From owner-freebsd-questions  Thu Jun 11 07:35:08 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA27681
          for freebsd-questions-outgoing; Thu, 11 Jun 1998 07:35:08 -0700 (PDT)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from cray-ymp.acm.vt.edu (cray-ymp.acm.vt.edu [128.173.43.251])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA27645
          for <freebsd-questions@FreeBSD.ORG>; Thu, 11 Jun 1998 07:34:59 -0700 (PDT)
          (envelope-from dhagan@acm.vt.edu)
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253])
	by cray-ymp.acm.vt.edu (8.8.8/8.8.8) with SMTP id KAA29184;
	Thu, 11 Jun 1998 10:36:16 -0400 (EDT)
	(envelope-from dhagan@acm.vt.edu)
Date: Thu, 11 Jun 1998 10:33:54 -0400 (EDT)
From: Daniel Hagan <dhagan@acm.vt.edu>
To: "Abraham J. Stephens" <stephea@aasis.albany-academy.org>
cc: Britney Macklem <bmacklem@tacnet.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Password protection
In-Reply-To: <Pine.BSF.3.95q.980610183938.11545A-100000@aasis.albany-academy.org>
Message-ID: <Pine.BSF.3.96.980611103042.27245B-100000@cowpie.acm.vt.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 10 Jun 1998, Abraham J. Stephens wrote:

> > To have users enter their own username and password requires a bit of cgi
> > programming (to the best of my knowledge, maybe there's a package out
> > there that does it for you).  Shouldn't be too terribly hard though.
> 
> 	You can do it with CGI, but there is a mod_auth_external module
> out there for apache.  With it you can write a script to check users off
> your system passwd database.

Assuming you mean /etc/passwd, this is probably not a good idea.  It
allows a person to hammer your passwd file guessing the root password.
HTTP has no login failure logs, nor time-outs and such that are provided
by login.  I believe there is an article to this effect on the apache
website somewhere.

> 	If you want to be really safe you might look into a web server
> that can handle SSL.
> 

An excellent suggestion, isn't there an apacheSSL out there?

Daniel

-----
Daniel Hagan               http://www.acm.vt.edu/~dhagan           Head Admin
dhagan@acm.vt.edu                                                   ACM at VT 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message