[4537] in WWW Security List Archive
Re: Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (David Pratt)
Thu Feb 20 15:54:49 1997
Date: Thu, 20 Feb 1997 11:18:15 -0600
From: David Pratt <dpratt@msc.edu>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Brian W. Spolarich wrote:
> ... Much deleted ...
> What I would seriously recommend is that you inform your users that
> they're going to have to authenticate to the web server in order to access
> certain resources, and use HTTP Basic authentication.
Up to this point, I wholeheartedly agreed. And then came ...
> One nice thing you
> can do is if you're using typical Unix authentication (passwd files or
> NIS/NIS+) is that you can take the contents of the Unix password file (or
> a subset) and use that as the authentication database for your web server.
> This means that the users will have to type in a username/password to
> access the web server (or a subset of resources), but it will be the same
> username/password that they use to log on all the time.
>
> It's not the most elegant solution in the world, but it works. There's
> the whole issue of passwords in the clear, but most people still telnet to
> Unix boxes these days, so what are you going to do?
Ouch. This is not a good practice. Though it is true that telnet/ftp send
passwords essentially clear text across the net, they do so only once per
session. Conversely, with HTTP Basic authentication, your browser resends
the password EVERY time you access a protected document. By matching your
UNIX and WWW passwords, you greatly increase the possibility of a hacker
gaining access to your UNIX account.
--
Dave Pratt
dpratt@msc.edu (612)337-3534
Minnesota Supercomputer Center Inc.
Graphics and Visualization Group
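An added illustration of the point made in this thread (example code, not part of the original post): the request capture, hostname and credentials below are constructed, and the functions parse each request to show that a browser using Basic authentication attaches the same password, in reversible base64 rather than encryption, to every protected request it makes.

```python
"""Audit a raw HTTP/1.0 capture for Basic-auth credential exposure."""
import base64

# Constructed sample: one client session fetching three protected pages
# and one public image. The header value is base64("alice:s3cret").
CAPTURE = """GET /private/index.html HTTP/1.0
Host: www.example.org
Authorization: Basic YWxpY2U6czNjcmV0

GET /private/report.html HTTP/1.0
Host: www.example.org
Authorization: Basic YWxpY2U6czNjcmV0

GET /public/logo.gif HTTP/1.0
Host: www.example.org

GET /private/data.csv HTTP/1.0
Host: www.example.org
Authorization: Basic YWxpY2U6czNjcmV0
"""


def parse_requests(capture):
    """Split a capture into (request_line, headers) pairs, one per request."""
    requests = []
    for block in capture.strip().split("\n\n"):
        lines = block.splitlines()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((lines[0], headers))
    return requests


def decode_basic(value):
    """Return (user, password) from a 'Basic <base64>' value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def credential_exposures(capture):
    """List (path, (user, password)) for every request carrying a password.

    Each entry is one more copy of the password on the wire; a telnet
    login for the same session would have sent it once."""
    exposures = []
    for request_line, headers in parse_requests(capture):
        creds = decode_basic(headers.get("authorization", ""))
        if creds:
            exposures.append((request_line.split()[1], creds))
    return exposures


if __name__ == "__main__":
    for path, (user, _) in credential_exposures(CAPTURE):
        print(f"{path}: password for {user!r} sent in the clear")
```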