[4515] in WWW Security List Archive
Re: Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (Jim Harmon)
Wed Feb 19 20:56:25 1997
Date: Wed, 19 Feb 1997 17:14:14 -0500
From: Jim Harmon <jim@telecnnct.com>
To: Jeremey Barrett <jeremey@veriweb.com>
Cc: daver@idiom.com, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Jeremey Barrett wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Well... no. First, a web browser _cannot_ set environment variables
> for a CGI, only a server can (it's the server doing the exec()-ing).
> Second, $REMOTE_USER holds the value of the username given via
> authentication, i.e. a WWW-Authenticate: header and response.
> So the server may or may not set $REMOTE_USER. It will set it if
> the user has been authenticated.
This is what's confusing me...
The users are on the same system as the server. In my case, my personal
account is on Server B and the CGI is running on server A. The other
users are actually logged in and running their browsers on server A.
For all intents and purposes the clients and server should be the same
system... for our setup on this problem.
> Finding out the user's login on _his_ system requires an ident query,
> sent by the web server to the identd daemon on the user's machine.
> This is sent to a CGI in $REMOTE_IDENT, and should _not_ be used
> as the basis for authentication, as 1) it is trivially faked, and 2)
> most machines (especially windoze), do not run identd daemons.
Ok, since we're on an Intranet, and this server is not visible to the
Internet, and because most of the users are on the server itself, I'm
having trouble seeing where "$REMOTE_anything" will work, even with
identd running. Am I just being flakey on this issue?
> As far as "Real Name", you might want to investigate using X.509
> certificates as your authentication mechanism, which will allow
> you to put some reasonable information in the certificate.
> XCert (www.xcert.com) is doing this stuff, as are others.
Is it really necessary inside a closed system to use certs?
I know this is rather petty of an issue, but I have users who are very
set in how they work. The additional login to access our web server
would not sit well with most of them, but I can see benefits with that
in place. Primarily that we're starting to think about letting some
power users and administrative staff do take-home work.
Authentication is absolutely necessary in that regard, so moving that
direction in general will probably ease the case for allowing the
piercing of our access envelope.
Thanks everyone so far, I haven't replied to all responses, and I will
post a summary by Monday (2/24).
=-----------------------------------------------------------------------=
> Jeremey Barrett VeriWeb Internet Corp.
> Crypto, Ecash, Commerce Systems http://www.veriweb.com/
>
> PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
> =-----------------------------------------------------------------------=
--
Jim Harmon The Telephone Connection
jim@telecnnct.com Rockville, Maryland
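The distinction Jeremey draws above (REMOTE_USER is set by the server after authentication, REMOTE_IDENT comes from an ident query and is trivially faked, and a browser cannot set CGI variables directly) is easy to get wrong in a script. The following is an added example, not code from either poster, showing how a CGI/1.1 handler should weigh those variables; the environments at the bottom are constructed for the demonstration, and requiring AUTH_TYPE alongside REMOTE_USER is an assumed belt-and-braces check rather than something the thread states.

```python
import os


def resolve_identity(env=None):
    """Return (username, source) for a CGI request.

    REMOTE_USER is set by the *server* only after it has authenticated the
    request (AUTH_TYPE records the scheme, e.g. "Basic"), so it is the only
    value a CGI may rely on.  REMOTE_IDENT comes from an ident query against
    the client's machine and is advisory at best: it is trivially faked and
    most client machines do not run identd.  Anything the browser itself
    sends arrives with an HTTP_ prefix; a client-supplied "Remote-User:"
    header shows up as HTTP_REMOTE_USER and must never be mistaken for
    REMOTE_USER.
    """
    env = os.environ if env is None else env
    user = env.get("REMOTE_USER")
    if user and env.get("AUTH_TYPE"):
        return user, "authenticated"
    ident = env.get("REMOTE_IDENT")
    if ident:
        # Worth logging for correlation, never a basis for authorization.
        return ident, "unverified-ident"
    return None, "anonymous"


def is_authorized(env=None):
    """Grant access only on a server-authenticated REMOTE_USER."""
    _, source = resolve_identity(env)
    return source == "authenticated"


# Constructed sample environments (not real requests).
AUTHENTICATED = {"AUTH_TYPE": "Basic", "REMOTE_USER": "jim", "REMOTE_ADDR": "10.0.0.5"}
IDENT_ONLY = {"REMOTE_IDENT": "jim", "REMOTE_ADDR": "10.0.0.5"}
SPOOFED_HEADER = {"HTTP_REMOTE_USER": "root", "REMOTE_ADDR": "10.0.0.9"}

if __name__ == "__main__":
    for name, env in (("AUTHENTICATED", AUTHENTICATED),
                      ("IDENT_ONLY", IDENT_ONLY),
                      ("SPOOFED_HEADER", SPOOFED_HEADER)):
        print(name, resolve_identity(env), "authorized:", is_authorized(env))
```

On the intranet setup described in the thread, the IDENT_ONLY case is exactly what REMOTE_IDENT would give you even with identd running on the server: a name to log, not a login.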