On 9/22/05, Timothy Chagnon <[EMAIL PROTECTED]> wrote:

> Since apache2 or thereabouts, htpasswd entries can use MD5 hashes just
> like the /etc/shadow file. And they're both colon delimited, so you
> just need to take the first two columns from the shadow file.
To do this you need to use mod_auth_digest, but first read the caveats in the documentation:

http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html

It's still considered experimental, and as of the writing of the doc, not all browsers supported it, but the ones that don't are mostly little known ones like something called Internet Explorer <G>.

You might also consider the security of http authentication passwords before deciding to make it a policy to share logon and http authentication passwords.

RFC2617 describes the HTTP digest authorization protocol, and reading the security considerations section is enlightening. While the digest method does prevent passwords from being sent in the clear, it does little to strengthen defenses against well known attacks. AND Apache's mod_auth_digest only implements a watered down version of RFC2617 since it doesn't provide a way to use the limited-time nonce values specified in the RFC to salt the hashes used.

http://ftp.ics.uci.edu/pub/ietf/http/rfc2617.txt

So it looks to me that using user passwords for http authentication over the internet is more likely to expose those passwords.

If you are going to do it, I'd recommend not running a telnet daemon (which you shouldn't be doing anyway) and if you are running an ssh daemon, to configure it to use pub key authentication and NOT to allow password authentication.

--
Rick DeNatale

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/
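The RFC 2617 digest exchange the reply refers to, as an added example that is not part of the thread: it computes the client's response from HA1 (the MD5(user:realm:password) value a digest file stores instead of the password) and the server's check against that file, and shows why a response captured under one nonce is useless under another. User, realm, password and URI are constructed sample values.

```python
"""RFC 2617 HTTP Digest authentication: client response and server verification."""
import hashlib
import secrets
from typing import Optional


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is what the digest file holds,
    which is why a crypt()/shadow hash cannot stand in for it."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: str = "00000001",
                    cnonce: str = "") -> str:
    """Client-side response value. Without qop: MD5(HA1:nonce:HA2).
    With qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{ha1}:{nonce}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(digest_file_line: str, realm: str, method: str, uri: str,
                  nonce: str, client_response: str, qop: Optional[str] = None,
                  nc: str = "00000001", cnonce: str = "") -> bool:
    """Recompute the expected response from the stored HA1 (user:realm:HA1
    line format) and compare in constant time."""
    _user, file_realm, stored_ha1 = digest_file_line.strip().split(":", 2)
    if file_realm != realm:
        return False
    expected = digest_response(stored_ha1, method, uri, nonce, qop, nc, cnonce)
    return secrets.compare_digest(expected, client_response)


def demo() -> tuple:
    """Constructed exchange: a valid response under the issued nonce, then
    the same response replayed against a freshly issued nonce."""
    user, realm, password, uri = "alice", "private", "correct horse", "/private/"
    file_line = f"{user}:{realm}:{make_ha1(user, realm, password)}"
    nonce, cnonce = secrets.token_hex(16), secrets.token_hex(8)
    resp = digest_response(make_ha1(user, realm, password), "GET", uri,
                           nonce, "auth", "00000001", cnonce)
    accepted = server_verify(file_line, realm, "GET", uri, nonce, resp,
                             "auth", "00000001", cnonce)
    replayed = server_verify(file_line, realm, "GET", uri, secrets.token_hex(16),
                             resp, "auth", "00000001", cnonce)
    return accepted, replayed
```

The second value in `demo()` is only False because the server issued a new nonce; a server that reuses one fixed nonce accepts the captured response indefinitely.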
