[2916] in WWW Security List Archive
S/KEY authentication over HTTP protocol
daemon@ATHENA.MIT.EDU (LAI CHACK AN ITSC NCS)
Tue Sep 10 23:00:09 1996
From: LAI CHACK AN ITSC NCS <calai@ncspo3.ncs.com.sg>
To: "'Brian W. Spolarich'" <briansp@ans.net>
Cc: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Wed, 11 Sep 96 09:22:00 PDT
Errors-To: owner-www-security@ns2.rutgers.edu
The basic authentication mechanism of HTTP protocol is fine except that
it sends the password over the wire in the clear and would make it
vulnerable for sniffers. Hence I was just wondering if you know of any
initiatives/product that allows s/key authentication access for web
pages.. I've seen implementations of JAVA S/key calculators around the
web and was just curious to find out if anyone has integrated it into a
S/KEY authentication mechanism for web pages?
Charles Lai
----------
From: Brian W. Spolarich[SMTP:briansp@ans.net]
Sent: Tuesday, September 10, 1996 2:26 AM
To: Benjamin Suto
Cc: 'www-security@ns2.rutgers.edu'
Subject: Re: your mail
Benjamin, this is generally a pretty basic feature of most HTTP
servers.
The implementation of access controls varies greatly depending on your
server. Under Apache and other NCSA variants this is accomplished via
the
access.conf file. Under the Netscape Enterprise server, this is
accomplished via the Admin interface (as are most things). WN, on the
other hand, is a completely different beast altogether. Don't ask me
about IIS...I don't know. :-]
RTFM on your server to find out how to do this for your particular
product. You're looking for how to set up "Access Controls" or something
similar.
The authentication that we're talking about here is accomplished via
the
Basic authentication method which is part of the HTTP/1.0 protocol
specification (sometimes referred to as "HTTP Basic"). This
authentication method is built in to all current releases of any
reasonable Web client.
-brian
On Mon, 9 Sep 1996, Benjamin Suto wrote:
> I know this has been asked before, so I'll be quick.
>
> Does anyone know any resources for finding information on password
> protection certain web pages? For example, if a site tries to access a
> certain web page, or any web pages under it, a prompt would show up
> asking for a username and/or password.
>
> My company wants to restrict certain information from the rest of the
> Internet, but still allow our clients to access it.
>
> If anyone has any information as to how to do this, please send it to
me.
>
> Thanks,
>
> Ben
>
>
--
Brian W. Spolarich - ANS - briansp@ans.net - (313)677-7311
Look both ways before crossing the Net.
