Re: .htaccess or OS related?
On Monday 07 July 2008 14:46:47 Bill Moran wrote:
> In response to "Jos Chrispijn" <[EMAIL PROTECTED]>:
> > Bill,
> >
> > > -Original Message-
>
> Keep the list in the loop on replies.
>
> > > The algorithm is part of Apache and has little or nothing to do with
> > > the OS on which it runs.
> >
> > I see, so .htpasswd is an Apache utility then; didn't know that.
> >
> > > And the encryption used to store passwords in .htaccess files is known
> > > to be weak. If you need something strong, look to one of the other
> > > mod_* security packages instead of .htaccess passwords.
> >
> > What other mod_* security package would you recommend?
>
> I won't _recommend_ anything. However, I will point out that there's a
> mod_ldap, mod_auth_kerb, and mod_auth_pam. There are probably others
> that I'm forgetting.

The encryption of htpasswd files is only a concern when:
- the password databases themselves are downloadable
- you have a shared host and local users have access to your password databases

Using one of the modules described above won't solve anything (as you can still store the passwords in MD5 or an even weaker hash) and will need support from your hosting provider. Those modules are meant to centralize user management, not to increase password encryption.

If you want to improve the hash with which passwords are stored, then use the '-s' option to htpasswd(1), which will use SHA rather than MD5.

If you want to protect your users more, then you should use mod_auth_digest, which instructs the browser to hash its password before sending it over the internet.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
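The mod_auth_digest exchange Mel refers to, worked through as an added example (this is not code from the thread, from Apache, or from any of the posters). It follows RFC 2617 Digest authentication with qop=auth: the browser sends MD5(HA1:nonce:nc:cnonce:qop:HA2) rather than the password, and the server's htdigest(1) file stores HA1 = MD5(user:realm:password). The user, realm, password, nonce and cnonce values are the published RFC 2617 example values; the htdigest file content and the header parser are constructed for this example.

```python
import hashlib
import hmac
import re


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    """What htdigest(1) stores per user: MD5(user:realm:password).
    Only the realm is mixed in; there is no random salt."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 response for qop=auth. The password never leaves the client."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authorization(user, realm, password, method, uri, nonce, nc, cnonce):
    """Browser side: build the Authorization header from the server's challenge."""
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce, "auth")
    return (
        f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
        f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"'
    )


# key="quoted value" or key=bare-token, comma separated (constructed parser, not Apache's)
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: (quoted or bare) for k, quoted, bare in _PARAM.findall(header[len("Digest "):])}


def parse_htdigest(text):
    """htdigest file lines are user:realm:HA1; returns {(user, realm): HA1}."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, realm, h1 = line.split(":", 2)
        entries[(user, realm)] = h1
    return entries


def server_verify(htdigest_entries, header, method, expected_nonce):
    """Server side: recompute the response from the stored HA1 and compare.
    The nonce check is the replay guard; a real server also tracks nc and expires nonces."""
    p = parse_authorization(header)
    if p.get("nonce") != expected_nonce or p.get("qop") != "auth":
        return False
    stored = htdigest_entries.get((p.get("username"), p.get("realm")))
    if stored is None:
        return False
    expected = digest_response(stored, method, p["uri"], p["nonce"], p["nc"], p["cnonce"], "auth")
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed htdigest file using the RFC 2617 example user; not a real credential.
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE_HTDIGEST = "# constructed sample\n" + "Mufasa:" + REALM + ":" + ha1("Mufasa", REALM, "Circle Of Life")


if __name__ == "__main__":
    hdr = client_authorization("Mufasa", REALM, "Circle Of Life", "GET", "/dir/index.html",
                               NONCE, "00000001", "0a4f113b")
    print(hdr)
    print("verified:", server_verify(parse_htdigest(SAMPLE_HTDIGEST), hdr, "GET", NONCE))
```

Two things the exchange makes visible: the response is bound to the nonce, method and URI, so a captured header cannot simply be replayed against a fresh challenge; and the htdigest file holds HA1, which is everything a client needs to answer a challenge for that realm, so a readable htdigest file is as sensitive as the passwords it replaces.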
Re: .htaccess or OS related?
Written by Jerry McAllister on 07/07/08 10:26:
> On Mon, Jul 07, 2008 at 02:18:49PM +0200, Jos Chrispijn wrote:
> > I ran into a problem last night that I was able to solve, but generated a
> > question:
> >
> > I have this hosting provider (uses Debian OS) on which I can't use htpasswd
> > to generate user and password to protect a single file.
>
> Probably was not in your path. You may have to find out where it
> is and add that directory to your path or use the full pathname when
> invoking it.
>
> > To have this done I solved it as follows: did a htpasswd on my own server
> > (FreeBSD 7) and simply copied the file with the user:password (scrambled) to
> > my home directory I have with this hosting provider and referred in the
> > .htaccess to it. And now comes the fun stuff: it worked without probs.
> >
> > So the algorithm that is used on FreeBSD to scramble a user password is the
> > same as it is used by Debian? Isn't that a security gap?
>
> That is something done by Apache and is common to all implementations
> unless you change it. I never looked, but I think it uses one of
> the commonly used encryption algorithms, maybe even the same one
> used for regular passwords.
>
> jerry

In fact it's either an Apache adaptation of MD5, SHA, plaintext, or the system's crypt(). The encryption mechanism can be specified per-user with the m, d, s, and p flags.
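The four storage formats named in the reply above (htpasswd's m, d, s and p flags) and Mel's point earlier in the thread about what the hash does and does not protect, as an added example that is not code from the thread or from Apache. It reimplements the two portable schemes, "$apr1$" (the md5crypt algorithm with Apache's magic string, which is why a FreeBSD-generated file works unchanged on Debian) and "{SHA}" (unsalted SHA-1, base64), recognises plaintext and 13-character crypt(3) entries, and runs a small word list against a constructed .htpasswd file. The sample users, passwords and the crypt-style entry are constructed; the crypt entry is only identified, not verified, because that needs the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(n))


def apr1_hash(password, salt=None):
    """htpasswd -m: md5crypt with the "$apr1$" magic (salted, 1000 MD5 rounds)."""
    magic = b"$apr1$"
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sb = password.encode("utf-8"), salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:                      # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                             # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4) + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4) + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4) + _to64(f[11], 2))
    return f"$apr1${sb.decode('ascii')}${enc}"


def sha_hash(password):
    """htpasswd -s: unsalted SHA-1, so equal passwords give equal entries."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def identify_scheme(stored):
    if stored.startswith("$apr1$"):
        return "apr1"
    if stored.startswith("{SHA}"):
        return "sha1"
    if len(stored) == 13 and all(c in ITOA64 for c in stored):
        return "crypt"                   # htpasswd -d; a 13-char plaintext would be misread too
    return "plain"                       # htpasswd -p


def verify_password(stored, candidate):
    """True/False for schemes handled here; None for crypt(3) entries."""
    scheme = identify_scheme(stored)
    if scheme == "apr1":
        computed = apr1_hash(candidate, stored.split("$")[2])
    elif scheme == "sha1":
        computed = sha_hash(candidate)
    elif scheme == "plain":
        computed = candidate
    else:
        return None
    return hmac.compare_digest(computed.encode("utf-8"), stored.encode("utf-8"))


def parse_htpasswd(text):
    """user:stored per line; comments and blank lines skipped."""
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            out.append((user, stored))
    return out


def crack(entries, wordlist):
    """Offline guessing, which is what a readable .htpasswd exposes you to."""
    found = {}
    for user, stored in entries:
        for word in wordlist:
            if verify_password(stored, word):
                found[user] = word
                break
    return found


# Constructed sample file; none of these are real accounts.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample",
    "alice:" + sha_hash("password"),              # htpasswd -s
    "bob:" + apr1_hash("letmein", "xyz12345"),    # htpasswd -m, fixed salt for reproducibility
    "carol:hunter2",                              # htpasswd -p
    "dave:abJnggxhB/yWI",                         # shape of an htpasswd -d entry (made up)
])

if __name__ == "__main__":
    for user, stored in parse_htpasswd(SAMPLE_HTPASSWD):
        print(user, identify_scheme(stored), stored)
    print(crack(parse_htpasswd(SAMPLE_HTPASSWD), ["123456", "password", "letmein", "hunter2"]))
```

The salt and 1000 rounds in "$apr1$" only slow a guessing run down per entry; the unsalted "{SHA}" form lets one precomputed table serve every entry in every file, and plaintext needs no work at all. None of that matters until the file is readable by someone other than the web server, which is the condition Mel describes.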
Re: .htaccess or OS related?
On Mon, Jul 07, 2008 at 02:18:49PM +0200, Jos Chrispijn wrote:
> I ran into a problem last night that I was able to solve, but generated a
> question:
>
> I have this hosting provider (uses Debian OS) on which I can't use htpasswd
> to generate user and password to protect a single file.

Probably was not in your path. You may have to find out where it
is and add that directory to your path or use the full pathname when
invoking it.

> To have this done I solved it as follows: did a htpasswd on my own server
> (FreeBSD 7) and simply copied the file with the user:password (scrambled) to
> my home directory I have with this hosting provider and referred in the
> .htaccess to it. And now comes the fun stuff: it worked without probs.
>
> So the algorithm that is used on FreeBSD to scramble a user password is the
> same as it is used by Debian? Isn't that a security gap?

That is something done by Apache and is common to all implementations
unless you change it. I never looked, but I think it uses one of
the commonly used encryption algorithms, maybe even the same one
used for regular passwords.

jerry

> Jos
RE: .htaccess or OS related?
> -Original Message-
> Keep the list in the loop on replies.

Okay, I will keep that in mind.

> I won't _recommend_ anything. However, I will point out that there's a
> mod_ldap, mod_auth_kerb, and mod_auth_pam. There are probably others
> that I'm forgetting.

I will have a look at it and start using that instead of how I do it now.

Thanks for sharing,
Jos
RE: .htaccess or OS related?
> I wonder whether the hosting provider will let the OP install
> mod_whatever, even, if he could not be allowed to use htpasswd.

I don't think that either, but as I have some other BSD servers myself, I really will start using this on my systems. Regarding that provider, I will reroute the document through my server as long as he can't provide what I am looking for. In the meantime I will discuss this issue with him.

Jos
Re: .htaccess or OS related?
In response to "Odhiambo Washington" <[EMAIL PROTECTED]>:

> I wonder whether the hosting provider will let the OP install
> mod_whatever, even, if he could not be allowed to use htpasswd.

I suppose, but if the OP is concerned about the security of his data
beyond what the htpasswd command can do, he probably needs to get his
data off a shared host anyway.

> On 7/7/08, Bill Moran <[EMAIL PROTECTED]> wrote:
> > In response to "Jos Chrispijn" <[EMAIL PROTECTED]>:
> >
> > > I ran into a problem last night that I was able to solve, but generated a
> > > question:
> > >
> > > I have this hosting provider (uses Debian OS) on which I can't use
> > > htpasswd to generate user and password to protect a single file.
> > >
> > > To have this done I solved it as follows: did a htpasswd on my own server
> > > (FreeBSD 7) and simply copied the file with the user:password (scrambled)
> > > to my home directory I have with this hosting provider and referred in the
> > > .htaccess to it. And now comes the fun stuff: it worked without probs.
> > >
> > > So the algorithm that is used on FreeBSD to scramble a user password is
> > > the same as it is used by Debian? Isn't that a security gap?
> >
> > The algorithm is part of Apache and has little or nothing to do with
> > the OS on which it runs.
> >
> > And the encryption used to store passwords in .htaccess files is known
> > to be weak. If you need something strong, look to one of the other mod_*
> > security packages instead of .htaccess passwords.
> >
> > --
> > Bill Moran
> > http://www.potentialtech.com
>
> --
> Sent from Google Mail for mobile | mobile.google.com
>
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>
> "Oh My God! They killed init! You Bastards!"
> --from a /. post

--
Bill Moran
http://www.potentialtech.com
Re: .htaccess or OS related?
I wonder whether the hosting provider will let the OP install
mod_whatever, even, if he could not be allowed to use htpasswd.

On 7/7/08, Bill Moran <[EMAIL PROTECTED]> wrote:
> In response to "Jos Chrispijn" <[EMAIL PROTECTED]>:
>
> > I ran into a problem last night that I was able to solve, but generated a
> > question:
> >
> > I have this hosting provider (uses Debian OS) on which I can't use
> > htpasswd to generate user and password to protect a single file.
> >
> > To have this done I solved it as follows: did a htpasswd on my own server
> > (FreeBSD 7) and simply copied the file with the user:password (scrambled)
> > to my home directory I have with this hosting provider and referred in the
> > .htaccess to it. And now comes the fun stuff: it worked without probs.
> >
> > So the algorithm that is used on FreeBSD to scramble a user password is
> > the same as it is used by Debian? Isn't that a security gap?
>
> The algorithm is part of Apache and has little or nothing to do with
> the OS on which it runs.
>
> And the encryption used to store passwords in .htaccess files is known
> to be weak. If you need something strong, look to one of the other mod_*
> security packages instead of .htaccess passwords.
>
> --
> Bill Moran
> http://www.potentialtech.com

--
Sent from Google Mail for mobile | mobile.google.com

Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

"Oh My God! They killed init! You Bastards!"
--from a /. post
Re: .htaccess or OS related?
In response to "Jos Chrispijn" <[EMAIL PROTECTED]>:

> Bill,
>
> > -Original Message-

Keep the list in the loop on replies.

> > The algorithm is part of Apache and has little or nothing to do with
> > the OS on which it runs.
>
> I see, so .htpasswd is an Apache utility then; didn't know that.
>
> > And the encryption used to store passwords in .htaccess files is known
> > to be weak. If you need something strong, look to one of the other mod_*
> > security packages instead of .htaccess passwords.
>
> What other mod_* security package would you recommend?

I won't _recommend_ anything. However, I will point out that there's a
mod_ldap, mod_auth_kerb, and mod_auth_pam. There are probably others
that I'm forgetting.

--
Bill Moran
http://www.potentialtech.com
Re: .htaccess or OS related?
In response to "Jos Chrispijn" <[EMAIL PROTECTED]>:

> I ran into a problem last night that I was able to solve, but generated a
> question:
>
> I have this hosting provider (uses Debian OS) on which I can't use htpasswd
> to generate user and password to protect a single file.
>
> To have this done I solved it as follows: did a htpasswd on my own server
> (FreeBSD 7) and simply copied the file with the user:password (scrambled) to
> my home directory I have with this hosting provider and referred in the
> .htaccess to it. And now comes the fun stuff: it worked without probs.
>
> So the algorithm that is used on FreeBSD to scramble a user password is the
> same as it is used by Debian? Isn't that a security gap?

The algorithm is part of Apache and has little or nothing to do with
the OS on which it runs.

And the encryption used to store passwords in .htaccess files is known
to be weak. If you need something strong, look to one of the other mod_*
security packages instead of .htaccess passwords.

--
Bill Moran
http://www.potentialtech.com