---------- Forwarded message ----------
From: Archie Cobbs <archie@tribe.com>
Subject: Re: feature request (fwd)
To: brian@organic.com (Brian Behlendorf)
Date: Wed, 9 Aug 1995 13:18:17 -0700 (PDT)
Cc: new-httpd@hyperreal.com, archie@tribe.tribe.com

> On Wed, 9 Aug 1995, Florent Guillaume wrote:
> > > Since both Apache/htpasswd and login(1) use the same function to
> > > encrypt passwords, you'd think that you could just say:
> > >
> > > AuthUserFile /etc/passwd
> >
> > It is evil to use the system passwords for the WWW, because
> > these passwords are sent in clear to whoever asks them.

I agree with that general sentiment, but the encoding of the password across
the net is really an orthogonal issue. For example, suppose SSL was
implemented between client & server... I'd still have the same complaint.

> I'd use the term "unwise", but yeah, I agree that it shouldn't be
> suggested or necessarily enabled in our setup. MD5 authentication is
> going to require storing something other than the crypted password
> anyways.

That's true (and too bad for me). By the way, any projections as to
when this MD5 password encoding gets implemented?

-Archie
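Added example, not part of the original thread and not Apache project code: a small audit that scans Apache-style configuration text for an `AuthUserFile` that resolves to a system account database, the setup the thread calls unwise. The function name, the default `server_root` value, the list of system files, and the sample configuration are all assumptions constructed for illustration.

```python
import posixpath
import shlex

# Assumed list of system account databases that should not back HTTP auth.
SYSTEM_ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow", "/etc/master.passwd"}


def audit_auth_user_file(config_text, server_root="/usr/local/apache"):
    """Return (line_no, resolved_path) for every AuthUserFile directive that
    names a system account file. server_root is an assumed default and is
    overridden by a ServerRoot directive in the text. Symlinks are not
    resolved; only the textual path is normalised."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        try:
            tokens = shlex.split(line)  # handles quoted arguments
        except ValueError:
            continue  # unbalanced quotes: not a directive we can judge
        if len(tokens) < 2:
            continue
        directive = tokens[0].lower()  # directive names are case-insensitive
        if directive == "serverroot":
            server_root = tokens[1]
        elif directive == "authuserfile":
            path = tokens[1]
            if not path.startswith("/"):
                # Relative paths are taken relative to ServerRoot.
                path = posixpath.join(server_root, path)
            path = posixpath.normpath(path)
            if path in SYSTEM_ACCOUNT_FILES:
                findings.append((line_no, path))
    return findings


# Constructed sample configuration (not taken from any real server).
SAMPLE = """\
ServerRoot /
# AuthUserFile /etc/passwd   (commented out, ignored)
<Directory /home/www/private>
AuthType Basic
AuthName "staff"
authuserfile "etc/../etc/passwd"
</Directory>
<Directory /home/www/members>
AuthUserFile /usr/local/etc/httpd/conf/.htpasswd
</Directory>
"""
```
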