Subject: RE: [users@httpd] Security of using /etc/passwd
Date: Thu, 13 Nov 2003 05:00:41 -0800 (PST)
To: users@httpd.apache.org

Another issue is that unless you specify not to, each user in the /etc/passwd file has a shell account to log onto the server via telnet/ssh. Do you really want your web users to be able to log onto the box?

--- Boyle Owen wrote:
> >-----Original Message-----
> >From: Laurent Blume [mailto:laurent@elanor.org]
> >
> >I remember reading, some years ago, that it was possible to
> >use /etc/passwd to authenticate in Apache (as a .htpasswd), but that
> >it was strongly discouraged because of the security issues that might arise.
>
> Since apache uses the same encryption mechanism as /etc/passwd, there is
> no technical problem in doing this.
>
> However, there are security considerations: the concern is that a hacker
> will try repeated logins with guessed passwords. The unix shell protects
> against brute-force dictionary-hacks by delaying response to a failed
> login and dropping the connection after three failed attempts. It also
> alerts the user when he does login that there were failed attempts while
> he was away.
>
> HTTP has none of these safeguards; an HTTP server treats every request
> anonymously and asynchronously so a hacker can fire off requests for an
> authenticated resource as fast as the server can handle them. If he
> knows a username, he can rapidly scan through a dictionary of passwords
> until he hits on a match. He then has access, not only to the protected
> realm, but to the user's unix account as well.
>
> It is up to you whether you think it is acceptable to endanger your
> users' unix accounts in this way.
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
> >However, I can't find that information anymore in Apache documentation,
> >particularly the security tips...
> >
> >Is it now impossible to do it at all, or not considered bad anymore,
> >or did I simply miss the information?
> >
> >My goal is to convince somebody that replicating the Unix users in
> >Apache's config is not the Right Way To Do It.
> >If I'm wrong on that, you're welcome to tell me why, maybe I'm
> >outdated on this :-)
> >
> >TIA,
> >
> >Laurent
> >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP Server Project.
> >See for more info.
> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >For additional commands, e-mail: users-help@httpd.apache.org
> >

=====
--------------------------------------------------------------
"Never memorize what you can look up." -Albert Einstein
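Owen's point is that HTTP applies none of the shell's login throttling, so the failed attempts have to be caught somewhere else, and the access log is the obvious place. As an added example that is not part of this thread or of Apache itself, here is a Python check over constructed combined-format access log lines that flags a (client, user) pair with three or more 401 responses inside ten seconds; the threshold, window, hosts and user names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
# On a 401 the %u field carries the username the client tried, so refused logins
# can still be attributed per (client, user).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (documentation-range hosts, made-up names): one client hammers
# /private/ as "alice" and gets in on the 4th try; another mistypes once, then succeeds.
SAMPLE_LOG = """\
203.0.113.5 - alice [13/Nov/2003:13:00:41 +0000] "GET /private/ HTTP/1.1" 401 383 "-" "curl/7.10"
203.0.113.5 - alice [13/Nov/2003:13:00:42 +0000] "GET /private/ HTTP/1.1" 401 383 "-" "curl/7.10"
203.0.113.5 - alice [13/Nov/2003:13:00:42 +0000] "GET /private/ HTTP/1.1" 401 383 "-" "curl/7.10"
203.0.113.5 - alice [13/Nov/2003:13:00:43 +0000] "GET /private/ HTTP/1.1" 200 1532 "-" "curl/7.10"
198.51.100.7 - bob [13/Nov/2003:13:05:00 +0000] "GET /private/ HTTP/1.1" 401 383 "-" "Mozilla/5.0"
198.51.100.7 - bob [13/Nov/2003:13:05:30 +0000] "GET /private/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (host, user, timestamp, status), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("host"), m.group("user"), ts, int(m.group("status"))

def find_bruteforce(lines, threshold=3, window=timedelta(seconds=10)):
    """Map (host, user) -> largest number of 401s inside any `window`-long span, for pairs
    reaching `threshold`; the defaults imitate the shell's 'three failed attempts' rule."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == 401:
            failures[(parsed[0], parsed[1])].append(parsed[2])
    flagged = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):           # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(count, flagged.get(key, 0))
    return flagged
```

Run `find_bruteforce(SAMPLE_LOG.splitlines())` to see only the hammering client flagged; lowering `threshold` to 1 also lists the single mistyped login.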