12-13-2000 09:02 AM
use of Unix crypt command in conjunction with web page login
Regards,
Dave
12-14-2000 07:45 AM
Re: use of Unix crypt command in conjunction with web page login
I'd have a couple of other concerns:
1. By default, the web uses HTTP. This transmits in plain text. If the crypt key is transmitted to or from the web server, then this method is inherently insecure. (Anyone sniffing the network will see the key in plain text.)
An alternative is to use HTTPS: This uses HTTP on top of SSL -- it's encrypted (usually) and offers more security. (Hey, if it's good enough for banks... :-)
2. A big problem with `crypt` is that the key is specified on the command-line. Anyone on the system running "ps -ef" will see the crypt program and the command-line key. Again, inherently insecure. But, this is a local exploit, not a remote network risk.
An alternative: Download ufc (ultra fast crypt) or the source for crypt and compile it yourself. Be sure to modify the code to accept the key as the first line of input.
3. Another risk (in general) comes from the ability for a cgi script to execute code specified by a remote user/browser. If the key is specified by the remote user (aka, enter login), be sure to quote the value. Otherwise, I can enter a key like "password ; echo '\n+ +\n' > ~/.rhosts".
What's that? When you call crypt with my input, the command-line call will first run crypt and then add "+ +" to the web server's .rhosts. Now I can login as the web server user (usually root or httpd) without a password.
If you're just looking to encrypt the data being passed, I'd recommend using HTTPS instead.
If you're just looking for a login password, try using .htaccess or .nsconfig to specify a password file. (Don't specify /etc/passwd!)
If you're really paranoid, do both.
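Concerns 2 and 3 in the reply above (key passed on the command line, key re-parsed by a shell), shown side by side with the stdin approach it suggests; this is an added example, not part of the original thread. `stub_crypt_argv` and `stub_crypt_stdin` are hypothetical stand-ins for `crypt` and for a rebuilt crypt that reads its key from the first line of input, and the hostile key is constructed so that it only creates a marker file in a temporary directory.

```shell
#!/bin/sh
# Added example. stub_crypt_argv / stub_crypt_stdin are hypothetical stand-ins
# for crypt(1) and for a rebuilt crypt that takes its key as the first input line.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
MARKER="$WORK/injected"

# Constructed hostile key: same shape as the one quoted in the post, but the
# injected command only creates a marker file inside the temp directory.
HOSTILE_KEY="password ; : > $MARKER"

stub_crypt_argv()  { cat >/dev/null; }   # key would sit in argv, visible to ps
stub_crypt_stdin() { IFS= read -r key; cat >/dev/null; printf '%s' "$key"; }

# Vulnerable pattern: the key is pasted into a command string that a shell
# parses again (eval here stands in for a CGI's system("crypt $key") call).
unsafe_call() {
    rm -f "$MARKER"
    eval "stub_crypt_argv $1" </dev/null
    if [ -e "$MARKER" ]; then echo injected; else echo clean; fi
}

# Hardened pattern: the key travels as the first line of stdin via a
# here-document, so it is never re-parsed as shell syntax and never in argv.
safe_call() {
    rm -f "$MARKER"
    # A newline in the key would spill into the data stream, so refuse it.
    case $1 in *'
'*) echo rejected; return 0 ;; esac
    got=$(stub_crypt_stdin <<EOF
$1
form data to encrypt
EOF
)
    if [ -e "$MARKER" ]; then echo injected
    elif [ "$got" = "$1" ]; then echo clean
    else echo mangled; fi
}

echo "unsafe: $(unsafe_call "$HOSTILE_KEY")"
echo "safe:   $(safe_call "$HOSTILE_KEY")"
```
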
01-19-2001 07:47 AM
Re: use of Unix crypt command in conjunction with web page login
for Neil who states:
An alternative is to use HTTPS: This uses HTTP on top of SSL -- it's encrypted (usually) and offers more security. (Hey, if it's good enough for banks... :-)
Q: OK, how do you get SSL (or even HTTPS) for HPUX 11.x?
Just wondering if you'd elaborate please.
01-06-2004 06:35 AM
Re: use of Unix crypt command in conjunction with web page login
The Enterprise ($$) version of iPlanet has encryption (SSL/HTTPS) built in. Apache utilizes SSL (http://httpd.apache.org/docs-2.1/en/ssl/ssl_faq.html). OpenSSL is also available for multiple OS platforms (http://www.openssl.org/).
01-06-2004 06:41 AM
Re: use of Unix crypt command in conjunction with web page login
Full functionality is built into the HP web suite:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW101001
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com