CGI/1.0: last call (ts)
Date: Mon, 6 Dec 93 07:28:30 +0100
From: (ts)
Message-id: <>
In-reply-to: Rob McCool's message of Sun, 5 Dec 1993 17:08:05 -0600 <>
Subject: CGI/1.0: last call

> I don't know if I agree with Ari's security objection, but making the
> unencrypted passwords available places a large amount of trust between script
> writers and system administrators (not necessarily in your case, but in general
> when scripts are commonly available software). This is really the only reason I
> can see for not making the password available to the script. Have I missed
> something?
> I would ask that you reconsider how you are planning to do this, perhaps you
> should maintain your own simple password file and grab the user's Oracle
> password from this file. This way, people do not have their Oracle passwords
> sent across the net, only their HTTP passwords, and in the future, only an
> encrypted request. The drawback is that you have to maintain two password
> files.

 I don't want the unencrypted password; I can write C (or Perl) code to
decrypt an encrypted request.

 My problem is to retrieve a password with only a username. I can maintain
two password files, but I don't want to have a file on my server where
passwords are stored in plaintext.

 I'm paranoid ... For example, my file "/etc/passwd" looks like this (C2):

   AUpwdauthd:##AUpwdauthd:10:10:AUpwdauthd pseudo user::/bin/false
   AUyppasswdd:##AUyppasswdd:11:10:AUyppasswdd pseudo user::/bin/false


> If this is completely unacceptable, or I have missed something, please let
> me know. I'll consider making the Authorization: line available to the
> script, but I object to it.

 I'll try another solution ...


Guy Decoux
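The trust problem Rob describes above is easy to make concrete. As an added example (not code from this thread, from NCSA httpd, or from any CGI/1.0 implementation), the C routine below shows what a script would hold if the server exported the Authorization: line to it: HTTP Basic credentials are only base64-encoded, so any script handed the header recovers the cleartext user:password pair, whereas CGI/1.0 hands the script just the authenticated name in REMOTE_USER. The header value, the user "guy" and the password "s3cret" are constructed for the demonstration; the function names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>

/* Map one base64 alphabet character to its 6-bit value; -1 for padding or junk. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text (stopping at '=' padding) into a NUL-terminated buffer.
   Returns the decoded length, or -1 on an invalid character or overflow. */
static int b64_decode(const char *in, char *out, size_t outsz)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in && *in != '='; in++) {
        int v = b64_value((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz) return -1;   /* keep room for the NUL */
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Recover user and password from the value of an "Authorization:" header.
   Returns 0 on success, -1 if the scheme is not Basic or the token is malformed.
   (Hypothetical helper written for this example.) */
int basic_credentials(const char *header, char *user, size_t usz,
                      char *pass, size_t psz)
{
    char decoded[256];
    const char *colon;
    size_t ulen;

    while (*header == ' ' || *header == '\t') header++;
    if (strncasecmp(header, "Basic", 5) != 0) return -1;
    header += 5;
    if (*header != ' ') return -1;
    while (*header == ' ') header++;

    if (b64_decode(header, decoded, sizeof decoded) < 0) return -1;

    /* Basic credentials are "user:password"; the first colon separates them. */
    colon = strchr(decoded, ':');
    if (colon == NULL) return -1;
    ulen = (size_t)(colon - decoded);
    if (ulen >= usz || strlen(colon + 1) >= psz) return -1;

    memcpy(user, decoded, ulen);
    user[ulen] = '\0';
    strcpy(pass, colon + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample: what a server would hand the script if it exported
       the raw header. It is base64("guy:s3cret"), not an encryption of it. */
    const char *exported_header = "Basic Z3V5OnMzY3JldA==";
    char user[64], pass[64];

    if (basic_credentials(exported_header, user, sizeof user, pass, sizeof pass) == 0)
        printf("script given Authorization: sees user=%s password=%s\n", user, pass);

    /* What a CGI/1.0 script actually receives: the name only, no password. */
    const char *remote_user = getenv("REMOTE_USER");
    printf("CGI/1.0 script sees REMOTE_USER=%s and no password\n",
           remote_user ? remote_user : "(unset)");
    return 0;
}
```

Run it as `REMOTE_USER=guy ./a.out` to see both views side by side. The asymmetry is the whole argument: once the header is in the environment, every script on the server, including third-party ones, can do this decode, which is why keeping only REMOTE_USER leaves the Oracle-password lookup as a separate problem.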