9front - general discussion about 9front
From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: auth/httpauth and /sys/lib/httppasswords
Date: Mon, 14 Dec 2015 13:49:39 +0100
Message-ID: <29bcf883eaa9995dfaee340354ba288d@felloff.net>

I'm going to remove /sys/lib/httppasswords functionality from
the authentication server with the coming dp9ik/AuthPAK changes,
and change auth/httpauth to use plain auth_userpasswd() which in
turn uses proto=p9cr to authenticate the user with its Inferno/POP
secret. I think there is no reason for the httppasswords file, as
you can as well put these users in your keydb or netkeydb, and not
add them to the fileserver's user database so they won't be able
to cpu in or mount the fs.

Alternatively, you could just assign a secret plan9 password that
the webshit user doesn't know (the Inferno/POP secret is independent
of the plan9 password).

The reason for the removal is that the AuthHttp authserver message
doesn't translate into the new dp9ik/AuthPAK scheme so it is subject
to the very attacks we try to fix. Also, having passwords in the clear
is not a good idea.

If anyone still uses /sys/lib/httppasswords, let me know.

--
cinap

