
Re: About a Config file on a UNIX server




One thing I think is real important to note here, particularly when
it comes to passwords. UNIX systems ship with a useful library function
called 'crypt()', without going into details this is a one-way-hash, -
it's computationally extremely expensive to reverse a one-way-hash so
passwords can be stored in world readable files (such as /etc/passwd)
without great security risk. UNIX webservers follow this convention and
you will see that the base64 encoding of user password in many htpasswd
and other files use crypt().

Now enter Windows NT. No crypt(). The Apache team chose to just 
store passwords in base64 format (effectively plain text) in their
Windows ports. I figured *what-the-hell* and did this also in Pi3Web.
It should be clearly understood that this is not the slightest bit 
secure. The same way that using a username/password pair for
basic authentication under http (as opposed to https) is also not
secure.

Later,
John

> 
> Hi,
> 
> So, why not just create a CGI that takes the form input (since you do need
> a CGI to do this, anyways) that just adds that line in?  For most standard
> password files, the password is encrypted using Base64, at least Pi3 is.
> And I think the Linux password files are also.
> 
> Is that your question?  Or are you asking whether or not such a cgi exists?
>  I'm sure one exists. But it might be easier to just write your own
> (probably fastest with perl).
> 
> At 12:13 PM 10/28/98 -0800, Brian Loss wrote:
> >THIS IS NOT RELATED TO THE PI3WEB SERVER, but I have a profile on a unix 
> >server that has a basic user authentication thing that could be used. I 
> >used it perfectly, but I would like to have a cgi script that could add 
> >a username and encrypt a password for the .NSCONFIG file.
> >In terms: If someone would like to visit my site (that included CGI 
> >capabilities) and someone would like to join my site, by a 
> >membership (free) they fill out a form, then they have access to your 
> >protected items.
> >example of a password file:
> >brian:(encrypted password)
> >     ^----- Separator
> >
> >My site is at: http://www.come.to/h14me
>
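
The contrast discussed in this thread, as an added example that is not part of the original messages or of Pi3Web or Apache: a base64 entry in a `user:password` file is recovered with one call, while a salted one-way hash can only be checked by re-hashing a login attempt. Assumptions: PBKDF2 from Python's `hashlib` stands in for `crypt()`, and the `user:salt$digest` layout, function names and sample account are hypothetical.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def check_user(user):
    """Reject names that would break the one-line-per-user file format."""
    if not user or any(c in user for c in ":\r\n"):
        raise ValueError("invalid user name")
    return user


def base64_entry(user, password):
    """Password-file line with the password merely base64-encoded."""
    encoded = base64.b64encode(password.encode()).decode()
    return f"{check_user(user)}:{encoded}"


def recover_from_base64(entry):
    """Anyone who can read the file gets the password back with one call."""
    return base64.b64decode(entry.split(":", 1)[1]).decode()


def hashed_entry(user, password, salt=None):
    """Password-file line holding a salted one-way hash: user:salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{check_user(user)}:{salt.hex()}${digest.hex()}"


def verify(entry, password):
    """Check a login attempt by re-hashing it with the stored salt."""
    salt_hex, digest_hex = entry.split(":", 1)[1].split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    weak = base64_entry("brian", "s3cret-example")
    strong = hashed_entry("brian", "s3cret-example")
    print(weak, "->", recover_from_base64(weak))
    print(strong, "-> verify:", verify(strong, "s3cret-example"))
```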