[3219] in WWW Security List Archive
Re: Login Password Setup
daemon@ATHENA.MIT.EDU (David W. Morris)
Sat Oct 12 06:05:29 1996
Date: Sat, 12 Oct 1996 00:53:37 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
To: Paul Schaap <paul_schaap@yes.optus.com.au>
cc: www-security <www-security@ns2.rutgers.edu>
In-Reply-To: <n1367087592.81834@yes.optus.com.au>
Errors-To: owner-www-security@ns2.rutgers.edu
On 11 Oct 1996, Paul Schaap wrote:
> <MEGA NEWBIE MODE ON ;-) >
Well, your first learning assignment is to figure out how to send mail which
doesn't arrive as a mime attachment ... pretty please. ;-:)
>
> Hi,
>
> I run a client server unix system at a Mac site which is accessed via a Terminal Emulator - YUK. I have just started testing a Netscape implementation with ncsa httpd on a trial basis (rumor is apache is preferred ??) and need to sort out how to implement suitable security.
>
> The issue is I have to make my site only accessible via a login/password and I would like the login/password to be the same as the user currently has for the telnet connection.
>
> I have toyed with two solutions :-
> 1) .htaccess - perfect, however problem with this is it has its own login/password setup, can this be circumvented <hacked> to test the telnet security ?
> 2) html/cgi - real easy to test the validity of the login/password but any user with an ounce of nous could figure their way around the security !?
I don't have the details, but here is a hint ... using the NSAPI, it is
possible to handle authentication within the Netscape server in lieu of
the standard file based method. You write your own authentication exit and
use whatever method makes sense. In a case I'm aware of, an NSAPI exit
RPCed to another process which was running an ORACLE DB access daemon which
authenticated using the database.
I wouldn't be surprised if Apache also supports such extensibility.
Hope this gets you started.
Dave Morris
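
The shape of the authentication exit hinted at in the reply above, as an added example that is not part of the original message and does not use the real NSAPI signatures: it decodes an HTTP Basic `Authorization` header and hands the credentials to a pluggable backend, failing closed on malformed input. The names `check_basic_auth`, `verify_fn`, `demo_verify` and `backend_calls` are hypothetical, and the sample account is constructed.

```c
#include <string.h>

/* Hypothetical backend hook (the RPC to the auth process in the setup above). */
typedef int (*verify_fn)(const char *user, const char *pass);

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strict base64 decode into out (NUL-terminated); length, or -1 on error. */
static int b64decode(const char *in, char *out, size_t cap) {
    size_t len = strlen(in), o = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        int v[4], pad = 0;
        for (int j = 0; j < 4; j++) {
            if (in[i + j] == '=' && i + 4 == len && j >= 2) { v[j] = 0; pad++; }
            else if (pad || (v[j] = b64val((unsigned char)in[i + j])) < 0) return -1;
        }
        if (o + 4 > cap) return -1;            /* 3 bytes plus the NUL */
        unsigned long w = ((unsigned long)v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out[o++] = (char)(w >> 16);
        if (pad < 2) out[o++] = (char)(w >> 8);
        if (pad < 1) out[o++] = (char)w;
    }
    out[o] = '\0';
    return (int)o;
}

/* Authentication exit: 1 only if the header parses and the backend accepts. */
int check_basic_auth(const char *header, verify_fn verify) {
    char buf[256];
    if (!header || !verify || strncmp(header, "Basic ", 6) != 0) return 0; /* exact-case scheme: simplification */
    int n = b64decode(header + 6, buf, sizeof buf);
    if (n <= 0 || memchr(buf, '\0', (size_t)n)) return 0; /* reject embedded NUL */
    char *colon = strchr(buf, ':');  /* first colon; the password may contain ':' */
    if (!colon || colon == buf) return 0;      /* no separator or empty user */
    *colon = '\0';
    return verify(buf, colon + 1) == 1;
}

/* Constructed stand-in backend with one sample account, for demonstration. */
int backend_calls = 0;
int demo_verify(const char *user, const char *pass) {
    backend_calls++;
    return strcmp(user, "paul") == 0 && strcmp(pass, "s3cr:et") == 0;
}
```

Basic credentials are only base64-encoded, so the password crosses the network in recoverable form on every request unless the connection itself is encrypted.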