Posted to dev@httpd.apache.org by Pete Kruckenberg <pe...@dsw.com> on 1995/09/29 20:18:23 UTC

Suggestions for user security

A quick suggestion/idea. It'd be really nice to be able to have user
security that would allow the following in <Limit GET>: 

  if the incoming address is in the "allow" list, let it in immediately
  if the incoming address is in the "allow-require" list, ask for 
    id/password authentication
  if the incoming address is in the "deny" list, deny any access

The format of the allow-require would have a format of:

  allow-require host <host> [host <host>] user|group <user|group> \
                [user|group <user|group>]

Or, maybe it'd be better to have an "allow-noauth" that just lists hosts 
that should be allowed in without any authentication. Then the already 
existing allow/require would work as-is to require authentication of 
anyone else.

I guess there'd also have to be another option for "order": allow-noauth 
or allow-require.

If there is some way of doing this already, I'd love to know about it. 
I'd also appreciate suggestions on better ways to accomplish this same 
result. I'll write up a patch myself, but want to make it work for the 
most people. These are my specific requirements for the fix:

  - allow un-contested access to any "known" machines (domain name or IP)
  - allow passworded access to any other machines (at a client's site)
  - possibly deny access to all other machines

Security is not an incredibly huge concern. We just want to allow easy 
access to those who need to access these pages quickly and easily, while 
still allowing controlled access to some others, and finally preventing 
access to everyone else.

Ideas?

Pete Kruckenberg
pete@dsw.com
pete@inquo.net
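
An added example (not part of the message above and not Apache code): the proposed three-list check written as a C function that returns allow, ask-for-password, or deny for one client. The names `host_policy` and `check_access`, the pattern syntax, checking the deny list first, and refusing unlisted hosts are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Outcome of the three-list check proposed in the message. */
enum access_decision { ACCESS_ALLOW, ACCESS_AUTH_REQUIRED, ACCESS_DENY };

/* Hypothetical container for the three lists (NULL-terminated arrays). */
struct host_policy {
    const char **allow;          /* let in immediately */
    const char **allow_require;  /* ask for id/password */
    const char **deny;           /* deny any access */
};

/* Assumed pattern syntax: trailing '.' = IP prefix ("192.0.2."),
 * leading '.' = domain suffix (".example.com"), otherwise exact match.
 * Prefix and suffix both end on a dot, so "10.1." never matches 10.10.0.5. */
static int host_matches(const char *pat, const char *ip, const char *name)
{
    size_t plen = strlen(pat);
    if (plen == 0) return 0;
    if (pat[plen - 1] == '.') return strncmp(ip, pat, plen) == 0;
    if (pat[0] == '.') {
        size_t nlen = name ? strlen(name) : 0;
        return nlen > plen && strcasecmp(name + nlen - plen, pat) == 0;
    }
    return strcmp(ip, pat) == 0 || (name && strcasecmp(name, pat) == 0);
}

static int in_list(const char **list, const char *ip, const char *name)
{
    for (; list && *list; list++)
        if (host_matches(*list, ip, name)) return 1;
    return 0;
}

/* name is the client's verified hostname, or NULL if there is none; name
 * patterns then cannot match, so the client is never let in unauthenticated
 * on the strength of a missing or unverified lookup. */
enum access_decision check_access(const struct host_policy *p,
                                  const char *ip, const char *name)
{
    if (in_list(p->deny, ip, name)) return ACCESS_DENY;  /* assumption: deny wins */
    if (in_list(p->allow, ip, name)) return ACCESS_ALLOW;
    if (in_list(p->allow_require, ip, name)) return ACCESS_AUTH_REQUIRED;
    return ACCESS_DENY;  /* assumption: unlisted hosts are refused */
}
```

A caller would send the id/password challenge on `ACCESS_AUTH_REQUIRED` and skip it on `ACCESS_ALLOW`; hostname patterns are only as trustworthy as the reverse lookup that produced `name`.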