[lug] htpasswd security

Timothy C. Klein teece at silverklein.net
Wed Mar 5 01:13:45 MST 2003


* Nick Golder (purenrg at hiveportal.net) wrote:
> On 03-03-04 21:11 -0700, the infamous Timothy C. Klein uttered:
> > Hey all,
> > 
> > I run a web server (apache) on my home machine over DSL. I recently
> > realized it would be *very* convenient to allow access to certain stuff
> > at home over HTTP, as that is the only universal file transfer program
> > I find on campus. So I put some of the stuff there, and set up an
> > .htpasswd file in my home directory (above web root), and an .htaccess
> > file in the protected directory. Both files have a file mode of 0644. I
> > now have password access to the pages.
> > 
> > How secure is this method of access?  If I had ssh and a Unix machine at
> > school, I would much rather use ssh, but as it stands it is damn
> > inconvenient.  So this method is quite nice.  So nice, that I am
> > pondering this:  rather than go through the trouble of periodically
> > updating which files I put in ~/public_html, I may just symlink to the
> > directories where I keep work.
> > 
> > Will this leave me wide open in some non-obvious way?  I am no web guru.
> Adding SSL support to your web server is a quick and easy way to tighten
> up your web server (but by no means the only way).  Passwords for
> .htaccess (actually all passwords on non-https servers) are passed as
> clear text (yes, with the exception of IIS/Exploiter challenge response
> authentication).

Hah, quick and easy my left foot!  Well, joking aside, don't I have to
buy a certificate to do this?  I can sign my own, but isn't that about
useless?  Aside from that, I can't seem to get mod_ssl working as a
module in Debian.  Maybe I will try the other version in unstable (with
mod_ssl linked in), but I am not sure if it is worth the time I am
having to invest.

> So, go SSL and don't look back.  However, if you also use your box to do
> public content hosting, you may want to look into virtual hosting with
> SSL support.  That way you could have www.yourdomain.com hosting all the
> public goods and tim.yourdomain.com hosting JUST your content with SSL
> keeping the two very separate.

Nah, this machine has only my stuff on it.  A vanity web page that gets
hits from me, as it has an ssh Java app from MindTerm.

Thanks,

Tim
--
==============================================
==  Timothy Klein || teece at silverklein.net  ==
==  http://i148.denver.dsl.forethought.net  ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==
==============================================
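
An added illustration of the two points raised in this thread (it is not code from the thread or from Apache): a Basic-auth `Authorization` header is only base64, so on a plain-HTTP server the password is readable by anyone watching the wire; and an `.htpasswd` line is a fast hash, so the file's mode (0644 is world-readable) matters as well. The credentials, header and modes below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import stat

# Constructed sample: the header a browser sends for Basic auth (tim / s3cret).
SAMPLE_HEADER = "Authorization: Basic " + base64.b64encode(b"tim:s3cret").decode()


def decode_basic_header(header_line):
    """Return (user, password) from an HTTP Basic Authorization header line.
    Base64 is an encoding, not encryption: whoever can observe the request
    on a non-HTTPS connection recovers the password directly."""
    value = header_line.split(":", 1)[1].strip()
    scheme, _, blob = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def make_sha_entry(user, password):
    """Build an .htpasswd line in Apache's {SHA} format (htpasswd -s):
    unsalted SHA-1 of the password, base64 encoded. Unsalted fast hashes
    are cheap to guess offline once someone can read the file."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def check_password(entry, user, password):
    """Verify user/password against one {SHA} .htpasswd line, using a
    constant-time comparison on the stored string."""
    name, _, stored = entry.partition(":")
    expected = make_sha_entry(user, password).partition(":")[2]
    return name == user and hmac.compare_digest(stored, expected)


def mode_is_world_readable(mode):
    """True if a file mode (e.g. 0o644) grants read to 'other', so every
    local account on the box could copy the password hashes."""
    return bool(mode & stat.S_IROTH)


def htpasswd_is_world_readable(path):
    """Same check applied to a real .htpasswd file on disk."""
    return mode_is_world_readable(os.stat(path).st_mode)
```

Dropping the file to 0640 (readable by the web server's group only) closes the local-read hole; only HTTPS closes the on-the-wire one.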
