httpd-users mailing list archives

From <pct...@mybellybutton.com>
Subject RE: [users@httpd] Security of using /etc/passwd
Date Thu, 13 Nov 2003 13:00:41 GMT
Another issue is that unless you specify not to, each
user in the /etc/passwd file has a shell account to
log onto the server via telnet/ssh.

Do you really want your web users to be able to
log onto the box?

--- Boyle Owen <Owen.Boyle@swx.com> wrote:
> > -----Original Message-----
> > From: Laurent Blume [mailto:laurent@elanor.org]
> >
> > I remember reading, some years ago, that it was possible to
> > use /etc/passwd to authenticate in Apache (as a .htpasswd), but
> > that it was strongly discouraged because of the security issues
> > that might arise.
>
> Since apache uses the same encryption mechanism as /etc/passwd,
> there is no technical problem in doing this.
>
> However, there are security considerations: the concern is that a
> hacker will try repeated logins with guessed passwords. The unix
> shell protects against brute-force dictionary-hacks by delaying
> response to a failed login and dropping the connection after three
> failed attempts. It also alerts the user when he does login that
> there were failed attempts while he was away.
>
> HTTP has none of these safeguards; an HTTP server treats every
> request anonymously and asynchronously so a hacker can fire off
> requests for an authenticated resource as fast as the server can
> handle them. If he knows a username, he can rapidly scan through a
> dictionary of passwords until he hits on a match. He then has
> access, not only to the protected realm, but to the user's unix
> account as well.
>
> It is up to you whether you think it is acceptable to endanger your
> users' unix accounts in this way.
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
> > However, I can't find that information anymore in Apache
> > documentation, particularly the security tips...
> >
> > Is it now impossible to do it at all, or not considered bad
> > anymore, or did I simply miss the information?
> >
> > My goal is to convince somebody that replicating the Unix users
> > in Apache's config is not the Right Way To Do It.
> > If I'm wrong on that, you're welcome to tell me why, maybe I'm
> > outdated on this :-)
> >
> > TIA,
> >
> > Laurent
> >
>---------------------------------------------------------------------
> >The official User-To-User support forum of the
> Apache HTTP 
> >Server Project.
> >See <URL:http://httpd.apache.org/userslist.html>
> for more info.
> >To unsubscribe, e-mail:
> users-unsubscribe@httpd.apache.org
> >   "   from the digest:
> users-digest-unsubscribe@httpd.apache.org
> >For additional commands, e-mail:
> users-help@httpd.apache.org
> >
> >
> Diese E-mail ist eine private und persnliche
> Kommunikation. Sie hat
> keinen Bezug zur B rsen- bzw. Geschftst tigkeit der
> SWX Swiss Exchange.
> This e-mail is of a private and personal nature. It
> is not related to
> the exchange or business activities of the SWX Swiss
> Exchange. Le prsent
> e-mail est un message priv  et personnel, sans
> rapport avec l'activit
> boursi re de la SWX Swiss Exchange.
> 
> This message is for the named person's use only. It
> may contain
> confidential, proprietary or legally privileged
> information. No
> confidentiality or privilege is waived or lost by
> any mistransmission.
> If you receive this message in error, please notify
> the sender urgently
> and then immediately delete the message and any
> copies of it from your
> system. Please also immediately destroy any
> hardcopies of the message.
> You must not, directly or indirectly, use, disclose,
> distribute, print,
> or copy any part of this message if you are not the
> intended recipient.
> The sender’s company reserves the right to monitor
> all e-mail
> communications through their networks. Any views
> expressed in this
> message are those of the individual sender, except
> where the message
> states otherwise and the sender is authorised to
> state them to be the
> views of the sender’s company. 
> 
> 
> 
>
---------------------------------------------------------------------
> The official User-To-User support forum of the
> Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for
> more info.
> To unsubscribe, e-mail:
> users-unsubscribe@httpd.apache.org
>    "   from the digest:
> users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail:
> users-help@httpd.apache.org
> 


=====


--------------------------------------------------------------
"Never memorize what you can look up."  -Albert Einstein

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
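Two checks that follow from the thread, as an added example that is not part of any message above: which /etc/passwd entries are real shell accounts (the users a cracked web password would also hand over, per the top post), and which clients are guessing HTTP Basic-auth passwords against an Apache realm, found by counting 401 responses per client and user name inside a sliding time window (the safeguard Owen points out HTTP lacks). The passwd excerpt and access-log lines are constructed samples; the threshold of three failures and the 60-second window are assumptions chosen to mirror the "three failed attempts" rule cited for the shell.

```python
"""Added example for the /etc/passwd-as-htpasswd discussion.
SAMPLE_PASSWD and SAMPLE_LOG are constructed, not real data."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shells that refuse an interactive session; anything else is treated as a login shell.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/false
"""


def shell_accounts(passwd_text):
    """Return user names whose login shell allows an interactive login."""
    users = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed entry: skip rather than guess
            continue
        name, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS:
            users.append(name)
    return users


# Apache "combined" access-log line. On a 401 the %u field carries the user name
# the client claimed in its Authorization header, which is what we want to count.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed access-log excerpt: one client guessing alice's password four
# times in a few seconds and then succeeding, plus one unrelated single failure.
SAMPLE_LOG = """\
203.0.113.5 - alice [13/Nov/2003:13:00:01 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.10"
203.0.113.5 - alice [13/Nov/2003:13:00:01 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.10"
203.0.113.5 - alice [13/Nov/2003:13:00:02 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.10"
203.0.113.5 - alice [13/Nov/2003:13:00:02 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/7.10"
203.0.113.5 - alice [13/Nov/2003:13:00:03 +0000] "GET /private/ HTTP/1.1" 200 2048 "-" "curl/7.10"
198.51.100.7 - bob [13/Nov/2003:13:05:00 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""


def parse_ts(text):
    """Parse Apache's %t timestamp, e.g. 13/Nov/2003:13:00:01 +0000."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def guessing_clients(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {(client_ip, user): peak_failures} for every client/user pair that
    produced `threshold` or more 401s within any span of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        failures[(m.group("ip"), m.group("user"))].append(parse_ts(m.group("ts")))

    flagged = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):      # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    print("shell accounts:", shell_accounts(SAMPLE_PASSWD))
    print("guessing clients:", guessing_clients(SAMPLE_LOG))
```

Run against a real /etc/passwd and access log, the first function lists every name whose password an attacker could reuse over ssh if the web realm shared the system password file; the second is the alert Apache itself will not raise, since nothing in the protocol slows down or cuts off a client after repeated failures. A 200 following a run of 401s for the same client and user, as in the sample, is the pattern worth paging on.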