Re: [hackers] [quark] Thoughts on CGI and authentication?

From: Laslo Hunhold <dev_AT_frign.de>
Date: Fri, 23 Oct 2020 23:22:41 +0200

On Fri, 23 Oct 2020 17:10:37 +0200
José Miguel Sánchez García <soy.jmi2k_AT_gmail.com> wrote:

Dear José,

> That was the whole reasoning behind supporting digest authentication.
> Sure, TLS protects the connection from third parties messing around
> with your connection, but nothing prevents an evil/misconfigured
> server from stealing your cleartext password. At least with digest
> authentication, you know that the server is not seeing your password
> either (at least you would if the login UI for HTTP auth were barely
> usable and told you info about the security mechanism being used...
> I'm getting off track, sorry).

I see what you mean. Still, when you go via TLS, it makes sure that the
authenticity of the server is assured as well.

> > Keeping with the spirit of the current set of command line arguments
> > (e.g. -m for maps, of which you can specify as many as you want),
> > one could have a flag -p (protect/password/whatever) that takes a
> > group name and a cleartext password and applies it to all files
> > matching that group in the serving folder, for example '-m "nogroup
> > user:pw"'.
>
> I like that: simple and intuitive. Will do that, thanks!

You might also go with "group user pw", which saves us one more
"token"-format.

> I hope it ends up being a drop-in solution, looking at the code it
> seems like it will. We'll know when it's done ;)

It most probably will be.

With best regards

Laslo
Received on Fri Oct 23 2020 - 23:22:41 CEST
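The property José describes above, that with Digest authentication the server verifies the client without ever receiving the cleartext password, written out as a two-party exchange. This is an added example, not code from quark or from either poster: it implements RFC 2617 Digest with algorithm=MD5 and qop=auth (RFC 7616 adds SHA-256, which would only change the hash call); the realm, user name, password and request URI are made-up test values.

```python
"""HTTP Digest access authentication (RFC 2617, algorithm=MD5, qop=auth)
as a worked client/server exchange.  Added example, not quark code."""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # The only credential the server has to keep.  It is password-equivalent
    # for this realm, so it still needs protecting, but it is not the
    # cleartext password and it is useless against any other realm.
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1: str, method: str, uri: str, nonce: str,
                     nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm: str, ha1_by_user: dict):
        self.realm = realm
        self.ha1_by_user = ha1_by_user   # user -> HA1, no cleartext stored
        self.live_nonces = set()

    def challenge(self) -> dict:
        # Contents of the WWW-Authenticate: Digest ... header.
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth",
                "algorithm": "MD5"}

    def verify(self, method: str, authz: dict) -> bool:
        # Contents of the Authorization: Digest ... header from the client.
        nonce = authz.get("nonce")
        if nonce not in self.live_nonces or authz.get("realm") != self.realm:
            return False
        self.live_nonces.discard(nonce)   # single use: a replayed header fails
        ha1 = self.ha1_by_user.get(authz.get("username"))
        if ha1 is None:
            return False
        expected = compute_response(ha1, method, authz["uri"], nonce,
                                    authz["nc"], authz["cnonce"])
        return secrets.compare_digest(expected, authz["response"])


def client_authorize(username: str, password: str, chal: dict,
                     method: str, uri: str) -> dict:
    # The client hashes locally; only the hash travels to the server.
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    ha1 = compute_ha1(username, chal["realm"], password)
    return {"username": username, "realm": chal["realm"],
            "nonce": chal["nonce"], "uri": uri, "qop": "auth",
            "nc": nc, "cnonce": cnonce,
            "response": compute_response(ha1, method, uri, chal["nonce"],
                                         nc, cnonce)}


# Constructed test values (hypothetical realm, user and password).
REALM, USER, PASSWORD = "quark-test", "user", "s3cret-p4ss"


def make_server() -> DigestServer:
    return DigestServer(REALM, {USER: compute_ha1(USER, REALM, PASSWORD)})


def run_exchange(password_typed: str) -> bool:
    """One GET /secret using the given password; True if the server accepts."""
    server = make_server()
    chal = server.challenge()
    authz = client_authorize(USER, password_typed, chal, "GET", "/secret")
    return server.verify("GET", authz)


def wire_contains_password() -> bool:
    """Does the Authorization header carry the cleartext password?"""
    chal = make_server().challenge()
    authz = client_authorize(USER, PASSWORD, chal, "GET", "/secret")
    return PASSWORD in " ".join(str(v) for v in authz.values())


def replay_is_rejected() -> bool:
    server = make_server()
    authz = client_authorize(USER, PASSWORD, server.challenge(), "GET", "/secret")
    first = server.verify("GET", authz)
    return first and not server.verify("GET", authz)   # same nonce again


if __name__ == "__main__":
    print("right password accepted:", run_exchange(PASSWORD))
    print("wrong password accepted:", run_exchange("guess"))
    print("password on the wire:", wire_contains_password())
    print("replay rejected:", replay_is_rejected())
```

Two caveats the exchange makes visible: the server's stored HA1 is password-equivalent within its realm, so the "server never sees the password" benefit is about cleartext exposure, not about a compromised server being harmless; and nothing in the exchange tells the client who issued the challenge, which is the gap Laslo's point about TLS closes, since a rogue server that knows the realm still cannot recover the password but can happily collect one valid response per nonce it hands out.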
