httpd-modules-dev mailing list archives

From Mark Constable <ma...@renta.net>
Subject Re: Patch for mod_authn_dbd plaintext auth
Date Sun, 10 Jun 2007 07:03:53 GMT
On Saturday 09 June 2007 14:09:22 Frank Jones wrote:
> > A crypted
> > (or better) password hash in a plain text .htaccess is a good
> > idea but a database is already a binary blob so both would
> > prevent trivial accidental viewing of passwords.
> 
> This isn't directly relevant to your question, but I think it's
> important to point out that while sqlite databases are binary, they
> aren't really blobs. Try running "strings" on a sqlite database and
> you'll see what I mean.

Yes and hacking the crypted passwords in a .htaccess
file, these days, is only a step or two more complicated.
Both are only good enough to "prevent trivial accidental
viewing".

I was pleased to note that Brian F, over a year ago, has
also created a patch (and no one hacks on a module to
create a patch unless they *really* want the additional
functionality) so that demonstrates there is indeed a
need for plaintext passwords.

The point here is should the apache devs deny this
functionality to apache users, because some of them think
it's not appropriate (policy not technical), when there
are obviously patch(es) available?

On Saturday 09 June 2007 12:51:03 Brian J. France wrote:
> I agree with Nick that it should be moved up a level, but I think to
> do that it would require a re-work of all authn modules.

Would it be a reasonable compromise to accept this patch
in its current state and then look into making the
appropriate modifications to higher authn layers at a
later stage?

This approach has the benefit of getting feedback from
folks actually using plaintext passwords, in SQL backends
at least, and could provide more eyeballs on the issue
of migrating this change up the authn layer. Or, it
could prove this is a lame duck patch that no one wants
and just causes problems. I don't think the latter, but
incremental forward movement is not a bad approach.

--markc
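Frank's point above, that a SQLite file is not an opaque blob and `strings` will show what is in it, is easy to check for yourself. The following is an added example, not code from this thread or from httpd: it builds two small SQLite files with constructed credentials, one storing passwords in plaintext as the proposed patch would allow, the other storing an htpasswd-style `{SHA}` field that mod_authn_dbd can validate as-is, and then scans the raw file bytes the way `strings(1)` does. The table name `authn`, the column names and the sample users are assumptions made for the example.

```python
import base64
import hashlib
import os
import re
import sqlite3
import tempfile

# Constructed sample credentials for the example; not from the original thread.
USERS = [("alice", "Tr0ub4dor&3"), ("bob", "hunter2")]


def sha_htpasswd(password: str) -> str:
    """htpasswd-compatible '{SHA}' field: base64(SHA-1(password)).

    This is the format `htpasswd -s` writes and apr_password_validate accepts,
    so mod_authn_dbd can check it with no plaintext in the database. It is
    unsalted, so it only illustrates 'not plaintext', not a strong hash.
    """
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def build_db(path: str, plaintext: bool) -> None:
    """Create a one-table auth database shaped for a query such as
    AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
    (table/column names are assumptions for this example)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE authn (user TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    rows = [(u, p if plaintext else sha_htpasswd(p)) for u, p in USERS]
    conn.executemany("INSERT INTO authn VALUES (?, ?)", rows)
    conn.commit()
    conn.close()


def printable_strings(path: str, minlen: int = 4) -> list:
    """Rough equivalent of strings(1): runs of >= minlen printable ASCII bytes
    read straight from the file, bypassing SQLite entirely."""
    with open(path, "rb") as f:
        data = f.read()
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def leaked_passwords(path: str) -> list:
    """Return the sample passwords that appear verbatim in the raw file."""
    found = printable_strings(path)
    return sorted(p for _, p in USERS if any(p in s for s in found))


def demo() -> tuple:
    """Build both databases and report what a raw scan recovers from each."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain.db")
        hashed = os.path.join(d, "hashed.db")
        build_db(plain, plaintext=True)
        build_db(hashed, plaintext=False)
        return leaked_passwords(plain), leaked_passwords(hashed)


if __name__ == "__main__":
    plain_leaks, hashed_leaks = demo()
    print("plaintext db leaks:", plain_leaks)
    print("{SHA} db leaks:    ", hashed_leaks)
```

SQLite writes TEXT cells into the page payload uncompressed, so every plaintext password shows up in the scan of the first file, while the second file yields only base64 digests. The same scan works on a `.htaccess`/`.htpasswd` file, which is the sense in which Mark's reply treats the two storage choices as equivalent: the file format is not what protects the credential, the hashing is.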
