Here is a good site that has javascript with good samples and
information on MD5 (which is the encryption method that shttpd uses).
So if you generated your own logon form that sent a password, but didn't
display the password field, then you could still do the right thing
and implement something reasonably secure without them entering a
password.
Instead of my previous suggestion, hardcoding a password, make the
password a function of the username. Code that function in C and make
it part of the shttpd logic. Simple example: if username is "Abc123",
password would be "aBC987". You won't be able to use the built-in
logon screen on the browsers.
http://pajhome.org.uk/crypt/md5/auth.html
O'Reilly has a book out too that has code samples, but I just skimmed
over it at a bookstore one time. Here is a link which lets you browse
the index and some random chapters.
It lists other techniques you may be able to use which won't require
modifying shttpd. You'll still have to have a custom login screen, but
the chapter titles indicate it gives you sample code.
You also mention port 443s in ports, i.e., SSL. So if you can eliminate
SSL as one of the constraints, then you have a great deal of
flexibility.
http://www.amazon.com/exec/obidos/ASIN/0596003943/ref=nosim/rfc-archive-20
From: Rudi Farkas [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 05, 2008 9:35 AM
To: David Lethe
Cc: [email protected]
Subject: Re: [shttpd-general] shttpd : can we have an empty password ?
Hi David
Thank you for the suggestions.
I can also imagine other possibilities along similar lines, like
removing the file-specific password file when the user changes setting
to empty password, or removing the registration of the password file.
You seem to confirm implicitly that empty password is not a usable
option when using a password file. It seems that the mismatch between
what a browser sends back and what is in the password file, when both of
these correspond to the empty password, is intentional. I would be
curious to know whether this is defined in some standard, and how it is
implemented.
Best regards
Rudi Farkas
On Sun, Oct 5, 2008 at 12:38 AM, David Lethe <[EMAIL PROTECTED]> wrote:
From: Rudi Farkas [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2008 2:27 PM
To: [email protected]
Subject: [shttpd-general] shttpd : can we have an empty password ?
I have the requirement to 'protect' a specific file served by shttpd
with an empty password.
Leaving aside the question whether the requirement is reasonable, is it
possible to implement it using a password entry in a shttpd password
file ?
I tried to do this, but shttpd refuses the user response when the
password file specifies an empty password and browser user supplies an
empty password.
Is this fundamentally impossible, or am I doing something wrong ?
Here is my experiment that illustrates the problem:
1- install shttpd-1.42 on WinXP from the installer, to the default
directory C:\shttpd-1.42
2- modify the file shttpd.conf thus (keeps all files in the same
directory):
# SHTTPD web server configuration file.
# Lines starting with '#' and empty lines are ignored.
# For detailed description, visit
http://shttpd.sourceforge.net/shttpd.1.txt
root .
ports 80,443s
systray yes
access_log .\shttpd_access_log.txt
error_log .\shttpd_error_log.txt
auth_realm mydomain.com
protect /full.html=.pwdfull,/empty.html=.pwdempty
3- create 3 simple html files
\shttpd-1.42\empty.html
\shttpd-1.42\full.html
\shttpd-1.42\index.html
4- create 2 password files
C:\shttpd-1.42>shttpd -A .pwdempty mydomain.com me ""
C:\shttpd-1.42>shttpd -A .pwdfull mydomain.com me full
5- launch server
C:\shttpd-1.42>shttpd
Loading config file shttpd.conf
6- open a browser (IE7 or FF3 in my case) and navigate to
http://localhost
Browser opens index.html - OK
7- navigate to http://localhost/full.html
Browser asks for credentials - respond with "me" and "full"
shttpd accepts the response and browser opens full.html - OK
8- navigate to http://localhost/empty.html
Browser asks for credentials - respond with "me" and blank - type
nothing in password field, press OK
shttpd refuses the response and browser asks again for credentials ...
This is where I am stuck - is there anything I can do so that shttpd
would accept the response ?
Attached is a zip file with all test files mentioned in the experiment.
Any clarifications or ideas would be appreciated.
Rudi
----------------------------------------------------------------------------------------------------
Modify shttpd.c source code. When user enters empty password, code it
as if they used a password of "StupidMoronRequest". When you write to
the .htpasswd file, leave the password column empty. Then when the
logic authenticates a username/password pair, assume they entered that
password. You'll have to create a custom login form that sends a
non-blank password on, but accepts a blank password field. (Or if they
don't want to ever see a password field, then modify the HTML/Javascript
for the logon form to sneakily send "StupidMoronRequest" as the
password.)
Does the spec state that the password column in .htpasswd file needs to
be empty, or just that the user must not be required to fill out a
password field in the logon? In any event, above technique will work.
It will be less work for you if you can just hardcode the MD5
equivalent of "StupidMoronRequest" in the authorization logic.
David
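The exchange Rudi's experiment exercises (browser gets a 401 challenge, sends back username plus a digest, shttpd checks it against the file written by `shttpd -A`) is HTTP Digest authentication as specified in RFC 2617. The following is an added example, written for this page and not code from shttpd or from either poster, that computes both sides of that exchange in Python, including the empty-password case from step 8, so the expected client response can be compared with what the server stores. It assumes that `shttpd -A` writes Apache htdigest-style `user:realm:HA1` lines (the thread does not show the file contents); the nonce, client nonce, nonce count and request URIs are constructed for the example.

```python
import hashlib
import hmac
import re

# Realm, user and the two passwords come from the experiment in the thread.
# NONCE, CNONCE and NC are constructed for this example; a real server
# issues a fresh nonce with every challenge.
REALM = "mydomain.com"
NONCE = "5f1c2a9e7b3d4c6f"      # constructed server nonce
CNONCE = "0a4f113b"             # constructed client nonce
NC = "00000001"


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    # RFC 2617 3.2.2.2: HA1 = MD5(username ":" realm ":" password).
    # An empty password is simply MD5("user:realm:"), an ordinary 128-bit value.
    return md5_hex(f"{user}:{realm}:{password}")


def ha2(method, uri):
    # RFC 2617 3.2.2.3 with qop=auth: HA2 = MD5(method ":" digest-uri).
    return md5_hex(f"{method}:{uri}")


def digest_response(h1, nonce, nc, cnonce, qop, h2):
    # RFC 2617 3.2.2.1: response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2).
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def htdigest_line(user, realm, password):
    # Apache htdigest layout, user:realm:HA1; assumed to be what `shttpd -A`
    # writes.  Only HA1 is stored, never the password itself.
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def client_authorization(user, password, method, uri, nonce=NONCE, cnonce=CNONCE, nc=NC):
    """Build the Authorization header a browser sends after the 401 challenge."""
    resp = digest_response(ha1(user, REALM, password), nonce, nc, cnonce, "auth",
                           ha2(method, uri))
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict; values may be quoted or bare."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header[len("Digest "):])
    return {k: (quoted or bare) for k, quoted, bare in pairs}


def server_verify(header, method, password_lines):
    """Server side: recompute the response from the stored HA1 and compare.

    Returns True only when a stored line matches username and realm and the
    recomputed response equals the one the client sent.  The comparison is
    constant-time so a wrong guess does not leak how many digits matched.
    """
    a = parse_authorization(header)
    for line in password_lines:
        user, realm, stored_ha1 = line.strip().split(":", 2)
        if user != a["username"] or realm != a["realm"]:
            continue
        expected = digest_response(stored_ha1, a["nonce"], a["nc"], a["cnonce"],
                                   a["qop"], ha2(method, a["uri"]))
        return hmac.compare_digest(expected, a["response"])
    return False


def run_experiment():
    """Steps 7 and 8 of the thread, replayed against htdigest-style lines."""
    pwdfull = [htdigest_line("me", REALM, "full")]
    pwdempty = [htdigest_line("me", REALM, "")]
    return {
        "full_ok": server_verify(client_authorization("me", "full", "GET", "/full.html"),
                                 "GET", pwdfull),
        "empty_ok": server_verify(client_authorization("me", "", "GET", "/empty.html"),
                                  "GET", pwdempty),
        "wrong_pw": server_verify(client_authorization("me", "x", "GET", "/empty.html"),
                                  "GET", pwdempty),
    }


if __name__ == "__main__":
    for name, ok in run_experiment().items():
        print(name, ok)
```

Run as a script it prints the three outcomes of the replayed experiment. The point worth noticing is that `htdigest_line("me", REALM, "")` is a normal 32-hex-character digest and verifies like any other, so nothing in the digest computation itself distinguishes an empty password; if a server refuses it, the refusal comes from how that server handles the stored line or the blank browser field, which is the part of shttpd's code one would have to read. Two practical caveats: Digest over plain port 80 keeps the password off the wire but leaves the content in clear, and an empty password, however it is stored, protects nothing against anyone who knows the username.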
_______________________________________________
shttpd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shttpd-general