Posted to users@httpd.apache.org by shane c branch <sc...@barton.edu> on 2003/12/10 18:57:55 UTC

[users@httpd] Re: how to pw website and synch with samba and system pw?

 >I don't know about anyone else, but I can't parse these paragraphs.
 >What's with the weird <input thing?
 >
 >In any case, you might want to read
 >http://httpd.apache.org/docs/misc/FAQ.html#passwdauth
 >before you go any further.


Apologies to those on list for the garbled email. The web mail service 
claimed to be operating in plain text mode, which it clearly was not. I 
don't know what caused the garbled text. I changed the subscription 
address to prevent this in the future.

Joshua, thanks for the link. I do not recall seeing that 'warning' when 
researching this problem the first time.

This website will be for use on the corporate intranet only; I do not 
want that kind of security risk. What other solutions are available?

-- 

regards,

shane

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by shane c branch <sc...@barton.edu>.
Joshua Slive wrote:

> On Wed, 10 Dec 2003, Joshua Slive wrote:
> 
>>security wholes.
> 
> 
> Did I every mention I'm a great speler?
> 
> Joshua.
> 
Heh. Actually, I think that's what mucked up my first post on this 
subject: the spell checker from that webmail account.

-- 

regards,

shane



Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, Joshua Slive wrote:
> security wholes.

Did I every mention I'm a great speler?

Joshua.



Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by joe angth <jo...@yahoo.com>.
Depending on what system you are using, there are a couple of ways. I know of a great program for OpenBSD, mod_auth_bsd, http://www.25thandclement.com/~william/projects/bsdauth.html. There are similar ways to do things on a linux box.
 
-Joe

Joshua Slive <jo...@slive.ca> wrote:

On Wed, 10 Dec 2003, shane c branch wrote:
> Can you suggest a resource for researching CGI scripts? I know next to
> nothing about implementing them.

Well, a sample script that can be used for this purpose is at
http://home.xnet.com/~efflandt/pub/htpasswd.pl
It is written by a generally trustworthy person, but you should be very
cautious about using cgi scripts that you find on the web, since many of
them have security wholes.

General information about CGI and apache can be found here:
http://httpd.apache.org/docs-2.0/howto/cgi.html

Joshua.


Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, shane c branch wrote:
> Can you suggest a resource for researching CGI scripts? I know next to
> nothing about implementing them.

Well, a sample script that can be used for this purpose is at
http://home.xnet.com/~efflandt/pub/htpasswd.pl
It is written by a generally trustworthy person, but you should be very
cautious about using cgi scripts that you find on the web, since many of
them have security wholes.

General information about CGI and apache can be found here:
http://httpd.apache.org/docs-2.0/howto/cgi.html

Joshua.



Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by shane c branch <sc...@barton.edu>.
Joshua Slive wrote:


> No, that's not true.  Group protection "require group" is just a short form
> for "require user usera userb userc ...".  So they do not all share the
> same password, but you do still have the problems discussed below.
>
Thanks for clearing that up.


> I think I understand now.  This is a very basic, but difficult to solve
> problem.  Sharing a single password is always easier, but can lead to
> significant security problems, especially when one service (http) has
> significantly weaker security protections than the others.  There is no
> real way to avoid this.  Either you suffer the security consequences, or
> you suffer the inconvenience of multiple passwords.
> 
> If you want to go the multiple passwords route, then you can make your
> life slightly easier by using a CGI script to allow your users to change
> their own password from the web.
> 
> But to be frank, as long as this is a tightly restricted internal network,
> and as long as the web data and the stuff on the samba shares have
> approximately the same security sensitivity, I'd be tempted to just go
> ahead and use mod_auth_pam.  I'd consider putting it under mod_ssl to at
> least avoid plain-text passwords.
> 
> Joshua.
> 

Can you suggest a resource for researching CGI scripts? I know next to 
nothing about implementing them.

I will also take another look at mod_auth_pam. Maybe I will have better 
luck this time. Thanks again.

-- 

regards,

shane



Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, shane c branch wrote:
> This website contains confidential data and must be passworded. Each
> individual must have his own ID and password, so that audits can be
> conducted against each ID. From what I know of Apache I can protect the
> data by group using .htaccess files. But this solution means that
> everyone in the group will use the same password, which violates
> corporate security guidelines.

No, that's not true.  Group protection "require group" is just a short form
for "require user usera userb userc ...".  So they do not all share the
same password, but you do still have the problems discussed below.

> I can use the .htaccess to authorize users individually, but doing so
> (as I read the documentation) means that as the admin I must maintain
> each individual's password, since they will not have the permission to
> change it from a default setup password. I have no desire to maintain
> the passwords for all the users. I want to be able to give them an
> account on the linux box, with a default password which they must change
> at first usage, which will allow users access to both the web data and
> the samba shares.
>
> I found the mod_auth_pam module when I first attempted this a few months
> ago, but given the security risk you pointed out, if there is another
> way to accomplish what I need, I would prefer to explore it.

I think I understand now.  This is a very basic, but difficult to solve
problem.  Sharing a single password is always easier, but can lead to
significant security problems, especially when one service (http) has
significantly weaker security protections than the others.  There is no
real way to avoid this.  Either you suffer the security consequences, or
you suffer the inconvenience of multiple passwords.

If you want to go the multiple passwords route, then you can make your
life slightly easier by using a CGI script to allow your users to change
their own password from the web.

But to be frank, as long as this is a tightly restricted internal network,
and as long as the web data and the stuff on the samba shares have
approximately the same security sensitivity, I'd be tempted to just go
ahead and use mod_auth_pam.  I'd consider putting it under mod_ssl to at
least avoid plain-text passwords.

Joshua.
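As an added example (not the htpasswd.pl script linked in this thread, nor Apache project code), here is the core of the self-service password change Joshua describes, written in Python against an htpasswd file in the "{SHA}" entry format that `htpasswd -s` writes: the old password must verify before the entry is replaced, and the file is rewritten atomically so httpd never reads a half-written file. The file path and the eight-character minimum are assumptions for the example.

```python
import base64
import hashlib
import os
import secrets
import tempfile

# Added example, not the htpasswd.pl script from the thread. Handles only
# "{SHA}" entries (base64 of SHA-1, as "htpasswd -s" produces); entries in
# other formats are treated as non-matching. Assumes the file is edited only
# through this code (no lock is taken against a concurrent htpasswd run).


def sha_entry(password: str) -> str:
    """Return the password in Apache's {SHA} htpasswd format."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(path: str, user: str, password: str) -> bool:
    """True only if `user` exists and `password` matches its {SHA} entry."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, _, stored = line.rstrip("\n").partition(":")
            if name == user and stored.startswith("{SHA}"):
                # constant-time comparison of the two encoded entries
                return secrets.compare_digest(stored, sha_entry(password))
    return False


def change_password(path: str, user: str, old: str, new: str) -> bool:
    """Replace `user`'s entry only after the old password verifies."""
    if len(new) < 8 or not verify_password(path, user, old):
        return False
    with open(path, encoding="utf-8") as fh:
        lines = fh.readlines()
    out = []
    for line in lines:
        name, _, _ = line.rstrip("\n").partition(":")
        out.append(f"{user}:{sha_entry(new)}\n" if name == user else line)
    # Write a temp file in the same directory, then rename over the original:
    # os.replace is atomic on the same filesystem, so readers see old or new.
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".htpasswd.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.writelines(out)
    os.chmod(tmp, 0o640)  # keep the hashes unreadable to other local users
    os.replace(tmp, path)
    return True
```

A CGI wrapper would call `change_password` with the authenticated `REMOTE_USER` rather than a user name taken from the form, so one user cannot reset another's entry.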



Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by shane c branch <sc...@barton.edu>.
Joshua Slive wrote:

> On Wed, 10 Dec 2003, shane c branch wrote:
> 
> 
>> >I don't know about anyone else, but I can't parse these paragraphs.
>> >What's with the weird <input thing?
>> >
>> >In any case, you might want to read
>> >http://httpd.apache.org/docs/misc/FAQ.html#passwdauth
>> >before you go any further.
>>
>>
>>Apologies to those on list for the garbled email. the web mail service
>>claimed to be operating in plain text mode, which it clearly was not. I
>>don't know what caused the garbled text. I changed the subscription
>>address to prevent this in the future.
>>
>>Joshua, thanks for the link. I do not recall seeing that 'warning' when
>>researching this problem the first time.
>>
>>This website will be for use on the corporate intranet only; I do not
>>want that kind of security risk. What other solutions are available?
> 
> 
> I haven't yet clearly understood the problem for which you are looking for
> a solution.  If you can live with the security consequences, there are
> various third-party modules like mod_auth_smb, mod_auth_pam,
> mod_auth_external, etc, that can do http auth from a system password
> database.
> 
> Joshua.
> 
>
> 
Okay, I will try to be more clear.

This website contains confidential data and must be passworded. Each 
individual must have his own ID and password, so that audits can be 
conducted against each ID. From what I know of Apache I can protect the 
data by group using .htaccess files. But this solution means that 
everyone in the group will use the same password, which violates 
corporate security guidelines.

I can use the .htaccess to authorize users individually, but doing so 
(as I read the documentation) means that as the admin I must maintain 
each individual's password, since they will not have the permission to 
change it from a default setup password. I have no desire to maintain 
the passwords for all the users. I want to be able to give them an 
account on the linux box, with a default password which they must change 
at first usage, which will allow users access to both the web data and 
the samba shares.

I found the mod_auth_pam module when I first attempted this a few months 
ago, but given the security risk you pointed out, if there is another 
way to accomplish what I need, I would prefer to explore it.

-- 

regards,

shane



Re: [users@httpd] Re: how to pw website and synch with samba and system pw?

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, shane c branch wrote:

>  >I don't know about anyone else, but I can't parse these paragraphs.
>  >What's with the weird <input thing?
>  >
>  >In any case, you might want to read
>  >http://httpd.apache.org/docs/misc/FAQ.html#passwdauth
>  >before you go any further.
>
>
> Apologies to those on list for the garbled email. the web mail service
> claimed to be operating in plain text mode, which it clearly was not. I
> don't know what caused the garbled text. I changed the subscription
> address to prevent this in the future.
>
> Joshua, thanks for the link. I do not recall seeing that 'warning' when
> researching this problem the first time.
>
> This website will be for use on the corporate intranet only; I do not
> want that kind of security risk. What other solutions are available?

I haven't yet clearly understood the problem for which you are looking for
a solution.  If you can live with the security consequences, there are
various third-party modules like mod_auth_smb, mod_auth_pam,
mod_auth_external, etc, that can do http auth from a system password
database.

Joshua.
