[lug] htpasswd security
Nick Golder
purenrg at hiveportal.net
Tue Mar 4 22:07:08 MST 2003
On 03-03-04 21:11 -0700, the infamous Timothy C. Klein uttered:
> Hey all,
>
> I run a web server (apache) on my home machine over DSL. I recently
> realized it would be *very* convenient to allow access to certain stuff
> at home over HTTP, as that is the only universal file transfer program
> I find on campus. So I put some of the stuff there, and set up an
> .htpasswd file in my home directory (above web root), and an .htaccess
> file in the protected directory. Both files have a file mode of 0644. I
> now have password access to the pages.
>
> How secure is this method of access? If I had ssh and a Unix machine at
> school, I would much rather use ssh, but as it stands it is damn
> inconvenient. So this method is quite nice. So nice, that I am
> pondering this: rather than go through the trouble of periodically
> updating which files I put in ~/public_html, I may just symlink to the
> directories where I keep work.
>
> Will this leave my wide open in some non-obvious way? I am no web guru.
>
> TIA,
> Tim
>
> PS -> There is nothing earth shattering on my machine, and currently
> all I am interested in hosting privately (as much as is possible) is
> homework, papers, and notes and such. Not really majorly sensitive, but
> still private. The machine also runs a firewall, tripwire, etc. (with
> the web port open, obviously.)
>
Adding SSL support to your web server is a quick and easy way to tighten
up your web server (but by no means the only way). Passwords for
.htaccess (actually all passwords on non-https servers) are passed as
clear text (yes, with the exception of IIS/Exploiter challenge response
authentication).
So, go SSL and don't look back. However, if you also use your box to do
public content hosting, you may want to look into virtual hosting with
SSL support. That way you could have www.yourdomain.com hosting all the
public goods and tim.yourdomain.com hosting JUST your content with SSL
keeping the two very seperate.
BTW- All this is with Apache in mind.
HTH
--
-Nick Golder
http://www.hiveportal.net
More information about the LUG
mailing list