httpd-users mailing list archives

From Laurent Blume <laur...@elanor.org>
Subject RE: [users@httpd] Security of using /etc/passwd
Date Thu, 13 Nov 2003 14:26:40 GMT
Selon pctech@mybellybutton.com:

> Another issue is that unless you specify not to, each
> user in the /etc/passwd file has a shell account to
> log onto the server via telnet/ssh.
> 
> Do you really want your web users to be able to
> log onto the box?
> 
> --- Boyle Owen <Owen.Boyle@swx.com> wrote:
> > >-----Original Message-----
> > >From: Laurent Blume [mailto:laurent@elanor.org]
> > >
> > >I remember reading, some years ago, that it was possible to
> > >use /etc/passwd to authenticate in Apache (as a .htpasswd), but that
> > >it was strongly discouraged because of the security issues that might arise.
> > 
> > Since apache uses the same encryption mechanism as /etc/passwd, there is
> > no technical problem in doing this.
> > 
> > However, there are security considerations: the concern is that a hacker
> > will try repeated logins with guessed passwords. The unix shell protects
> > against brute-force dictionary-hacks by delaying response to a failed
> > login and dropping the connection after three failed attempts. It also
> > alerts the user when he does login that there were failed attempts while
> > he was away.
> > 
> > HTTP has none of these safeguards; an HTTP server treats every request
> > anonymously and asynchronously so a hacker can fire off requests for an
> > authenticated resource as fast as the server can handle them. If he
> > knows a username, he can rapidly scan through a dictionary of passwords
> > until he hits on a match. He then has access, not only to the protected
> > realm, but to the user's unix account as well.
> > 
> > It is up to you whether you think it is acceptable to endanger your
> > users' unix accounts in this way.

Yes, both your answers sum up very well what I remember I read (and confirms me
in my own opinion!).
However, I'm fighting the age-old argument "it's going to be easier for users
this way".

So if I could find an "official" statement from apache.org, saying that
basically, if we do that, we're on our own, it'd help me.

I'll take any idea about where to look for that!

Laurent

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
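The point made in the quoted reply is that HTTP Basic auth gives the server no built-in throttling or alerting for repeated failed logins, so the safeguard has to be added on the defender's side. As an added example (not part of the thread or of Apache itself), the script below reads Apache common-log lines, keeps a sliding window of 401 responses per client address, and flags addresses that cross a threshold; the log lines, addresses and threshold are constructed for the example.

```python
# Added example, not from the thread: flag Basic-auth brute-force attempts in
# an Apache access log, one of the safeguards a login shell provides and HTTP
# does not. The log lines below are constructed, not real traffic.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "common" log format with the default timestamp layout. On a 401 the
# %u field holds the username the client attempted, which is what we want.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

SAMPLE_LOG = """\
203.0.113.7 - bob [13/Nov/2003:14:20:01 +0000] "GET /private/ HTTP/1.1" 401 381
203.0.113.7 - bob [13/Nov/2003:14:20:01 +0000] "GET /private/ HTTP/1.1" 401 381
203.0.113.7 - bob [13/Nov/2003:14:20:02 +0000] "GET /private/ HTTP/1.1" 401 381
203.0.113.7 - bob [13/Nov/2003:14:20:02 +0000] "GET /private/ HTTP/1.1" 401 381
203.0.113.7 - bob [13/Nov/2003:14:20:03 +0000] "GET /private/ HTTP/1.1" 401 381
203.0.113.7 - bob [13/Nov/2003:14:20:03 +0000] "GET /private/ HTTP/1.1" 200 2048
198.51.100.9 - alice [13/Nov/2003:14:21:10 +0000] "GET /private/ HTTP/1.1" 401 381
198.51.100.9 - alice [13/Nov/2003:14:21:40 +0000] "GET /private/ HTTP/1.1" 200 2048
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> (last username tried, 401 count) for every client
    that produced at least `threshold` 401s within any `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = (rec["user"], len(q))
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': ('bob', 5)}
```

A single guessed login followed by a 200, as in the sample for bob, is exactly the case the thread warns about: with /etc/passwd behind the realm, that success is also a shell account.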

