Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@avron.ICS.UCI.EDU> on 1995/05/08 10:23:06 UTC
Re: Patch to allow use of password file as auth DB (from USENET)
> What his patch does is permit people to say "AuthUserFile +" and then
> it will allow the use of NIS to find username-password information
> instead of special password files for httpd.
Ummmm, just to pick a little nit, this is a really bad idea from
the point of security. The Basic AA is bad enough, but to encourage
users to pass their real system passwords through HTTP en clair is
quite irresponsible.
.....Roy
Re: Patch to allow use of password file as auth DB (from USENET)
Posted by Brian Behlendorf <br...@organic.com>.
On Mon, 8 May 1995, Roy T. Fielding wrote:
> > What his patch does is permit people to say "AuthUserFile +" and then
> > it will allow the use of NIS to find username-password information
> > instead of special password files for httpd.
>
> Ummmm, just to pick a little nit, this is a really bad idea from
> the point of security. The Basic AA is bad enough, but to encourage
> users to pass their real system passwords through HTTP en clair is
> quite irresponsible.
I would agree. Include the patch in /contrib, maybe, but let's not
encourage that, at least until we've done the dirty work and put in
message-digest authentication.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/