9front - general discussion about 9front
* auth/httpauth and /sys/lib/httppasswords
@ 2015-12-14 12:49 cinap_lenrek
From: cinap_lenrek @ 2015-12-14 12:49 UTC (permalink / raw)
  To: 9front

I'm going to remove /sys/lib/httppasswords functionality from
the authentication server with the coming dp9ik/AuthPAK changes,
and change auth/httpauth to use plain auth_userpasswd() which in
turn uses proto=p9cr to authenticate the user with its Inferno/POP
secret. I think there is no reason for the httppasswords file, as
you can as well put these users in your keydb or netkeydb, and not
add them to the fileserver's user database so they won't be able
to cpu in or mount the fs.

Alternatively, you could just assign a secret plan9 password that
the webshit user doesn't know (the Inferno/POP secret is independent
of the plan9 password).

The reason for the removal is that the AuthHttp authserver message
doesn't translate into the new dp9ik/AuthPAK scheme so it is subject
to the very attacks we try to fix. Also, having passwords in the clear
is not a good idea.

If anyone still uses /sys/lib/httppasswords, let me know.

--
cinap

