home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
OS/2 Shareware BBS: 35 Internet
/
35-Internet.zip
/
srev13h.zip
/
USERS.DOC
< prev
next >
Wrap
Text File
|
2000-04-14
|
4KB
|
105 lines
15 June 1999. SRE-http username/password file
I. Introduction
I.a The usernames and passwords file (USERS.IN)
I.b Examples
I.c Advanced options: Dynamic passwords
----------------------------------
I. Introduction
The SRE-http USERS.IN file is used to register users. Each entry in
USERS.IN contains a username, a password, and an optional list of
client privileges.
----------------------------------
I.a) The usernames and passwords file (USERS.IN)
Each entry in the the USER_FILE (with default name USERS.IN) contains an
optional host nickname, a username, password, and privilege information. It is
used in two cases:
1. When logon is required of a client.
2. When information on privileges is needed.
The structure of the USER_FILE is:
HOST_NICKNAME// NAME PASSWORD PRIV1 PRIV2 ?PRIV_SECRET ...
where
HOST_NICKNAME// is the (optional) host to which this entry applies
NAME is the case insensitive username
PASSWORD is the password, which might be case sensitive
PRIV1 ... is an optional list of privileges.
Note: if a HOST_NICKNAME// is NOT specified, then an entry is valid
for ALL hosts. In other words, when processing USERS.IN "superceding" and
"strict-superceding" hosts are treated as if they were "non-superceding"
hosts.
----------------------------------
I.b) Examples
DANIEL A11S34WZ SUPERUSER
MIKE IOWAMAN CONSULTANT
JILL GOBOTS INHOUSE
JOHN KIOWA INHOUSE VENUS ?JUP1241
FLOWERS// CHARLES BROWN PRICELIST
ANONYMOUS * PUBLIC
In the above example:
@ DANIEL is given SUPERUSER privileges. This could be useful if DANIEL
needs to reset the server from an out-of-town site ... but it could be
dangerous (so use an obscure password)!
@ JILL and JOHN are IN-HOUSE users. Thus, if CHECKLOG=INHOUSE, then DANIEL,
JILL, and JOHN are allowed in, but MIKE is NOT allowed in (MIKE is allowed
in, given correct entry of his username and password, if CHECKLOG does not
equal INHOUSE).
@ JOHN is given VENUS privileges (as well as INHOUSE privileges). He is also
given a JUP1241 SECRET PRIVILEGE (which could be used as a second level
"password" in a security conscious addon -- see DYNPWD.DOC for details).
@ CHARLES has logon rights on the host with HOST NICKNAME of FLOWERS (but not
on any other host).
@ ANONYMOUS is given PUBLIC privileges, and can use any password (and
is valid across all hosts).
Note that * means "anything matches", and can be used in either the password
or username fields.
Note that all the passwords, in the above examples, are in upper case.
For basic authentication, this does not matter -- the client's authentication
information is converted to upper case. However, for digest authentication
case may matter -- SRE-http checks some, but not all, case permutations of the
password (entered by the user).
----------------------------------
I.c) Advanced options: Dynamic passwords
One of the problems of BASIC AUTHENTICATION (the method supported by most
http/1.0 clients) is that passwords can be easily decoded by a
"man-in-the-middle". Digest authentication, supported by SRE-http and http/1.1
browsers, largely solves this problem (by encoding passwords using advanced
cryptographic techniques). However, until the time that everyone uses http/1.1
browsers, there is a need for some intermediate technique.
SRE-http provides such a mechanism based on the client and the SRE-http server
sharing an encoding mechanism. This requires complementary procedures: one that
SRE-http can use to decode a password, and the other for a clent to encode one
(i,e.; a program she can run before filling in a password field on the browsers
authenticaton screen).
For details on this capability, see DYNPWDS.DOC.