
- <BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000FF" VLINK="#000080" ALINK="#FF0000">
  
! <P><!-- Background white, links blue (unvisited), navy (visited), red (active)
--><!--#include virtual="header.html" --></P>
! 
! <H1 ALIGN=CENTER>Module mod_auth</H1>
! 
! <P>This module is contained in the <TT>mod_auth.c</TT> file, and is compiled
! in by default. It provides for user authentication using textual files.
! </P>
! 
! <MENU>
! <LI><A HREF="#authgroupfile">AuthGroupFile</A> </LI>
! 
! <LI><A HREF="#authuserfile">AuthUserFile</A> </LI>
! 
! <LI><A HREF="#authauthoritative">AuthAuthoritative</A> </LI>
! </MENU>
! 
! <P>
! <HR><A NAME="authgroupfile"></A></P>
! 
! <H2>AuthGroupFile</H2>
! 
! <P><!--%plaintext &lt;?INDEX {\tt AuthGroupFile} directive&gt; --><B>Syntax:</B>
! AuthGroupFile <I>filename<BR>
! </I><B>Context:</B> directory, .htaccess<BR>
! <B>Override:</B> AuthConfig<BR>
! <B>Status:</B> Base<BR>
! <B>Module:</B> mod_auth</P>
! 
! <P> The AuthGroupFile directive sets the name of a textual file containing
! the list of user groups for user authentication. <I>Filename</I> is the
! absolute path to the group file.</P>
! 
! <P> Each line of the group file contains a groupname followed by a colon,
! followed by the member usernames separated by spaces. Example: </P>
! 
! <BLOCKQUOTE>
! <P><TT>mygroup: bob joe anne</TT></P>
! </BLOCKQUOTE>
! 
! <P>Note that searching large groups files is <I>very</I> inefficient;
<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A>
! should be used instead.</P>
! 
! <P> Security: make sure that the AuthGroupFile is stored outside the document
! tree of the web-server; do <I>not</I> put it in the directory that it protects.
! Otherwise, clients will be able to download the AuthGroupFile.</P>
! 
! <P> See also <A HREF="core.html#authname">AuthName</A>, <A HREF="core.html#authtype">AuthType</A>
! and <A HREF="#authuserfile">AuthUserFile</A>.</P>
! 
! <P>
! <HR><A NAME="authuserfile"></A></P>
! 
! <H2>AuthUserFile</H2>
! 
! <P><!--%plaintext &lt;?INDEX {\tt AuthUserFile} directive&gt; --><B>Syntax:</B>
! AuthUserFile <I>filename<BR>
! </I><B>Context:</B> directory, .htaccess<BR>
! <B>Override:</B> AuthConfig<BR>
! <B>Status:</B> Base<BR>
! <B>Module:</B> mod_auth</P>
! 
! <P> The AuthUserFile directive sets the name of a textual file containing
! the list of users and passwords for user authentication. <I>Filename</I>
! is the absolute path to the user file.</P>
! 
! <P> Each line of the user file file contains a username followed by a colon,
! followed by the crypt() encrypted password.This is optionally follwed by
! zero or more fields, also colon separated. The behavior of multiple occurrences
! of the same user is undefined.</P>
! 
! <P>Example:</P>
! 
! <UL>
! <P><TT>dirkx:sadg65123<BR>
! ardy:432bv24bn23: Some Comments 'bout ardy</TT></P>
! </UL>
! 
! <P>Now the above looks an awfull lot like the passwd(8) file on a unix
! box. And you might even be tempted to use that password file (<TT>AuthUserFile
! /etc/passwd</TT>). <B>Just DON't. </B>The reasons are left as an exercise
! to the readers; but really this is not a good idea; and your system administrator
! might just bite your head off when she or he finds out.. Also HTTP&nbsp;username
! and password files travel unencrypted over the wire. The same goes of course
! for the mod_auth_nis and mod_auth_nis+ modules. </P>
! 
! <P>In the support directory of your installation small utility '<TT>htpasswd</TT>'
! can be found to create and edit password entries and the encrypted password.
! As apache uses the systems own crypt() some interoperability problems might
! arise when for example mixing the international version of FreeBSD, which
! has an md5 based crypt and, say, the DES based crypt of Solaris. Bear this
! in mind when transfering services from one platform to another.</P>
! 
! <P> Note that searching user groups files is inefficient; <A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A>
! should be used instead.</P>
! 
! <P> Security: make sure that the AuthUserFile is stored outside the document
! tree of the web-server; do <I>not</I> put it in the directory that it protects.
! Otherwise, clients will be able to download the AuthUserFile.</P>
! 
! <P> See also <A HREF="core.html#authname">AuthName</A>, <A HREF="core.html#authtype">AuthType</A>
! and <A HREF="#authgroupfile">AuthGroupFile</A>.</P>
! 
! <P> 
! <HR><A NAME="authauthoritative"></A></P>
! 
! <H2>AuthAuthoritative</H2>
! 
! <P><!--%plaintext &lt;?INDEX {\tt AuthAuthoritative} directive&gt; --><B>Syntax:</B>
! AuthAuthoritative &lt; <B>on</B>(default) | off &gt; <BR>
! <B>Context:</B> directory, .htaccess<BR>
! <B>Override:</B> AuthConfig<BR>
! <B>Status:</B> Base<BR>
! <B>Module:</B> mod_auth</P>
! 
! <P> Setting the AuthAuthoritative directive explicitly to <B>'off'</B>
! allows for both authentication and authorization to be passed on to lower
! level modules (as defined in the <TT>Configuration</TT> and <TT>modules.c</TT>
! files) if there is <B>no userID</B> or <B>rule</B> matching the
supplied
! userID. If there is a userID and/or rule specified; the usual password
! and access checks will be applied and a failure will give an Authorization
! Required reply. </P>
! 
! <P>So if a userID appears in the database of more than one module; or if
! a valid require directive applies to more than one module; then the first
! module will verify the credentials; and no access is passed on; regardless
! of the AuthAuthoritative setting. </P>
! 
! <P>A common use for this is in conjunction with one of the database modules;
! such as <TT><A HREF="mod_auth_db.html">mod_auth_db.c</A></TT>, <TT><A
HREF="mod_auth_dbm.html">mod_auth_dbm.c</A></TT>,
! <TT><A HREF="mod_auth_msql.html">mod_auth_msql.c</A></TT> and <TT><A
HREF="mod_auth_anon.html">mod_auth_anon.c</A></TT>.
! These modules supply the bulk of the user credential checking; but a few
! (administrator) related accesses fall through to a lower level with a well
! protected AuthUserFile. </P>
! 
! <P><B>Default:</B> By default; control is not passed on; and an unknown
! userID or rule will result in an Authorization Required reply. Not setting
! it thus keeps the system secure; and forces an NSCA compliant behaviour.
! </P>
! 
! <P>Security: Do consider the implications of allowing a user to allow fall-through
! in his .htaccess file; and verify that this is really what you want; Generally
! it is easier to just secure a single .htpasswd file, than it is to secure
! a database such as mSQL. Make sure that the AuthUserFile is stored outside
! the document tree of the web-server; do <I>not</I> put it in the directory
! that it protects. Otherwise, clients will be able to download the AuthUserFile.
! </P>
! 
! <P>See also <A HREF="core.html#authname">AuthName</A>, <A HREF="core.html#authtype">AuthType</A>
! and <A HREF="#authgroupfile">AuthGroupFile</A>.</P>
! 
! <P> <!--#include virtual="footer.html" --></P>
  
  </BODY>
  </HTML>
--- 1,145 ----
! <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
  <HTML>
  <HEAD>
! <TITLE>Apache module mod_auth</TITLE>
  </HEAD>
  
! <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
! <BODY
!  BGCOLOR="#FFFFFF"
!  TEXT="#000000"
!  LINK="#0000FF"
!  VLINK="#000080"
!  ALINK="#FF0000"
! >
! <!--#include virtual="header.html" -->
! 
! <H1 ALIGN="CENTER">Module mod_auth</h1>
! 
! This module is contained in the <code>mod_auth.c</code> file, and
! is compiled in by default. It provides for user authentication using
! textual files.
! 
! 
! <menu>
! <li><A HREF="#authgroupfile">AuthGroupFile</A>
! <li><A HREF="#authuserfile">AuthUserFile</A>
! <li><A HREF="#authauthoritative">AuthAuthoritative</A>
! </menu>
! <hr>
! 
! 
! <A name="authgroupfile"><h2>AuthGroupFile</h2></A>
! <!--%plaintext &lt;?INDEX {\tt AuthGroupFile} directive&gt; -->
! <strong>Syntax:</strong> AuthGroupFile <em>filename</em><br>
! <Strong>Context:</strong> directory, .htaccess<br>
! <Strong>Override:</strong> AuthConfig<br>
! <strong>Status:</strong> Base<br>
! <strong>Module:</strong> mod_auth<p>
! 
! The AuthGroupFile directive sets the name of a textual file containing the list
! of user groups for user authentication. <em>Filename</em> is the absolute path
! to the group file.<p>
! Each line of the group file contains a groupname followed by a colon, followed
! by the member usernames separated by spaces. Example:
! <blockquote><code>mygroup: bob joe anne</code></blockquote>
! Note that searching large groups files is <em>very</em> inefficient;
! <A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should
! be used instead.<p>
! 
! Security: make sure that the AuthGroupFile is stored outside the
! document tree of the web-server; do <em>not</em> put it in the directory that
! it protects. Otherwise, clients will be able to download the AuthGroupFile.<p>
! 
! See also <A HREF="core.html#authname">AuthName</A>,
! <A HREF="core.html#authtype">AuthType</A> and
! <A HREF="#authuserfile">AuthUserFile</A>.<p><hr>
! 
! <A name="authuserfile"><h2>AuthUserFile</h2></A>
! <!--%plaintext &lt;?INDEX {\tt AuthUserFile} directive&gt; -->
! <strong>Syntax:</strong> AuthUserFile <em>filename</em><br>
! <Strong>Context:</strong> directory, .htaccess<br>
! <Strong>Override:</strong> AuthConfig<br>
! <strong>Status:</strong> Base<br>
! <strong>Module:</strong> mod_auth<p>
! 
! The AuthUserFile directive sets the name of a textual file containing
! the list of users and passwords for user
! authentication. <em>Filename</em> is the absolute path to the user
! file.<p> Each line of the user file file contains a username followed
! by a colon, followed by the crypt() encrypted password. The behavior
! of multiple occurrences of the same user is undefined.<p> Note that
! searching user groups files is inefficient; <A
! HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be
! used instead.<p>
! 
! Security: make sure that the AuthUserFile is stored outside the
! document tree of the web-server; do <em>not</em> put it in the directory that
! it protects. Otherwise, clients will be able to download the AuthUserFile.<p>
! 
! See also <A HREF="core.html#authname">AuthName</A>,
! <A HREF="core.html#authtype">AuthType</A> and
! <A HREF="#authgroupfile">AuthGroupFile</A>.<p>
! <hr>
! <A name="authauthoritative"><h2>AuthAuthoritative</h2></A>
! <!--%plaintext &lt;?INDEX {\tt AuthAuthoritative} directive&gt; -->
! <strong>Syntax:</strong> AuthAuthoritative &lt; <strong> on</strong>(default)
| off &gt; <br>
! <Strong>Context:</strong> directory, .htaccess<br>
! <Strong>Override:</strong> AuthConfig<br>
! <strong>Status:</strong> Base<br>
! <strong>Module:</strong> mod_auth<p>
! 
! Setting the AuthAuthoritative directive explicitly to <b>'off'</b>
! allows for both authentication and authorization to be passed on to
! lower level modules (as defined in the <code>Configuration</code> and
! <code>modules.c</code> files) if there is <b>no userID</b> or
! <b>rule</b> matching the supplied userID. If there is a userID and/or
! rule specified; the usual password and access checks will be applied
! and a failure will give an Authorization Required reply.
! 
! <p>
! 
! So if a userID appears in the database of more than one module; or if
! a valid require directive applies to more than one module; then the
! first module will verify the credentials; and no access is passed on;
! regardless of the AuthAuthoritative setting.
! 
! <p>
! 
! A common use for this is in conjunction with one of the database
! modules; such as <a
! href="mod_auth_db.html"><code>mod_auth_db.c</code></a>, <a
! href="mod_auth_dbm.html"><code>mod_auth_dbm.c</code></a>, <a
! href="mod_auth_msql.html"><code>mod_auth_msql.c</code></a> and <a
! href="mod_auth_anon.html"><code>mod_auth_anon.c</code></a>. These modules
! supply the bulk of the user credential checking; but a few
! (administrator) related accesses fall through to a lower level with a
! well protected AuthUserFile.
! 
! <p>
! 
! <b>Default:</b> By default; control is not passed on; and an unknown
! userID or rule will result in an Authorization Required reply. Not
! setting it thus keeps the system secure; and forces an NSCA compliant
! behaviour.
! 
! <p>
! 
! Security: Do consider the implications of allowing a user to allow
! fall-through in his .htaccess file; and verify that this is really
! what you want; Generally it is easier to just secure a single
! .htpasswd file, than it is to secure a database such as mSQL. Make
! sure that the AuthUserFile is stored outside the document tree of the
! web-server; do <em>not</em> put it in the directory that it
! protects. Otherwise, clients will be able to download the
! AuthUserFile.
! 
! <p>
! See also <A HREF="core.html#authname">AuthName</A>,
! <A HREF="core.html#authtype">AuthType</A> and
! <A HREF="#authgroupfile">AuthGroupFile</A>.<p>
  
+ <!--#include virtual="footer.html" -->
  </BODY>
  </HTML>
+ 
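Review bot: the direction of this diff looks inverted and should be checked before anything is committed: the `***` side (the working copy, judging by the 17:37:20 timestamp a minute before the mail) is the Netscape-Gold-generated HTML that carries the new text the cover note describes (the two-line example with an extra colon-separated field, the `support/htpasswd` mention and the crypt() portability warning), while the `---` side is the existing hand-written page without any of them, so applied as-is the patch would remove the additions rather than add them. Because the editor rewrote the whole file (the `META NAME="GENERATOR"` line, `<P>` wrapped around the `<!--#include -->` directives, `<MENU>`/`<LI>` and `<BLOCKQUOTE>` markup, `<HR>` moved inside `<P>`), a change of roughly twenty lines shows up as a 162-line rewrite; hand-editing the three new paragraphs into the existing markup would keep the diff reviewable and the page consistent with the other module docs. In the added text itself: the AuthUserFile example wraps `<P>` in `<UL>` whereas the AuthGroupFile example uses `<BLOCKQUOTE>`, and since the subject of PR 791 is exactly the `username:password:extrafields` layout, the format sentence should state what mod_auth does with the extra fields rather than only that they may be present. The sentence `Also HTTP username and password files travel unencrypted over the wire` should read `usernames and passwords travel unencrypted over the wire` (Basic authentication only base64-encodes them): the file never leaves the server, and the real point is that the paragraph's argument against `AuthUserFile /etc/passwd` is that system credentials would then be exposed on every request. Typos to fix in the new paragraphs: `follwed`, `awfull`, `DON't`, `transfering`, `user file file`; and `NSCA` (present on both sides) should be `NCSA`.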



----- End Included Message -----