Re: CGI/1.0: last call

jern@spaceaix.jhuapl.edu
From: jern@spaceaix.jhuapl.edu
Message-id: <9312061356.AA18393@sdrmis.jhuapl.edu>
Subject: Re: CGI/1.0: last call
To: robm@ncsa.uiuc.edu (Rob McCool)
Date: Mon, 6 Dec 1993 08:56:01 -0500 (EST)
Cc: www-talk@nxoc01.cern.ch
In-reply-to: <9312052308.AA17863@void.ncsa.uiuc.edu> from "Rob McCool" at Dec 5, 93 05:08:05 pm
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2294

Rob writes:
> 
> /*
>  * Re: CGI/1.0: last call  by ts (decoux@moulon.inra.fr)
>  *    written on Dec  5,  1:40pm.
>  *
>  * > No.  Password should be kept inside the server for security reasons.
>  * > The environment variable REMOTE_USER is only defined if user has
>  * > successfully authenticated himself.  This should be enough.
>  * 
>  *  I *need* a password to open an Oracle database,  I don't want to write
>  * a cracker to retrieve it from password file.
>  * 
>  *  username:password can be sent in stdin.
>  */
> 
> The problem is that the username:password style doesn't work with future PEM
> and Kerberos based authentication schemes. 
> 
> I don't know if I agree with Ari's security objection, but making the
> unencrypted passwords places a large amount of trust between script writers
> and system administrators (not necessarily in your case, but in general when
> scripts are commonly available software). This is really the only reason I
> can see for not making the password available to the script. Have I missed
> something?
> 
> I would ask that you reconsider how you are planning to do this, perhaps you
> should maintain your own simple password file and grab the user's Oracle
> password from this file. This way, people do not have their Oracle passwords
> sent across the net, only their HTTP passwords, and in the future, only an
> encrypted request. The drawback is that you have to maintain two password
> files.
> 
> If this is completely unacceptable, or I have missed something, please let
> me know. I'll consider making the Authorization: line available to the
> script, but I am opposed to it.
> --Rob

Authentication must be the responsibility of the script writer.  While
httpd provides a measure of security, that security is not adequate for
the script writer.  Headers containing authentication information might
assist the script writer in selecting an authentication method but
abdicating the responsibility, i.e., relying on httpd to provide methods
for, say, Oracle access, would be a mistake.  Passing username:password
over a network certainly does not constitute safe security practices.  If
security is a concern, as it should be in updating databases, the script
writer has methods other than the username:password anachronism.

--bobj
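
An added example, not part of the original thread: a sketch of the arrangement Rob suggests, where a CGI script trusts the server-set REMOTE_USER and looks up the database account in its own private file instead of receiving the HTTP password. The `http_user:db_user:db_password` file format, the function names and the AUTH_TYPE check are assumptions made for illustration.

```python
import os
import stat


class CredentialError(Exception):
    """Raised when the script must refuse to open the database."""


def load_map(path):
    """Parse 'http_user:db_user:db_password' lines (assumed format)."""
    st = os.stat(path)
    # Refuse a map that other local accounts could read or modify.
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise CredentialError("credential map is accessible to group/other")
    if st.st_uid != os.getuid():
        raise CredentialError("credential map is not owned by the script user")
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            # maxsplit=2 keeps any ':' inside the database password intact.
            parts = line.split(":", 2)
            if len(parts) != 3:
                raise CredentialError("malformed line in credential map")
            entries[parts[0]] = (parts[1], parts[2])
    return entries


def db_credentials(environ, map_path):
    """Return (db_user, db_password) for the user httpd authenticated."""
    # REMOTE_USER is only defined after successful authentication, so the
    # script never needs to see the HTTP password itself.
    remote_user = environ.get("REMOTE_USER", "")
    if not remote_user or not environ.get("AUTH_TYPE"):
        raise CredentialError("request was not authenticated by the server")
    try:
        return load_map(map_path)[remote_user]
    except KeyError:
        raise CredentialError("no database account mapped for this user") from None
```

In a real script the call would be `db_credentials(os.environ, path)`, with the map file stored outside the document tree.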