Operating System - HP-UX
use of Unix crypt command in conjunction with web page login

David Fosgate_2
Occasional Advisor


We are implementing a front-end to allow access to our application through the web. Our front-end is perl script accepting login information for access to our application. The crypt command appears to fairly safe other than the limitations stated in the man page. Are there better options for encrypting our login data with a web front-end?

Regards,

Dave
4 REPLIES
Neal Krawetz
New Member

Re: use of Unix crypt command in conjunction with web page login

Hi,

I'd have a couple of other concerns:
1. By default, the web uses HTTP. This transmits in plain text. If the crypt key is transmitted to or from the web server, then this method is inherently insecure. (Anyone sniffing the network will see the key in plain text.)
An alternative is to use HTTPS: This uses HTTP on top of SSL -- it's encrypted (usually) and offers more security. (Hey, if it's good enough for banks... :-)

2. A big problem with `crypt` is that the key is specified on the command-line. Anyone on the system running "ps -ef" will see the crypt program and the command-line key. Again, inherently insecure. But, this is a local exploit, not a remote network risk.
An alternative: Download ufc (ultra fast crypt) or the source for crypt and compile it yourself. Be sure to modify the code to accept the key as the first line of input.

3. Another risk (in general) comes from the ability for a cgi script to execute code specified by a remote user/browser. If the key is specified by the remote user (aka, enter login), be sure to quote the value. Otherwise, I can enter a key like "password ; echo '\n+ +\n' > ~/.rhosts".
What's that? When you call crypt with my input, the command-line call will first run crypt and then add "+ +" to the web server's .rhosts. Now I can login as the web server user (usually root or httpd) without a password.

If you're just looking to encrypt the data being passed, I'd recommend using HTTPS instead.

If you're just looking for a login password, try using .htaccess or .nsconfig to specify a password file. (Don't specify /etc/passwd!)

If you're really paranoid, do both.
If you can't say something nice, say what you're thinking nicely.
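Neal's second and third points (the key showing up in `ps -ef` and unquoted user input reaching the shell) can both be avoided by never handing the login data to an external `crypt` process at all. The following Perl snippet is an added illustration, not code from this thread or from HP-UX: it contrasts the risky shell-invocation pattern with a version that uses Perl's built-in `crypt()` function (a direct libc call, so no subprocess, no argv, no shell) plus input validation. The user name, password, salt and validation limits are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the thread): verifying a web login without
# spawning a shell or putting the key on a command line.
use strict;
use warnings;

# RISKY pattern the thread warns about: $input is interpolated into a
# shell command line. The key is visible to `ps -ef`, and any shell
# metacharacters in $input are parsed and executed by /bin/sh.
# Kept here only for contrast; it is never called.
sub check_password_unsafe {
    my ($input, $stored) = @_;
    my $got = `crypt $input < /dev/null`;   # DO NOT USE
    return $got eq $stored;
}

# Safer: Perl's built-in crypt() calls the C library directly.
# Using the stored hash as the salt argument makes crypt() pick up the
# salt embedded in the hash, so equal output means the password matches.
sub check_password {
    my ($input, $stored_hash) = @_;
    # Accept only printable ASCII of bounded length before using it anywhere.
    return 0 unless defined $input && $input =~ /\A[\x20-\x7e]{1,128}\z/;
    return crypt($input, $stored_hash) eq $stored_hash ? 1 : 0;
}

# Constructed user table; the hash is produced with a fixed 2-char salt
# so the example is self-contained. A real deployment would read hashes
# from a file that is NOT /etc/passwd and is readable only by the server.
my %users = (
    dave => crypt('correct horse', 'ab'),
);

sub login_ok {
    my ($user, $password) = @_;
    # Whitelist the user name too: it must never reach a shell either.
    return 0 unless defined $user && $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;
    return 0 unless exists $users{$user};
    return check_password($password, $users{$user});
}

# If an external program is genuinely required, call it in list form so
# no shell is involved and arguments are never parsed for metacharacters,
# and feed any secret on stdin (e.g. via IPC::Open2) rather than on argv:
#   system('/usr/bin/somecmd', '--user', $user) == 0 or die "somecmd failed";

printf "%s\n", login_ok('dave', 'correct horse') ? 'login ok' : 'login denied';
printf "%s\n", login_ok('dave', 'wrong password') ? 'login ok' : 'login denied';
printf "%s\n", login_ok('dave; rm -rf /', 'correct horse') ? 'login ok' : 'login denied';
```

Run it with `perl login.pl`; the first call prints `login ok` and the other two print `login denied`. The point is that with `crypt()` as a library call there is no command line to observe and no shell to inject into, so the quoting problem Neal describes never arises; the regex checks are a second layer that also protects any later step that does shell out.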
Michael Koslosky
Occasional Contributor

Re: use of Unix crypt command in conjunction with web page login

This is not so much a reply as a question for Neal, who states:
An alternative is to use HTTPS: This uses HTTP on top of SSL -- it's encrypted (usually) and offers more security. (Hey, if it's good enough for banks... :-)

Q: OK, how do you get SSL (or even HTTPS) for HPUX 11.x?

Just wondering if you'd elaborate please.
Jeromy Gregg
Advisor

Re: use of Unix crypt command in conjunction with web page login

To answer Michael's question...
The Enterprise ($$) version of iPlanet has encryption (SSL/HTTPS) built in. Apache utilizes SSL (http://httpd.apache.org/docs-2.1/en/ssl/ssl_faq.html). OpenSSL is also available for multiple OS platforms (http://www.openssl.org/).
Steven E. Protter
Exalted Contributor

Re: use of Unix crypt command in conjunction with web page login

The apache web server that comes with HP-UX is SSL and https enabled. Right out of the box.

Full functionality is built into the HP web suite:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW101001

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com