Re: Apache to use FreeBSD system passwd

From: Rob Warnock (rpw3_at_rpw3.org)
Date: 08/03/04


Date: Tue, 03 Aug 2004 04:52:31 -0500

Jean-Yves Avenard <me@privacy.net> wrote:
+---------------
| Piotr Smyrak wrote:
| > www/mod_auth_pwcheck might be useful
|
| Thank you for the hint. After hours of trying to get mod_auth_pam
| working I gave up and got mod_auth_pwcheck working almost right away.
+---------------

Be advised that unless *ALL* your pages use SSL (https:), you have just
exposed your users' login passwords to network sniffers -- including
any HTTP proxies they might be going through (say, from a hotel or
a coffee-shop hotspot) -- since HTTP Auth Basic passwords are sent
essentially in the clear. [O.k., they're BASE64 encoded, but that
encoding is well-documented and trivial to decode.]

See RFC 2617 "HTTP Authentication: Basic and Digest Access Authentication",
section 2 "Basic Authentication Scheme" and section 4.1 "Authentication
of Clients using Basic Authentication":

        The Basic authentication scheme is not a secure method of user
        authentication, nor does it in any way protect the entity[1], which
        is transmitted in cleartext across the physical network used as
        the carrier.

Because of this, it's probably better to use web passwords different
from your login passwords[2]...

-Rob

[1] The user name & password.

[2] Unless you're using other insecure remote login protocols like
    Telnet or FTP. (So don't do that: Use SSH and "scp" and/or "sftp".)

-----
Rob Warnock <rpw3@rpw3.org>
627 26th Avenue <URL:http://rpw3.org/>
San Mateo, CA 94403 (650)572-2607
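To make concrete what Rob means by "trivial to decode", here is an added example (not part of the original post, and not code from mod_auth_pwcheck or Apache) that does what a sniffer or an intermediate HTTP proxy can do with a captured request: pull the Authorization header out of the raw bytes and recover the user name and password from a Basic credential. The captured requests, the host name and the credentials in them are constructed for illustration; the Digest sample is there only to show that the same one-liner does not apply to it.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample: what is on the wire after a browser answers a
# "401 / WWW-Authenticate: Basic" challenge over plain http://.
# The user name and password are made up ("jdoe" / "s3cr3t").
BASIC_REQUEST = (
    "GET /private/index.html HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Authorization: Basic amRvZTpzM2NyM3Q=\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed sample of a Digest credential (RFC 2617 section 3) for contrast:
# it carries an MD5 response, not the password itself.
DIGEST_REQUEST = (
    "GET /private/index.html HTTP/1.1\r\n"
    "Host: www.example.org\r\n"
    'Authorization: Digest username="jdoe", realm="private", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/private/index.html", '
    'response="6629fae49393a05397450978507c4ef1"\r\n'
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header block of one HTTP request as a lower-cased dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def recover_basic_credentials(raw: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the request carries a Basic credential.

    Returns None when there is no Authorization header, when the scheme is
    not Basic (Digest does not transmit the password), or when the value is
    not well-formed base64 of "user:password".
    """
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return None
    scheme, _, param = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        text = decoded.decode("latin-1")
    # RFC 2617: the user-id may not contain a colon, so split on the first one.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    print(recover_basic_credentials(BASIC_REQUEST))   # ('jdoe', 's3cr3t')
    print(recover_basic_credentials(DIGEST_REQUEST))  # None
```

Nothing here is cryptanalysis; base64 is an encoding, so anyone holding the packet holds the password, and with mod_auth_pwcheck that password is the user's system login. The Apache-side fix that matches Rob's advice is to serve the protected area only over https and to put mod_ssl's SSLRequireSSL directive in the protected Directory or Location block, so the server refuses the request (and never issues the 401 challenge) on the cleartext port. Digest avoids sending the password, but its MD5 response can still be guessed offline from a capture, so it is not a substitute for TLS either.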
