Re: CGI/1.0: last call
jern@spaceaix.jhuapl.edu
Mon, 6 Dec 1993 08:56:01 -0500 (EST)
Rob writes:
>
> /*
> * Re: CGI/1.0: last call by ts (decoux@moulon.inra.fr)
> * written on Dec 5, 1:40pm.
> *
> * > No. Password should be kept inside the server for security reasons.
> * > The environment variable REMOTE_USER is only defined if user has
> * > successfully authenticated himself. This should be enough.
> *
> * I *need* a password to open an Oracle database, I don't want to write
> * a cracker to retrieve it from password file.
> *
> * username:password can be send in stdin.
> */
>
> The problem is that the username:password style doesn't work with future PEM
> and Kerberos based authentication schemes.
>
> I don't know if I agree with Ari's security objection, but making the
> unencrypted passwords places a large amount of trust between script writers
> and system administrators (not necessarily in your case, but in general when
> scripts are commonly available software). This is really the only reason I
> can see for not making the password available to the script. Have I missed
> something?
>
> I would ask that you reconsider how you are planning to do this, perhaps you
> should maintain your own simple password file and grab the user's Oracle
> password from this file. This way, people do not have their Oracle passwords
> sent across the net, only their HTTP passwords, and in the future, only an
> encrypted request. The drawback is that you have to maintain two password
> files.
>
> If this is completely unacceptable, or I have missed something, please let
> me know. I'll consider making the Authorization: line available to the
> script, but I am objected to it.
> --Rob
Authentication must be the responsibility of the script writer. While
httpd provides a measure of security that security is not adequate for
the script writer. Headers containing authentication information might
assist the script writer in selecting an authentication method but
abdicating the responsibility, i.e., relying on httpd to provide methods
for, say Oracle access, would be a mistake. Passing username:password
over a network certainly does not constitute safe security practices. If
security is a concern, as it should be in updating databases, the script
writer has methods other that the username:password anachronism.
--bobj