Message-ID: <3B27A16C.32BAF75E@globalstar.com>
Date: Wed, 13 Jun 2001 10:22:52 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Brendan Murphy
Cc: Evren Yurtesen, Garrett Wollman, Jamie Norwood, freebsd-security@FreeBSD.ORG
Subject: Re: HTTP and FTP

Brendan Murphy wrote:
>
> On Tue, 12 Jun 2001, Crist Clark wrote:
>
> > Evren Yurtesen wrote:
> > >
> > > I wonder if it is possible in HTTP to make users login to their home dirs
> > > automatically and when they put files it goes in with their uid,gid and of
> > > course they will login with their own passwords? etc. =)
> >
> > It should not be terribly difficult.
>
> It should (obviously) go without saying that you should _NOT_ use
> /etc/passwd or the like as a basis for your authentication.

With most current HTTP servers, something like a htpasswd file is already
more common. However, if we are comparing to FTP, many FTP daemons, the
ftpd(8) with FreeBSD included, only use /etc/passwd, system users, for
authentication. In that case, why would using /etc/passwd be so much
worse than the status quo?
FTP only passes the password across the Internet in cleartext once per
control session whereas you'd be doing it with every request in HTTP,
but then again, HTTP over SSL is well established and standardized. FTP
over SSL is a PITA for a lot of the same reasons FTP is a pain through
firewalls (which was the genesis of this flam^H^H^H^H^H long thread).
--
Crist J. Clark                          Network Security Engineer
crist.clark@globalstar.com              Globalstar, L.P.
(408) 933-4387                          FAX: (408) 933-4926