Re: Password file

From: David Luyer <luyer@dont-contact.us>
Date: Thu, 01 Jul 1999 22:37:30 +0800

> I am using /etc/password to authenticate users on my system.
>
> This is a major security risk. Can someone tell me if there is any other
> way of authenticating the users ?

You can authenticate them by any unix-format password file, including those
generated by Apache's htpasswd.

If you don't like using /etc/passwd since this lets anyone try and access
your system and use this as a check of a password, you can reduce the systems
from which people can log in by permitting only a certain list of IPs to even
try to authenticate.

You should detail which particular security risk you find unacceptable if you
want a suggestion about how to fix it.

Possible security risks include making it possible for the world to test a
username/password pair, insufficient logging of failed authentication,
possibility of username/password showing up in network sniffer (only
relevant to insecure networks and where all other traffic is encrypted,
otherwise you're not introducing any new security problem), and so on.

In many cases, proxy auth like this adds very little security risk, if any,
over the existing level of risk.

David.
Received on Thu Jul 01 1999 - 08:35:43 MDT
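The three points in the reply above (checking against a unix-format or htpasswd-style password file, permitting only a list of client IPs to attempt authentication, and logging failed attempts) can be put together in one small verifier. The following is an added example written for this archive page; it is not code from the original message, from Squid, or from Apache. It assumes a constructed password file whose `{SHA}` entries are in the format `htpasswd -s` writes, a constructed allow-list using the documentation ranges 192.0.2.0/24 and 127.0.0.0/8, and an assumed password of "s3cret" for both sample users. Classic `crypt(3)` entries are checked only where Python's `crypt` module is still available; `$apr1$` and bcrypt entries are reported as unsupported rather than silently failing.

```python
import base64
import hashlib
import hmac
import ipaddress
import logging

try:
    import crypt  # classic crypt(3) entries; module removed in Python 3.13
except ImportError:
    crypt = None

log = logging.getLogger("proxyauth")


def make_sha_entry(user, password):
    """Build a `user:{SHA}base64(sha1(pw))` line, the format `htpasswd -s` writes."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed sample password file (assumption: both users' password is "s3cret").
# The second entry carries extra passwd-style fields to show they are ignored.
SAMPLE_PASSWD_FILE = "\n".join([
    "# unix-format: name:hash[:other fields...]; comments and blank lines ignored",
    make_sha_entry("alice", "s3cret"),
    make_sha_entry("bob", "s3cret") + ":1001:1001:Bob:/home/bob:/bin/sh",
    "",
])

# Constructed allow-list of client networks permitted to even attempt authentication.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def parse_passwd(text):
    """Return {user: stored_hash} from a unix/htpasswd-style file (first two fields)."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        db[fields[0]] = fields[1]
    return db


def verify_hash(stored, password):
    """Constant-time check of `password` against one stored hash.

    Supports {SHA} entries and, where the crypt module exists, crypt(3) entries.
    Raises ValueError for formats this example does not implement ($apr1$, bcrypt).
    """
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], digest)
    if stored.startswith(("$apr1$", "$2")) or crypt is None:
        raise ValueError("unsupported hash format")
    computed = crypt.crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def client_allowed(client_ip, allowed_nets):
    """True if the client address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed_nets)


def authenticate(db, allowed_nets, client_ip, user, password):
    """Return (ok, reason). Every refusal is logged with user and client IP, never the password."""
    if not client_allowed(client_ip, allowed_nets):
        log.warning("auth refused: client %s not in allow-list (user=%r)", client_ip, user)
        return False, "ip-not-allowed"
    stored = db.get(user)
    if stored is None:
        # Do one real comparison anyway so unknown users cost about the same as bad passwords.
        verify_hash(make_sha_entry("x", "x").split(":", 1)[1], password)
        log.warning("auth failed: unknown user %r from %s", user, client_ip)
        return False, "no-such-user"
    try:
        ok = verify_hash(stored, password)
    except ValueError:
        log.error("auth failed: unsupported hash format for user %r", user)
        return False, "unsupported-hash"
    if not ok:
        log.warning("auth failed: bad password for user %r from %s", user, client_ip)
        return False, "bad-password"
    log.info("auth ok: user %r from %s", user, client_ip)
    return True, "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    db = parse_passwd(SAMPLE_PASSWD_FILE)
    print(authenticate(db, ALLOWED_NETS, "192.0.2.10", "alice", "s3cret"))
    print(authenticate(db, ALLOWED_NETS, "198.51.100.5", "alice", "s3cret"))
```

The IP check runs before the password file is consulted, so clients outside the allow-list never get a password oracle, and every refusal produces a log line carrying the user name and client address, which is the "insufficient logging" point from the reply. The sniffing concern is not addressed by anything in a helper like this; that depends on whether the link between client and proxy is encrypted.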
