On Sat, Apr 15, 2000 at 07:19:25PM -0400, John wrote:
> Nevermind...I got it.... I used Brink..... I just have a Linux server set
> up, and I wanted a web interface to change passwords instead of having to
> telnet or go directly to the server...
"Wanted a web interface to change passwords".... Uh oh...
Uno momento pour favor...
Are you changing passwords using a "secure" web server (https) or
a plain web server (http). You do understand that what little hashing of
passwords takes place in plain old http is lame at best. You can't
conceivably consider and web traffic, pages or form submittals, secure
unless they are SSL encrypted. Anyone who can sniff the wire can sniff
the password changes if they are on http. They need to be done on an
SSL protected server. Apache-ssl or Apache with mod-ssl.
> ----- Original Message -----
> From: "Strider Centaur" ">strider@scifi-fantasy.com>
> To: "John" ">jcouncilman@knology.net>
> Cc: ">ale@ale.org>
> Sent: Saturday, April 15, 2000 7:47 AM
> Subject: Re: [ale] Question about passwords / CGI
> > Im not sure what password you want to change. Most ISPs do not give
> out
> > shell accounts and thus never change system passwords. So if it is
> system
> > passwords your talking about my first advice is don't do this. It will
> only end
> > in tears.
> >
> > If you are talking about a password in something like a radius data
> base or
> > for a .htaccess file for apache or other application. Then ayou need to
> know the
> > form of encryption they support and use the appropriate encryption
> command in
> > the CGI. There is no one answer for all cases because there are many
> encryption
> > schemes used. For example Mod_Auth_MySQL module for Apache can have
> MySQL
> > scrambled passwords ( created with the password() function in mysql ) or
> standard
> > DES password encryption using the crypt function in languages like C.
> > Fortunately there is a command line utility provided with Apache for
> handling
> > .htaccess user files( htpasswd ).
> >
> > So it is really all a matter of what you are trying to set a password
> for.
> >
> > John wrote:
> >
> > > I was wondering if anyone could help me with this..... Many ISPs have a
> > > web-based form that allows users to change their own password. I'm
> trying
> > > to implement this on a small server I have set up, and I was curious
> about
> > > the best way to do this.... I've seen so far three different ways to
> do
> > > it. What is the "standard" way of doing this?
> > >
> > > John
> > >
> > > --
> > > To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message
> body.
> >
> > --
> > Strider Centaur
> > http://www.Scifi-Fantay.com
> >
> > " It is my observation that unless you really understand the issues,
> you are
> > hardly in a position to criticize. Nearly all Linux users have used
> Windows,
> > but very few Windows users have used Linux. " -- Me
> >
> >
> >
> >
>
> --
> To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.
--
Michael H. Warfield | (770) 985-6132 | ">mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.