On Fri, Oct 15, 1999 at 08:02:29AM +0100, Jason Thompson wrote:
> I am in the process of setting up a squid cache at a school where I work. We
> need to have passwords protecting Internet access. Our first idea is to
> create all the users on the cache box using the standard add user program.
> Then use squid to check that when authenticating people.
>
> Is this possible, and is it a good idea to do this?
It's very possible, but not recommended.
> Users do not log in to the machine, so the passwd file will not be used for
> anything else. Apart from the obvious root access.
The problem is (1) root access - you're making it simpler to do the
obvious brute-force attacks on the root password - and (2) the
possibility that someone *will* find an unexpected way to log into the
machine once they're in the password file. (If not for shell access,
then for FTP, or some other later-added service which defaults to
determining users from the password file.)
> We need to be able to add users, change user passwords, and delete users.
> Via the command line.
Instead, I recommend you look at the htpasswd program. That should do
exactly what you want. From man:

     htpasswd [ -c ] passwdfile username

DESCRIPTION
     htpasswd is used to create and update the flat-files used
     to store usernames and password for basic authentication
     of HTTP users. Resources available from the httpd Apache
     web server can be restricted to just the users listed in
     the files created by htpasswd. This program can only be
     used when the usernames are stored in a flat-file. To use
     a DBM database see dbmmanage.

-- Clifton
-- Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
"An absolute monarch would be absolutely wise and good. But no man is strong enough to have no interest. Therefore the best king would be Pure Chance. It is Pure Chance that rules the Universe; therefore, and only therefore, life is good." - AC

Received on Fri Oct 15 1999 - 13:20:28 MDT
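
The add, change and delete operations asked about in the thread, as an added example that is not part of the original message: it keeps proxy users in a dedicated htpasswd flat file instead of the system password file. It assumes a current Apache htpasswd with the `-i` and `-D` options (the man page excerpt quoted above only shows `-c`); the `PASSFILE` path and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: manage a proxy-only password file with htpasswd.
# PASSFILE is an assumed location; nothing else on the box should read it.
PASSFILE="${PASSFILE:-./proxy_passwd}"

# Add a user, or change the password of an existing one.
# The password is read from stdin (-i) so it never shows up in argv or ps.
proxy_user_set() {
    user="$1"
    (
        umask 077   # a newly created file is readable by its owner only
        if [ -f "$PASSFILE" ]; then
            htpasswd -i "$PASSFILE" "$user"
        else
            # -c creates the file and would truncate an existing one,
            # so it is used only when the file does not exist yet.
            htpasswd -c -i "$PASSFILE" "$user"
        fi
    )
}

# Delete a user from the flat file.
proxy_user_del() {
    htpasswd -D "$PASSFILE" "$1"
}

# Succeeds if the user has an entry in the flat file.
proxy_user_exists() {
    grep -q "^$1:" "$PASSFILE"
}
```

Because these entries never touch the system password file, a service added later that takes its users from that file will not see them.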
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:48:55 MST