[TriLUG] apache passwd management strategies (subversion)

Rick DeNatale rick.denatale at gmail.com
Thu Sep 22 16:58:11 EDT 2005


On 9/22/05, Timothy Chagnon <tachagnon at gmail.com> wrote:
> Since apache2 or thereabouts, htpasswd entries can use MD5 hashes just
> like the /etc/shadow file.  And they're both colon delimited, so you
> just need to take the first two columns from the shadow file.

To do this you need to use mod_auth_digest, but first read the caveats
in the documentation:
http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html

It's still considered experimental, and as of the writing of the doc,
not all browsers supported it, but the ones that don't are mostly
little known ones like something called Internet Explorer <G>.

You might also consider the security of http authentication passwords
before deciding to make it a policy to share logon and http
authentication passwords. RFC2617 describes the HTTP digest
authorization protocol, and reading the security considerations
section is enlightening. While the digest method does prevent
passwords from being sent in the clear, it does little to strengthen
defenses against well known attacks.  AND Apache's mod_auth_digest
only implements a watered down version of RFC2617 since it doesn't
provide a way to use the limited-time nonce values specified in the
RFC to salt the hashes used.

http://ftp.ics.uci.edu/pub/ietf/http/rfc2617.txt

So it looks to me that using user passwords for http authentication
over the internet is more likely to expose those passwords.  If you
are going to do it, I'd recommend not running a telnet daemon (which
you shouldn't be doing anyway) and if you are running an ssh daemon, to
configure it to use pub key authentication and NOT to allow password
authentication.
--
Rick DeNatale

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/
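An editor's worked example of the RFC 2617 digest scheme the message refers to. This is added code, not part of the original post and not Apache's mod_auth_digest; the realm, user, password, URI, candidate word list and the timestamp+HMAC nonce layout are all constructed for illustration. It shows both sides of the exchange: the server stores HA1 = MD5(user:realm:password) (the htdigest file format, which is a different value from the crypt-style hashes in /etc/shadow), issues a nonce that expires, and rejects a replayed or forged nonce; the last function shows why digest still does little against the well known attacks the post mentions, since anyone who captures one exchange can test password guesses offline.

```python
# Added example (not from the TriLUG post, nor Apache's mod_auth_digest):
# the RFC 2617 Digest computation, client and server side, with a
# server-issued nonce that expires. Realm, user, password, URI, the nonce
# layout and the HMAC secret are all constructed for illustration.
import hashlib
import hmac
import os
import time

NONCE_SECRET = os.urandom(16)   # server-only secret that signs each nonce
NONCE_LIFETIME = 300            # seconds a nonce stays acceptable (assumption)


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user, realm, password):
    """RFC 2617 HA1: what an Apache htdigest file stores per user.

    It is MD5(user:realm:password), not a crypt(3)-style hash such as the
    $1$... entries in /etc/shadow; the two are not interchangeable."""
    return md5_hex("%s:%s:%s" % (user, realm, password))


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s:%s:%s:%s" % (h1, nonce, nc, cnonce, qop, ha2))


def make_nonce(now=None):
    """Time-limited nonce '<unix-time>:<hmac tag>': the server can tell its
    own fresh nonces from replayed or forged ones without keeping state."""
    ts = str(int(time.time()) if now is None else now)
    tag = hmac.new(NONCE_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return ts + ":" + tag


def nonce_is_valid(nonce, now=None):
    now = int(time.time()) if now is None else now
    try:
        ts, tag = nonce.split(":", 1)
        age = now - int(ts)
    except ValueError:
        return False
    want = hmac.new(NONCE_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, want) and 0 <= age <= NONCE_LIFETIME


def client_authorize(user, realm, password, method, uri, nonce,
                     nc="00000001", cnonce=None):
    """Client side: the fields of an Authorization: Digest header."""
    cnonce = cnonce or os.urandom(8).hex()
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


def server_verify(auth, method, htdigest, now=None):
    """Server side: recompute from the stored HA1 and compare.

    htdigest maps (user, realm) -> HA1, as an Apache htdigest file does."""
    if not nonce_is_valid(auth["nonce"], now):
        return False          # expired or forged nonce: a replay fails here
    stored = htdigest.get((auth["username"], auth["realm"]))
    if stored is None:
        return False
    want = digest_response(stored, method, auth["uri"], auth["nonce"],
                           auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(want, auth["response"])


def offline_guess(auth, method, candidates):
    """Attacker holding one captured exchange: the nonce stops replay but
    not offline guessing, since every input except the password is visible."""
    for pw in candidates:
        h1 = ha1(auth["username"], auth["realm"], pw)
        if digest_response(h1, method, auth["uri"], auth["nonce"],
                           auth["nc"], auth["cnonce"], auth["qop"]) == auth["response"]:
            return pw
    return None


if __name__ == "__main__":
    store = {("alice", "svn"): ha1("alice", "svn", "hunter2")}   # constructed
    nonce = make_nonce()
    auth = client_authorize("alice", "svn", "hunter2", "GET", "/svn/trunk/", nonce)
    print("verify:", server_verify(auth, "GET", store))
    print("guessed:", offline_guess(auth, "GET", ["password", "hunter2"]))
```

The nonce format here is only one way to get the limited-time nonces RFC 2617 describes; a real server would also want to bind the nonce to the client address or track nonce counts to catch reuse within the lifetime window.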
