From owner-freebsd-security  Fri Jul 12 16:16:58 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4508F37B400
	for <freebsd-security@FreeBSD.ORG>; Fri, 12 Jul 2002 16:16:55 -0700 (PDT)
Received: from mail.npubs.com (npubs.com [207.111.208.224])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EB63243E31
	for <freebsd-security@FreeBSD.ORG>; Fri, 12 Jul 2002 16:16:54 -0700 (PDT)
	(envelope-from nielsen@memberwebs.com)
From: "Nielsen" <nielsen@memberwebs.com>
To: <freebsd-security@FreeBSD.ORG>, "Steve" <sprasadi@addr.com>
References: <5.1.0.14.0.20020712114822.00ba8a20@localhost>
Subject: Re: plain text passwords
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20020712231747.6EFBB43B396@mail.npubs.com>
Date: Fri, 12 Jul 2002 23:17:47 +0000 (GMT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

You should use an authentication module that uses hashed passwords.

And secondly you usually shouldn't authenticate against the system
passwords. But if you have to, try to find a solution that doesn't give the
the apache user (www, or nobody or whatever) read access to your shaddow
passwords.

One thing I used which worked well was the cyrus-sasl pwcheck daemon. Apache
has a module which authenticates against it. The pwcheck daemon runs as
root, relieving apache of the above need.

Cheers,

Nate

----- Original Message -----
From: "Steve" <sprasadi@addr.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Friday, July 12, 2002 0:21
Subject: plain text passwords


> Hi all,
>
> I need to have plain text passwords in /etc/passwd. How can I get it? I
> need this for password protecting a web directory using /etc/passwd
>
> Thanks,
>
> Steve
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message