
Re: Is password good enough?



> Of course, if you have many users with shell access .htaccess isn't
> acceptable for the simple fact that users can look at the .htpasswd file
> for the legal usernames.  Hence the "rule" never use UNIX system account
> usernames and passwords for ".htaccess"-type authentication.

Well, you can deny your shell users access to the .htpasswd file; just 
run your http server with its own group or user id and limit reads and, 
of course, writes to the .htpasswd file to that user or group id.  It's 
not really a problem, is it?

                                   w h e r e
                                    w i l l
                                      W E
                                      b e
                                   ,-.i n
                                   ` / ----
                                   ,' ()()1  ?
                                   ~~~ ----
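
The permission scheme the reply describes, as an added example that is not part of the original message: an audit and lock-down routine for a password file. The function names are hypothetical, and the layout (mode 640, readable by the server's group, writable by the owning admin account only) is one assumed way to apply the advice.

```shell
#!/bin/sh
# Added example: audit and lock down an .htpasswd-style file so that only
# the web server's group can read it. Names and layout are assumptions.

# has_bits PATH MODE: true when every permission bit in MODE is set on PATH.
# Uses POSIX "find -perm -MODE", so no GNU- or BSD-specific stat is needed.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_htpasswd FILE: prints each finding; returns 0 when clean,
# 1 when there are findings, 2 when the file does not exist.
audit_htpasswd() {
    file=$1
    dir=$(dirname "$file")
    findings=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    if has_bits "$file" 004; then echo "world-readable: $file"; findings=1; fi
    if has_bits "$file" 002; then echo "world-writable: $file"; findings=1; fi
    if has_bits "$file" 020; then echo "group-writable: $file"; findings=1; fi
    # A world-writable directory lets another user replace the file outright.
    if has_bits "$dir" 002; then echo "world-writable directory: $dir"; findings=1; fi
    return "$findings"
}

# lock_htpasswd FILE GROUP: the server's group may read, nobody else may.
lock_htpasswd() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Constructed demo on a scratch file. The current user's primary group stands
# in for the server's group; on a real host use the group the server runs as.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/.htpasswd
printf 'alice:constructed-hash\n' > "$demo_file"
chmod 644 "$demo_file"
audit_htpasswd "$demo_file" || echo "-> needs fixing"
lock_htpasswd "$demo_file" "$(id -g)"
audit_htpasswd "$demo_file" && echo "-> clean"
rm -rf "$demo_dir"
```

Shell users who are not members of the server's group then get "permission denied" on the file, while the server can still read it for authentication.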

