Message-ID: <29bcf883eaa9995dfaee340354ba288d@felloff.net>
List-ID: <9front.9front.org>
Subject: auth/httpauth and /sys/lib/httppasswords
Date: Mon, 14 Dec 2015 13:49:39 +0100
From: cinap_lenrek@felloff.net
To: 9front@9front.org

I'm going to remove /sys/lib/httppasswords functionality from the
authentication server with the coming dp9ik/AuthPAK changes, and
change auth/httpauth to use plain auth_userpasswd() which in turn
uses proto=p9cr to authenticate the user with its Inferno/POP secret.

I think there is no reason for the httppasswords file, as you can
as well put these users in your keydb or netkeydb, and not add them
to the fileserver's user database so they won't be able to cpu in or
mount the fs. Alternatively, you could just assign a secret plan9
password that the webshit user doesn't know (the Inferno/POP secret
is independent of the plan9 password).

The reason for the removal is that the AuthHttp authserver message
doesn't translate into the new dp9ik/AuthPAK scheme so it is subject
to the very attacks we try to fix. Also, having passwords in the
clear is not a good idea.

If anyone still uses /sys/lib/httppasswords, let me know.

--
cinap