httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Date Wed, 10 Dec 2003 18:57:16 GMT

On Wed, 10 Dec 2003, shane c branch wrote:
> This website contains confidential data and must be passworded. Each
> individual must have his own ID and password, so that audits can be
> conducted against each ID. From what I know of Apache I can protect the
> data by group using .htaccess files. But this solution means that
> everyone in the group will use the same password, which violates
> corporate security guidelines.

No that's not true.  Group protection "require group" is just a short form
for "require user usera userb userc ...".  So they do not all share the
same password, but you do still have the problems discussed below.

> I can use the .htaccess to authorize users individually, but doing so
> (as I read the documentation) means that as the admin I must maintain
> each individual's password, since they will not have the permission to
> change it from a default setup password. I have no desire to maintain
> the passwords for all the users. I want to be able to give them an
> account on the linux box, with a default password which they must change
> at first usage, which will allow users access to both the web data and
> the samba shares.
>
> I found the mod_auth_pam module when I first attempted this a few months
> ago, but given the security risk you pointed out, if there is another
> way to accomplish what I need, I would prefer to explore it.

I think I understand now.  This is a very basic, but difficult to solve
problem.  Sharing a single password is always easier, but can lead to
significant security problems, especially when one service (http) has
significantly weaker security protections than the others.  There is no
real way to avoid this.  Either you suffer the security consequences, or
you suffer the inconvenience of multiple passwords.

If you want to go the multiple passwords route, then you can make your
life slightly easier by using a CGI script to allow your users to change
their own password from the web.

But to be frank, as long as this is a tightly restricted internal network,
and as long as the web data and the stuff on the samba shares have
approximately the same security sensitivity, I'd be tempted to just go
ahead and use mod_auth_pam.  I'd consider putting it under mod_ssl to at
least avoid plain-text passwords.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message