
List:       apache-httpd-users
Subject:    Re: [users@httpd] htpasswd security question
From:       "Jacob Coby" <jcoby () listingbook ! com>
Date:       2002-08-30 20:45:50

> The name in the respective directory doesn't start with . it is plain
> htpasswd

I copied it from your original email :)

> If not, would it be an option to leave it as 777 and put an .htaccess
> file into the directory which would just deny all outside users?

Well, as long as you don't allow apache to serve the directory where you
store the passwords, you don't have a problem with securing the passwords
against web-users.  The only problem with leaving it 777 is that shell users
have full access to it, and can change the passwords to whatever they want.
Unless you can trust everybody who uses that server, I wouldn't leave
it 777.  If nothing else, change it to 644 (rw-r--r--) so that other users
cannot change it, only view it.  You don't need execute perms on a text file
:)

As long as you don't store your passwords in plaintext, viewing the contents
of a htpasswd won't give them anything other than usernames.  From that info
they can do a dictionary attack, but that's about it.  Getting usernames is
pretty easy even without access to your htpasswd, so it's pretty much a moot
point.  They can check out the home dirs in /home, look at the aliases file
for the MTA, etc.  If you're just using AuthType Basic, they can sniff out
unames/passwds by simply watching tcp traffic.

What I'm saying (in a nutshell) is: make htpasswd impossible to retrieve
from the browser.  Deny .ht* to everybody.  chmod 644 htpasswd.  You should
be good to go from there.  If you need better security, you'll have to pick
a different mechanism than apache's AuthType Basic.

-Jacob
http://www.listingbook.com
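The two checks the reply recommends, as an added example that is not part of the original post: a POSIX shell script that flags plaintext password fields in an htpasswd file and rejects group- or world-writable permissions (777), with the matching "deny .ht* to everybody" httpd.conf fragment in a comment. The sample file, its user names and hash values are constructed, and the crypt(3) length rule is a heuristic.

```shell
# Constructed sample htpasswd (not from the thread): MD5 ($apr1$), SHA
# ({SHA}), crypt(3) (13 chars) and bcrypt ($2y$, Apache 2.4+) entries as
# htpasswd(1) produces them, plus the plaintext entry the reply warns against.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
alice:$apr1$abcdefgh$aaaaaaaaaaaaaaaaaaaaaa
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$2y$05$abcdefghijklmnopqrstuuabcdefghijklmnopqrstuvwxyz0123456
dave:abXYZ123456ab
eve:hunter2
EOF
chmod 644 "$SAMPLE"   # rw-r--r--, as the reply recommends
# Print "hashed" or "plaintext" for one password field. The 13-character
# crypt(3) rule is a heuristic, so "hashed" really means "looks hashed".
classify_pw() {
  case "$1" in
    '$apr1$'*|'$2y$'*|'{SHA}'*) echo hashed ;;
    *) if [ "${#1}" -eq 13 ]; then echo hashed; else echo plaintext; fi ;;
  esac
}
# Print how many entries have a password field that looks like plaintext.
count_plaintext() {
  n=0
  while IFS=: read -r user pw; do
    if [ -n "$user" ] && [ "$(classify_pw "$pw")" = plaintext ]; then
      n=$((n + 1))
    fi
  done < "$1"
  echo "$n"
}
# Return 0 when the file is neither group- nor world-writable (644 passes,
# 777 fails), so other shell users can at most read it, not rewrite it.
perms_ok() {
  mode=$(ls -l "$1" | cut -c1-10)   # e.g. -rw-r--r--
  case "$mode" in
    ?????w*|????????w*) return 1 ;;
    *) return 0 ;;
  esac
}
# Web-side half of the advice, for httpd.conf (Apache 1.3/2.0 syntax):
#   <Files ~ "^\.ht">
#       Order allow,deny
#       Deny from all
#   </Files>
# plus AuthUserFile pointing at a path outside DocumentRoot.
echo "plaintext entries: $(count_plaintext "$SAMPLE")"
perms_ok "$SAMPLE" && echo "permissions ok" || echo "group/world-writable"
```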


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
