Posted to users@httpd.apache.org by shane c branch <sc...@barton.edu> on 2003/12/10 18:57:55 UTC
[users@httpd] Re: how to pw website and synch with samba and system pw?
>I don't know about anyone else, but I can't parse these paragraphs.
>What's with the weird <input thing?
>
>In any case, you might want to read
>http://httpd.apache.org/docs/misc/FAQ.html#passwdauth
>before you go any further.
Apologies to those on list for the garbled email. The web mail service
claimed to be operating in plain text mode, which it clearly was not. I
don't know what caused the garbled text. I changed the subscription
address to prevent this in the future.
Joshua, thanks for the link. I do not recall seeing that 'warning' when
researching this problem the first time.
This website will be for use on the corporate intranet only; I do not
want that kind of security risk. What other solutions are available?
--
regards,
shane
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by shane c branch <sc...@barton.edu>.
Joshua Slive wrote:
> On Wed, 10 Dec 2003, Joshua Slive wrote:
>
>>security wholes.
>
>
> Did I every mention I'm a great speler?
>
> Joshua.
>
>
Heh. Actually, I think that's what mucked up my first post on this
subject: the spell checker from that webmail account.
--
regards,
shane
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, Joshua Slive wrote:
> security wholes.
Did I every mention I'm a great speler?
Joshua.
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by joe angth <jo...@yahoo.com>.
Depending on what system you are using, there are a couple of ways. I know of a great program for OpenBSD, mod_auth_bsd, http://www.25thandclement.com/~william/projects/bsdauth.html. There are similar ways to do things on a linux box.
-Joe
Joshua Slive <jo...@slive.ca> wrote:
On Wed, 10 Dec 2003, shane c branch wrote:
> Can you suggest a resource for researching CGI scripts? I know next to
> nothing about implementing them.
Well, a sample script that can be used for this purpose is at
http://home.xnet.com/~efflandt/pub/htpasswd.pl
It is written by a generally trustworthy person, but you should be very
cautious about using cgi scripts that you find on the web, since many of
them have security wholes.
General information about CGI and apache can be found here:
http://httpd.apache.org/docs-2.0/howto/cgi.html
Joshua.
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, shane c branch wrote:
> Can you suggest a resource for researching CGI scripts? I know next to
> nothing about implementing them.
Well, a sample script that can be used for this purpose is at
http://home.xnet.com/~efflandt/pub/htpasswd.pl
It is written by a generally trustworthy person, but you should be very
cautious about using cgi scripts that you find on the web, since many of
them have security wholes.
General information about CGI and apache can be found here:
http://httpd.apache.org/docs-2.0/howto/cgi.html
Joshua.
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by shane c branch <sc...@barton.edu>.
Joshua Slive wrote:
> No that's not true. Group protection "require group" is just a short form
> for "require user usera userb userc ...". So they do not all share the
> same password, but you do still have the problems discussed below.
>
Thanks for clearing that up.
> I think I understand now. This is a very basic, but difficult to solve
> problem. Sharing a single password is always easier, but can lead to
> significant security problems, especially when one service (http) has
> significantly weaker security protections than the others. There is no
> real way to avoid this. Either you suffer the security consequences, or
> you suffer the inconvenience of multiple passwords.
>
> If you want to go the multiple passwords route, then you can make your
> life slightly easier by using a CGI script to allow your users to change
> their own password from the web.
>
> But to be frank, as long as this is a tightly restricted internal network,
> and as long as the web data and the stuff on the samba shares have
> approximately the same security sensitivity, I'd be tempted to just go
> ahead and use mod_auth_pam. I'd consider putting it under mod_ssl to at
> least avoid plain-text passwords.
>
> Joshua.
>
Can you suggest a resource for researching CGI scripts? I know next to
nothing about implementing them.
I will also take another look at mod_auth_pam. Maybe I will have better
luck this time. Thanks again.
--
regards,
shane
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, shane c branch wrote:
> This website contains confidential data and must be passworded. Each
> individual must have his own ID and password, so that audits can be
> conducted against each ID. From what I know of Apache I can protect the
> data by group using .htaccess files. But this solution means that
> everyone in the group will use the same password, which violates
> corporate security guidelines.
No that's not true. Group protection "require group" is just a short form
for "require user usera userb userc ...". So they do not all share the
same password, but you do still have the problems discussed below.
> I can use the .htaccess to authorize users individually, but doing so
> (as I read the documentation) means that as the admin I must maintain
> each individual's password, since they will not have the permission to
> change it from a default setup password. I have no desire to maintain
> the passwords for all the users. I want to be able to give them an
> account on the linux box, with a default password which they must change
> at first usage, which will allow users access to both the web data and
> the samba shares.
>
> I found the mod_auth_pam module when I first attempted this a few months
> ago, but given the security risk you pointed out, if there is another
> way to accomplish what I need, I would prefer to explore it.
I think I understand now. This is a very basic, but difficult to solve
problem. Sharing a single password is always easier, but can lead to
significant security problems, especially when one service (http) has
significantly weaker security protections than the others. There is no
real way to avoid this. Either you suffer the security consequences, or
you suffer the inconvenience of multiple passwords.
If you want to go the multiple passwords route, then you can make your
life slightly easier by using a CGI script to allow your users to change
their own password from the web.
But to be frank, as long as this is a tightly restricted internal network,
and as long as the web data and the stuff on the samba shares have
approximately the same security sensitivity, I'd be tempted to just go
ahead and use mod_auth_pam. I'd consider putting it under mod_ssl to at
least avoid plain-text passwords.
Joshua.
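The two points in Joshua's reply above, that `require group` is only shorthand for a list of individually authenticated users (so group members never share a password) and that a small self-service script can let each user change their own entry, as an added example that is not code from the thread or from the Apache project. It is a Python model of the AuthUserFile/AuthGroupFile semantics plus an atomic password change; it assumes `{SHA}` hash fields (what `htpasswd -s` writes) only because they need no third-party library, and the usernames, passwords and group names are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import tempfile


def sha_entry(password: str) -> str:
    """htpasswd '{SHA}' field: base64 of the unsalted SHA-1 of the password
    ('htpasswd -s'). Unsalted, so prefer 'htpasswd -B' (bcrypt) in practice."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(stored: str, password: str) -> bool:
    """Verify against one hash field; schemes other than {SHA} are rejected, not guessed."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))


def parse_htpasswd(text: str) -> dict:
    """AuthUserFile lines 'user:hash' -> {user: hash}; blanks and #comments skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, field = line.split(":", 1)
            users[user] = field
    return users


def parse_groups(text: str) -> dict:
    """AuthGroupFile lines 'group: user1 user2' -> {group: set(users)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def require_user(allowed, htpasswd, user, password) -> bool:
    """'Require user a b c': user must be listed AND present their own password."""
    return user in allowed and user in htpasswd and check_password(htpasswd[user], password)


def require_group(groups, htpasswd, group, user, password) -> bool:
    """'Require group g' == 'Require user <members of g>': same per-user hashes."""
    return require_user(groups.get(group, set()), htpasswd, user, password)


def change_password(path, user, old_password, new_password) -> bool:
    """Self-service change: prove knowledge of the current password, then rewrite the
    file atomically (temp file + rename) so readers never see a half-written file.
    Returns False when the user is unknown or the old password is wrong."""
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    current = parse_htpasswd("\n".join(lines))
    if user not in current or not check_password(current[user], old_password):
        return False
    new_lines = [f"{user}:{sha_entry(new_password)}" if ln.split(":", 1)[0] == user else ln
                 for ln in lines]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".htpasswd-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write("\n".join(new_lines) + "\n")
        os.chmod(tmp, 0o640)  # readable by the httpd group, never world-readable
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


# Constructed sample data (not from the thread): three accounts, each with its own password.
SAMPLE_PASSWORDS = {"alice": "alice-pw-1", "bob": "bob-pw-2", "carol": "carol-pw-3"}
SAMPLE_HTPASSWD = "".join(f"{u}:{sha_entry(p)}\n" for u, p in SAMPLE_PASSWORDS.items())
SAMPLE_GROUPS = "finance: alice bob\nhr: carol\n"


def demo() -> dict:
    """Run the scenarios and return their outcomes keyed by name."""
    htpasswd = parse_htpasswd(SAMPLE_HTPASSWD)
    groups = parse_groups(SAMPLE_GROUPS)
    r = {
        "alice_finance_own_pw": require_group(groups, htpasswd, "finance", "alice", "alice-pw-1"),
        "alice_finance_bobs_pw": require_group(groups, htpasswd, "finance", "alice", "bob-pw-2"),
        "carol_finance_own_pw": require_group(groups, htpasswd, "finance", "carol", "carol-pw-3"),
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "htpasswd")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_HTPASSWD)
        r["change_wrong_old"] = change_password(path, "bob", "not-his-pw", "bob-new")
        r["change_ok"] = change_password(path, "bob", "bob-pw-2", "bob-new")
        with open(path, encoding="utf-8") as f:
            after = parse_htpasswd(f.read())
        r["bob_new_pw_works"] = check_password(after["bob"], "bob-new")
        r["bob_old_pw_rejected"] = check_password(after["bob"], "bob-pw-2")
        r["alice_untouched"] = after["alice"] == htpasswd["alice"]
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The Apache side that this models is the usual `AuthType Basic`, `AuthUserFile`, `AuthGroupFile` and `Require group finance` block: Alice authenticates with her own hash whether the directive names her directly or via the group, and Bob's password never opens her account. If `change_password` is wired up as a CGI, it should sit behind mod_ssl as Joshua suggests (the old and new passwords travel in the request), the file must be writable by the CGI's uid without being world-readable, and for concurrent use the read-modify-rename sequence needs a lock (for example `fcntl.flock` on a sidecar lock file), which the example leaves out for brevity.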
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by shane c branch <sc...@barton.edu>.
Joshua Slive wrote:
> On Wed, 10 Dec 2003, shane c branch wrote:
>
>
>> >I don't know about anyone else, but I can't parse these paragraphs.
>> >What's with the weird <input thing?
>> >
>> >In any case, you might want to read
>> >http://httpd.apache.org/docs/misc/FAQ.html#passwdauth
>> >before you go any further.
>>
>>
>>Apologies to those on list for the garbled email. The web mail service
>>claimed to be operating in plain text mode, which it clearly was not. I
>>don't know what caused the garbled text. I changed the subscription
>>address to prevent this in the future.
>>
>>Joshua, thanks for the link. I do not recall seeing that 'warning' when
>>researching this problem the first time.
>>
>>This website will be for use on the corporate intranet only; I do not
>>want that kind of security risk. What other solutions are available?
>
>
> I haven't yet clearly understood the problem for which you are looking for
> a solution. If you can live with the security consequences, there are
> various third-party modules like mod_auth_smb, mod_auth_pam,
> mod_auth_external, etc, that can do http auth from a system password
> database.
>
> Joshua.
>
>
>
Okay, I will try to be more clear.
This website contains confidential data and must be passworded. Each
individual must have his own ID and password, so that audits can be
conducted against each ID. From what I know of Apache I can protect the
data by group using .htaccess files. But this solution means that
everyone in the group will use the same password, which violates
corporate security guidelines.
I can use the .htaccess to authorize users individually, but doing so
(as I read the documentation) means that as the admin I must maintain
each individual's password, since they will not have the permission to
change it from a default setup password. I have no desire to maintain
the passwords for all the users. I want to be able to give them an
account on the linux box, with a default password which they must change
at first usage, which will allow users access to both the web data and
the samba shares.
I found the mod_auth_pam module when I first attempted this a few months
ago, but given the security risk you pointed out, if there is another
way to accomplish what I need, I would prefer to explore it.
--
regards,
shane
Re: [users@httpd] Re: how to pw website and synch with samba and system pw?
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 10 Dec 2003, shane c branch wrote:
> >I don't know about anyone else, but I can't parse these paragraphs.
> >What's with the weird <input thing?
> >
> >In any case, you might want to read
> >http://httpd.apache.org/docs/misc/FAQ.html#passwdauth
> >before you go any further.
>
>
> Apologies to those on list for the garbled email. The web mail service
> claimed to be operating in plain text mode, which it clearly was not. I
> don't know what caused the garbled text. I changed the subscription
> address to prevent this in the future.
>
> Joshua, thanks for the link. I do not recall seeing that 'warning' when
> researching this problem the first time.
>
> This website will be for use on the corporate intranet only; I do not
> want that kind of security risk. What other solutions are available?
I haven't yet clearly understood the problem for which you are looking for
a solution. If you can live with the security consequences, there are
various third-party modules like mod_auth_smb, mod_auth_pam,
mod_auth_external, etc, that can do http auth from a system password
database.
Joshua.