LinuxQuestions.org
Old 10-11-2009, 09:57 AM   #1
your_shadow03
Authenticating the user through /etc/passwd for Apache?


I want all the users on your Unixish system to be able to authenticate themselves over the Web using their already-assigned usernames and passwords.

I tried setting up things and exploring the entry as:

<Directory "/home">
AuthType Basic
AuthName HomeDir
AuthUserFile /etc/passwd
Require valid-user
Satisfy All
</Directory>

Restarted the Apache but nothing worked when I tried browsing:
http://10.14.236.98/home

Am I missing anything?
 
Old 10-11-2009, 10:36 AM   #2
carltm
That won't work, because Basic authentication expects a certain format that isn't in /etc/passwd.

Please carefully read this answer from the Apache FAQ.

Quote:
Can I use my /etc/passwd file for Web page authentication?

Yes, you can - but it's a very bad idea. Here are some of the reasons:

* The Web technology provides no governors on how often or how rapidly password (authentication failure) retries can be made. That means that someone can hammer away at your system's root password using the Web, using a dictionary or similar mass attack, just as fast as the wire and your server can handle the requests. Most operating systems these days include attack detection (such as n failed passwords for the same account within m seconds) and evasion (breaking the connection, disabling the account under attack, disabling all logins from that source, et cetera), but the Web does not.
* An account under attack isn't notified (unless the server is heavily modified); there's no "You have 19483 login failures" message when the legitimate owner logs in.
* Without an exhaustive and error-prone examination of the server logs, you can't tell whether an account has been compromised. Detecting that an attack has occurred, or is in progress, is fairly obvious, though - if you look at the logs.
* Web authentication passwords (at least for Basic authentication) generally fly across the wire, and through intermediate proxy systems, in what amounts to plain text. "O'er the net we go/Caching all the way;/O what fun it is to surf/Giving my password away!"
* Since HTTP is stateless, information about the authentication is transmitted each and every time a request is made to the server. Essentially, the client caches it after the first successful access, and transmits it without asking for all subsequent requests to the same server.
* It's relatively trivial for someone on your system to put up a page that will steal the cached password from a client's cache without them knowing. Can you say "password grabber"?

If you still want to do this in light of the above disadvantages, the method is left as an exercise for the reader. It'll void your Apache warranty, though, and you'll lose all accumulated UNIX guru points.
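The "n failed passwords for the same account within m seconds" check that the quoted FAQ says the Web lacks can be run over the Apache access log after the fact. The following is an added example, not part of the thread or the Apache FAQ; the log lines are constructed, and the function name and the thresholds n and m are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample access-log lines (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Oct/2009:10:00:00 -0500] "GET /home/ HTTP/1.1" 401 401
192.0.2.10 - root [11/Oct/2009:10:00:01 -0500] "GET /home/ HTTP/1.1" 401 401
198.51.100.7 - root [11/Oct/2009:10:00:02 -0500] "GET /home/ HTTP/1.1" 401 401
192.0.2.10 - root [11/Oct/2009:10:00:03 -0500] "GET /home/ HTTP/1.1" 401 401
203.0.113.5 - alice [11/Oct/2009:10:00:05 -0500] "GET /home/ HTTP/1.1" 401 401
203.0.113.5 - alice [11/Oct/2009:10:01:30 -0500] "GET /home/ HTTP/1.1" 401 401
203.0.113.5 - alice [11/Oct/2009:10:03:00 -0500] "GET /home/ HTTP/1.1" 401 401
203.0.113.5 - alice [11/Oct/2009:10:03:05 -0500] "GET /home/ HTTP/1.1" 200 512
"""

def failed_login_bursts(lines, n=3, m=10):
    """Map each account with >= n failed logins inside m seconds to the
    source hosts seen in the window at the moment the threshold was hit."""
    window = timedelta(seconds=m)
    recent = defaultdict(deque)   # user -> (time, host) of recent 401s
    alerts = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        host, user, stamp, status = match.groups()
        # A 401 with user "-" is the initial challenge, not a failed password.
        # On a 401 the logged user is the name the client supplied, unverified.
        if status != "401" or user == "-":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[user]
        attempts.append((when, host))
        while when - attempts[0][0] > window:
            attempts.popleft()    # drop failures older than the window
        if len(attempts) >= n and user not in alerts:
            alerts[user] = sorted({h for _, h in attempts})
    return alerts

if __name__ == "__main__":
    for user, hosts in failed_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"possible password guessing against {user!r} from {hosts}")
```

Counting per account rather than per source address catches guessing that is spread over several hosts, which is the case for `root` in the sample.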
 
  

