From owner-freebsd-isp Tue Apr 6 22:53:35 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from enya.clari.net.au (enya.clari.net.au [203.8.14.116]) by hub.freebsd.org (Postfix) with ESMTP id 9A0FF14DCB for ; Tue, 6 Apr 1999 22:53:26 -0700 (PDT) (envelope-from danny@enya.clari.net.au)
Received: from localhost (danny@localhost) by enya.clari.net.au (8.9.2/8.8.7) with ESMTP id PAA64358; Wed, 7 Apr 1999 15:50:56 +1000 (EST) (envelope-from danny@enya.clari.net.au)
Date: Wed, 7 Apr 1999 15:50:56 +1000 (EST)
From: "Daniel O'Callaghan"
To: "W. Reilly Cooley"
Cc: freebsd-isp@freebsd.org
Subject: Re: Web Based Script
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 29 Mar 1999, W. Reilly Cooley wrote:

> I've considered a web-based interface for users to modify their
> configurations (mail forwarding, etc), but giving users access using their
> UNIX passwords through a web interface is a /big/ security hole. See
> http://www.apache.org/docs/misc/FAQ.html#passwdauth for an explanation.
> This might be reasonable, if, for example, you only permit access from
> within your net block. But even then it's sketchy...

No more problematic than POP, and at least with web you can do it via SSL using https rather than plaintext http.

Apache won't read /etc/master.password as a .htpasswd file, but it is easy to perl/awk out the first two fields into a separate .htpasswd file. While you are at it, only put dialup users' names/passwords into the .htpasswd file, so that staff/admin accounts' passwords are not available for probing. Something like the script below, which can be run every 15 minutes from cron, to keep it up to date.
Danny

#!/usr/bin/perl
# Copy user:password from /etc/master.passwd into an Apache .htpasswd file,
# limited to general (dialup) users so staff/admin hashes are not exposed.
open( M, "/etc/master.passwd") or die "/etc/master.passwd: $!";
open( N, "> /var/db/ht.passwd.new") or die "/var/db/ht.passwd.new: $!";
chmod 0640, "/var/db/ht.passwd.new";
# Assumes general users have uid 5000-9999
while(<M>) {
    ($uname, $passwd, $uid, $gid, $class) = split (':');
    print N "$uname:$passwd\n" if( $uid >= 5000 && $uid < 10000);
}
close(M);
close(N);
# Replace the live file only once the new one is complete
rename("/var/db/ht.passwd.new", "/var/db/ht.passwd");
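An added example, not code from Danny's post: the same extraction written in Python and generalized slightly, so that locked accounts (hash "*" or "!...") and NIS "+" lines never reach the .htpasswd file, and the output is written atomically with mode 0640. The uid range 5000-9999, the sample master.passwd lines and the output path are constructed assumptions.

```python
import os
import tempfile

# Constructed sample in /etc/master.passwd layout (10 colon-separated fields):
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
root:$1$saltsalt$exampleroothash:0:0::0:0:Charlie &:/root:/bin/csh
staff1:$1$saltsalt$examplestaffhash:1001:1001::0:0:Staff:/home/staff1:/bin/sh
dial1:$1$saltsalt$exampledial1hash:5000:5000:dialup:0:0:Dialup One:/home/dial1:/bin/sh
dial2:*:5001:5001:dialup:0:0:Locked Dialup:/home/dial2:/bin/sh
dial3:$1$saltsalt$exampledial3hash:9999:9999:dialup:0:0:Dialup Three:/home/dial3:/bin/sh
admin2:$1$saltsalt$exampleadminhash:10000:10000::0:0:Admin:/home/admin2:/bin/sh
+::::::::::
"""


def filter_htpasswd(master_text, lo=5000, hi=10000):
    """Return 'name:hash' lines for accounts with lo <= uid < hi (assumed
    dialup range). Locked accounts, NIS '+' entries and malformed lines are
    skipped so nothing probe-able or unusable ends up in the web auth file."""
    entries = []
    for line in master_text.splitlines():
        if not line or line.startswith('#') or line.startswith('+'):
            continue
        fields = line.split(':')
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if pw in ('*', '') or pw.startswith('!'):
            continue  # locked or passwordless: never publish
        if lo <= uid < hi:
            entries.append(f"{name}:{pw}")
    return entries


def write_htpasswd(path, entries):
    """Write entries to path via a temp file plus rename, so Apache never
    reads a half-written file, and chmod 0640 so it is not world-readable."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or '.', prefix='.ht.passwd.')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(''.join(e + '\n' for e in entries))
        os.chmod(tmp, 0o640)
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path
```

Run as `write_htpasswd('/var/db/ht.passwd', filter_htpasswd(open('/etc/master.passwd').read()))` from cron in the same way as the Perl version.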