httpd-users mailing list archives

From Wilfred J G Francis <ucgb...@ucl.ac.uk>
Subject RE: [users@httpd] htaccess and unix passwd file - newbie to this list and apache
Date Fri, 24 Oct 2003 13:50:56 GMT
Thanks for this, will stick to what I have for the moment till I get to
grips with another suggestion: use mod_auth_pam.

Ta very much
Wilfred

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle@swx.com] 
Sent: 22 October 2003 13:43
To: users
Subject: RE: [users@httpd] htaccess and unix passwd file - newbie to this list and apache


>-----Original Message-----
>From: Wilfred J G Francis [mailto:ucgbwjf@ucl.ac.uk]
>
>Is one able to link htaccess password file to Solaris 8 passwd file? I 
>have installed Apache 2 on a sunbox running Solaris 8

Umm.. in Solaris 8, /etc/passwd doesn't contain the encrypted passwords -
they're kept in /etc/shadow which is readable only by root. You'd need a
root cronjob to copy /etc/shadow to somewhere else where apache can read
it (or - heaven forbid - change the permissions on /etc/shadow).

Once you do this, it will certainly work as an AuthUserFile since unix
and htpasswd use the same hashing algorithm for password encryption.

However... It is not very wise to use real live unix passwords in an
apache authenticated realm because someone who hacks into the realm will
learn a username/password pair for the system. The Basic Authentication
scheme is a bit vulnerable to dictionary hacks because:

- there is no limit on the number of tries (unix shell limits you to
three)
- there is no sleep between failed tries (you can hack as fast as the
server responds). Unix forces a few seconds of sleep after a failed
attempt.
- when the real user logs in, there is no alert that there were N
unsuccessful tries while you were away (as there is with unix).

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>
>Any help will be greatly appreciated
>
>Wilfred
>
>*********************************
>Physiology Department
>Ext: 33265
>Tel: 020 7679 3265
>Email: Wilfred.Francis@ucl.ac.uk
>*********************************
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

