From owner-freebsd-isp Wed Apr 7 10:14:53 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from arnold.neland.dk (mail.neland.dk [194.255.12.232])
        by hub.freebsd.org (Postfix) with ESMTP id 3771F14D37
        for ; Wed, 7 Apr 1999 10:14:25 -0700 (PDT)
        (envelope-from leifn@neland.dk)
Received: from localhost (localhost [127.0.0.1])
        by arnold.neland.dk (8.9.3/8.9.3) with ESMTP id TAA73209;
        Wed, 7 Apr 1999 19:11:02 +0200 (CEST)
        (envelope-from leifn@swimsuit.internet.dk)
Date: Wed, 7 Apr 1999 19:11:02 +0200 (CEST)
From: Leif Neland
X-Sender: leifn@arnold.neland.dk
To: "Daniel O'Callaghan"
Cc: "W. Reilly Cooley" , freebsd-isp@FreeBSD.ORG
Subject: Re: Web Based Script
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 7 Apr 1999, Daniel O'Callaghan wrote:

>
>
> On Mon, 29 Mar 1999, W. Reilly Cooley wrote:
> > I've considered a web-based interface for users to modify their
> > configurations (mail forwarding, etc), but giving users access using their
> > UNIX passwords through a web interface is a /big/ security hole. See
> > http://www.apache.org/docs/misc/FAQ.html#passwdauth for an explanation.
> > This might be reasonable, if, for example, you only permit access from
> > within your net block. But even then it's sketchy...
>
> No more problematic than POP, and at least with web you can do it via SSL
> using https rather than plaintext http.
>
At least POP puts a delay between the bad logins, which slows password
guessing down.

Leif

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
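
The delay between bad logins mentioned in the message above, applied to a web login handler, as an added example that is not part of the original thread. The names LoginThrottle, attempt and time_to_try, the 1-second base and 64-second cap, and the sample user and addresses are all assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Delay after each failed login, doubling per failure up to a cap."""
    def __init__(self, base=1.0, cap=64.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self._state = {}  # (user, source) -> (failures, not_before)

    def retry_after(self, user, source):
        """Seconds this (user, source) pair must still wait; 0.0 if none."""
        _, not_before = self._state.get((user, source), (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, user, source, success):
        """Record an outcome; return the delay imposed (0.0 on success)."""
        key = (user, source)
        if success:
            self._state.pop(key, None)  # a good login clears the counter
            return 0.0
        failures = self._state.get(key, (0, 0.0))[0] + 1
        delay = min(self.cap, self.base * 2 ** (failures - 1))
        self._state[key] = (failures, self.clock() + delay)
        return delay

def attempt(throttle, check_password, user, source, password):
    """Gate a password check behind the throttle (check_password is assumed)."""
    wait = throttle.retry_after(user, source)
    if wait > 0:
        # Inside the delay window the password is not checked at all, so
        # even a correct guess learns nothing until the window has passed.
        return ("throttled", wait)
    ok = check_password(user, password)
    delay = throttle.record(user, source, ok)
    return ("ok", 0.0) if ok else ("denied", delay)

def time_to_try(n_guesses, base=1.0, cap=64.0):
    """Simulated seconds needed to get n wrong guesses actually checked."""
    now = [0.0]  # fake clock, so the simulation does not sleep
    throttle = LoginThrottle(base, cap, clock=lambda: now[0])
    user, source = "alice", "192.0.2.10"  # constructed sample values
    for i in range(n_guesses):
        now[0] += throttle.retry_after(user, source)  # wait out the delay
        status, _ = attempt(throttle, lambda u, p: False, user, source, f"guess{i}")
        assert status == "denied"
    return now[0]

if __name__ == "__main__":
    for n in (4, 9, 1000):
        print(n, "guesses take", time_to_try(n), "seconds")
```

Keying on user and source together keeps one remote address from locking a user out everywhere, but it does not slow guessing spread across many addresses; a per-user counter would be needed for that.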