|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Fri, 21 Feb 1997 09:11:04 -0500 From: Dave Kristol <dmk@bell-labs.com> To: "Brian W. Spolarich" <briansp@ans.net> Cc: www-security@ns2.rutgers.edu Errors-To: owner-www-security@ns2.rutgers.edu Brian W. Spolarich wrote: > [...] > What I would seriously recommend is that you inform your users that > they're going to have to authenticate to the web server in order to access > certain resources, and use HTTP Basic authentication. One nice thing you > can do is if you're using typicial Unix authentication (passwd files or > NIS/NIS+) is that you can take the contents of the Unix password file (or > a subset) and use that as the authentication database for your web server. > This means that the users will have to type in a username/password to > access the web server (or a subset of resources), but it will be the same > username/password that they use to log on all the time. Using Unix passwords as Basic passwords is really a *very* bad idea, especially if the system is not behind a firewall. If someone can snoop the network, they can obtain users' system passwords, log into the system itself, and wreak havoc. Basic Authentication has been recognized as a *bad thing* because of the in-the-clear passwords. HTTP/1.1 has introduced Digest Authentication (RFC 2069), which does not send passwords in the clear. Unfortunately, few browsers support it yet. So for now continue to use Basic, but require users to provide a different password from their system password. Dave Kristol
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |