.htaccess or OS related?
Mel
fbsd.questions at rachie.is-a-geek.net
Mon Jul 7 15:44:27 UTC 2008
On Monday 07 July 2008 14:46:47 Bill Moran wrote:
> In response to "Jos Chrispijn" <jos at webrz.net>:
> > Bill,
> >
> > > -----Original Message-----
>
> Keep the list in the loop on replies.
>
> > > The algorithm is part of Apache and has little or nothing to do with
> > > the OS on which it runs.
> >
> > I see, so .htpasswd is an Apache utility then; didn't know that.
> >
> > > And the encryption used to store passwords in .htaccess files is known
> > > to be weak. If you need something strong, look to one of the other
> > > mod_* security packages instead of .htaccess passwords.
> >
> > What other mod_* security package would you recommend?
>
> I won't _recommend_ anything. However, I will point out that there's a
> mod_ldap, mod_auth_kerb, and mod_auth_pam. There are probably others
> that I'm forgetting.
The encryption of htpasswd files is only a concern when:
- the password databases themselves are downloadable
- you have a shared host and local users have access to your password
databases
Using one of the modules described above won't solve anything (as you can
still store the passwords in MD5 or an even weaker hash) and will need support
from your hosting provider. Those modules are meant to centralize user
management, not to increase password encryption.
If you want to improve the hash with which passwords are stored, then use
the '-s' option to htpasswd(1), which will use SHA rather than MD5. If you
want to protect your users more, then you should use mod_auth_digest, which
instructs the browser to hash its password before sending it over the
internet.
--
Mel
Problem with today's modular software: they start with the modules
and never get to the software part.
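As an added example (not part of Mel's post or of the thread), the following Python reproduces the two formats the post mentions: the `{SHA}` line that `htpasswd -s` writes, and the MD5-based Digest exchange (RFC 2617, qop=auth) that mod_auth_digest relies on, where the browser sends a hash bound to a server nonce instead of the password. The user, password, realm and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials (not taken from the thread).
USER, PASSWORD, REALM = "alice", "correct horse", "Private Area"

def htpasswd_sha_line(user: str, password: str) -> str:
    """Build the line `htpasswd -s` writes: user:{SHA} + base64(SHA-1(password)).
    The hash is unsalted, so two users with the same password get identical hashes."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def check_htpasswd_sha(line: str, user: str, password: str) -> bool:
    """Server-side check for Basic auth: recompute the hash and compare in constant time."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)

def htdigest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); this is what htdigest(1) stores for
    mod_auth_digest, so the server never needs the plaintext password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    HA2 = MD5(method:uri). The browser sends this, not the password."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def server_verifies(stored_ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, client_response: str) -> bool:
    """mod_auth_digest side: recompute the response from the stored HA1 and compare."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)

if __name__ == "__main__":
    line = htpasswd_sha_line(USER, PASSWORD)
    print(line, check_htpasswd_sha(line, USER, PASSWORD))
    # Digest exchange: the server issues a nonce; the client answers with a hash.
    nonce, cnonce, nc = "constructed-server-nonce", "constructed-client-nonce", "00000001"
    ha1 = htdigest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, "GET", "/private/", nonce, nc, cnonce)
    print(resp, server_verifies(ha1, "GET", "/private/", nonce, nc, cnonce, resp))
```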