[lug] htpasswd security

Nate Duehr nate at natetech.com
Wed Mar 5 01:50:29 MST 2003


Install the apache-ssl Debian package, if you want the "quick" way to set up
an SSL-enabled webserver on Debian.

It will install a completely separate apache that will have separate
directories for configuration, etc... so it won't hurt any of your existing
configuration.

The post-install script will also help you create a fake SSL key (non-signed
by a CA) that you can use ... your browser will whine a bit about it, but it
works fine for what you're setting up.

Nate Duehr, nate at natetech.com

----- Original Message -----
From: "Timothy C. Klein" <teece at silverklein.net>
To: <lug at lug.boulder.co.us>
Sent: Wednesday, March 05, 2003 1:13 AM
Subject: Re: [lug] htpasswd security


> * Nick Golder (purenrg at hiveportal.net) wrote:
> > On 03-03-04 21:11 -0700, the infamous Timothy C. Klein uttered:
> > > Hey all,
> > >
> > > I run a web server (apache) on my home machine over DSL. I recently
> > > realized it would be *very* convenient to allow access to certain stuff
> > > at home over HTTP, as that is the only universal file transfer program
> > > I find on campus. So I put some of the stuff there, and set up an
> > > .htpasswd file in my home directory (above web root), and an .htaccess
> > > file in the protected directory. Both files have a file mode of 0644. I
> > > now have password access to the pages.
> > >
> > > How secure is this method of access?  If I had ssh and a Unix machine at
> > > school, I would much rather use ssh, but as it stands it is damn
> > > inconvenient.  So this method is quite nice.  So nice, that I am
> > > pondering this:  rather than go through the trouble of periodically
> > > updating which files I put in ~/public_html, I may just symlink to the
> > > directories where I keep work.
> > >
> > > Will this leave me wide open in some non-obvious way?  I am no web guru.
> > Adding SSL support to your web server is a quick and easy way to tighten
> > up your web server (but by no means the only way).  Passwords for
> > .htaccess (actually all passwords on non-https servers) are passed as
> > clear text (yes, with the exception of IIS/Exploiter challenge response
> > authentication).
>
> Hah, quick and easy my left foot!  Well, joking aside, don't I have to
> buy a certificate to do this?  I can sign my own, but isn't that about
> useless?  Aside from that, I can't seem to get mod_ssl working as a
> module in Debian.  Maybe I will try the other version in unstable (with
> mod_ssl linked in), but I am not sure if it is worth the time I am
> having to invest.
>
> > So, go SSL and don't look back.  However, if you also use your box to do
> > public content hosting, you may want to look into virtual hosting with
> > SSL support.  That way you could have www.yourdomain.com hosting all the
> > public goods and tim.yourdomain.com hosting JUST your content with SSL
> > keeping the two very separate.
>
> Nah, this machine has only my stuff on it.  A vanity web page that gets
> hits from me, as it has ssh java app from mindterm.
>
> Thanks,
>
> Tim
> --
> ==============================================
> ==  Timothy Klein || teece at silverklein.net  ==
> ==  http://i148.denver.dsl.forethought.net  ==
> == ---------------------------------------- ==
> == "Hello, World" 17 Errors, 31 Warnings... ==
> ==============================================
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
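Nick's point above (htpasswd credentials over plain HTTP travel in the clear) and Tim's 0644 file mode, illustrated by an added example that is not part of the thread: a small Python audit of a constructed .htpasswd file that names each entry's hash scheme and flags a world-readable file, plus the Basic Authorization header a browser actually sends, which is base64 encoding rather than encryption. The sample entries and hash values are constructed, not taken from anyone's server.

```python
import base64
import re
import stat

# Constructed sample .htpasswd contents (not a real file from the thread).
# Formats htpasswd(1) can produce: MD5-APR1, crypt(3) DES, and plain text.
SAMPLE_HTPASSWD = """\
tim:$apr1$x7Qk2bL9$constructedApr1HashValue00
old:ab1cDeFgHiJkL
guest:secret
"""

def classify_hash(field):
    """Name the hash scheme of one htpasswd password field."""
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("{SHA}"):
        return "sha1"
    # 13 chars from the crypt alphabet: classic DES crypt(3). Note a 13-char
    # plain-text password is indistinguishable from this by inspection alone.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "crypt-des"
    return "plaintext"

def audit_htpasswd(text, mode):
    """Return findings for htpasswd text given the file's permission bits."""
    findings = []
    if mode & stat.S_IROTH:  # 0644 => any local user can read the hashes
        findings.append("file is world-readable; restrict to owner and the "
                        "web server's group (mode 0640)")
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, field = line.partition(":")
        scheme = classify_hash(field)
        if scheme == "plaintext":
            findings.append(f"{user}: password stored in plain text")
        elif scheme == "crypt-des":
            findings.append(f"{user}: crypt-des keeps only 8 chars; rehash")
    return findings

def basic_auth_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"

def credentials_from_header(header):
    """Recover user and password from a Basic header: encoding, not secrecy."""
    token = header.split("Basic ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password
```

Without TLS the header returned by basic_auth_header is what every hop between campus and the DSL line sees, which is why the thread's advice to put the protected directory behind SSL stands regardless of how the .htpasswd file is hashed.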