In-Reply-To: <n1367087592.81834@yes.optus.com.au>
Date: Fri, 11 Oct 1996 06:42:38 -0500
To: www-security <www-security@ns2.rutgers.edu>
From: Enrico Cantu <ecantu@uh.edu>
Cc: Paul Schaap <paul_schaap@yes.optus.com.au>
Errors-To: owner-www-security@ns2.rutgers.edu

At 10:49 AM +1000 on 10/11/96, Paul Schaap wrote:

> The issue is I have to make my site only accessible via a login/password
>and I would like the login/password to be the same as the user currently
>has for the telnet connection.
>
> I have toyed with two solutions :-
> 1) .htaccess - perfect, however problem with this is it has its own
>login/password setup, can this be circumvented <hacked> to test the telnet
>security ?

If your users have telnet (shell) accounts on the same system, then they can see your .htaccess files. The only way around this is to have a creative uid/gid solution with respect to the uid of the server's process(es), which, depending on your current groups setup, may or may not yield an acceptable number of options.

> 2) html/cgi - real easy to test the validity of the login/password but
>any user with an ounce of nous could figure their way around the security
>!?

how? (not that it can't be done, but what were you thinking, specifically)

At least with CGI you can have the process do all sorts of checking/logging/authenticating/reporting beyond any htpasswd-based method. (and Apache has very nice hooks into SSL, should you wish to expand your security further)

Whether you use Perl or C, look to the getpwent() and crypt() functions to help you with this task.

Enrico

--
Out the 10Base-T, off the bridge, round the token-ring, past the firewall, through the router, down the T1, over the leased line ... nothing but Net.
ecantu@uh.edu http://www.bchs.uh.edu/~ecantu/
GC at chembb@menudo.uh.edu
Department of Biochemical and Biophysical Sciences, University of Houston
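
The uid/gid arrangement suggested in the reply above can be checked mechanically. The C program below is an added example, not part of the original message: it reports whether a password or .htaccess file is readable by the web server's uid/gid and whether it is also readable or writable by every other local account. The function names and the numeric ids used with it are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Audit result bits. */
enum { SERVER_CAN_READ = 1, OTHERS_CAN_READ = 2, OTHERS_CAN_WRITE = 4 };

/* Classic UNIX check: owner bits if the uid matches, else group bits if the
 * gid matches, else "other" bits. Supplementary groups and ACLs are ignored. */
static int can_read(mode_t mode, uid_t fuid, gid_t fgid, uid_t uid, gid_t gid)
{
    if (uid == 0) return 1;                       /* root reads everything */
    if (uid == fuid) return (mode & S_IRUSR) != 0;
    if (gid == fgid) return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Pure classification of one file's mode and ownership against the
 * server's uid/gid. Shell users are modelled as "other". */
int audit_mode(mode_t mode, uid_t fuid, gid_t fgid, uid_t srv_uid, gid_t srv_gid)
{
    int r = 0;
    if (can_read(mode, fuid, fgid, srv_uid, srv_gid)) r |= SERVER_CAN_READ;
    if (mode & S_IROTH) r |= OTHERS_CAN_READ;
    if (mode & S_IWOTH) r |= OTHERS_CAN_WRITE;
    return r;
}

/* stat() the file and classify it; -1 if it cannot be examined. */
int audit_file(const char *path, uid_t srv_uid, gid_t srv_gid)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return audit_mode(st.st_mode, st.st_uid, st.st_gid, srv_uid, srv_gid);
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s FILE SERVER_UID SERVER_GID\n", argv[0]);
        return 2;
    }
    int r = audit_file(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                       (gid_t)strtoul(argv[3], NULL, 10));
    if (r < 0) { perror(argv[1]); return 2; }
    printf("server can read: %s\n", (r & SERVER_CAN_READ) ? "yes" : "NO");
    printf("other local users can read: %s\n", (r & OTHERS_CAN_READ) ? "YES" : "no");
    printf("other local users can write: %s\n", (r & OTHERS_CAN_WRITE) ? "YES" : "no");
    /* Exit 0 only for the wanted state: server reads, nobody else does. */
    return r == SERVER_CAN_READ ? 0 : 1;
}
```

A file owned by the webmaster, group-owned by the server's group and set to mode 0640 passes; anyone who is a member of that group can still read it, so the group should contain only the server account.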