CERN httpd - Protection passwords and groups

Nigel Metheringham ([email protected])
Thu, 09 Jun 1994 12:33:04 +0100


The current protection scheme in the CERN httpd uses unix like passwd
and group files. These are sequentially read on each protected access
check - which could be a problem if you have large numbers of users in
these databases.

Like many sites, much of the stuff we might want to protect would be
protected at a relatively low level, and be available to large subsets
of our users. We use NIS for distributing authorisation info (bad
idea I know).

I'd like to be make a change to the httpd protection stuff to enable
other sources of authorisation info than flat files. The sort of
change I was wondering about was to change the spec for the passwd &
group files to allow this sort of spec:-

PasswordFile /some/flat/file # ie as present
PasswordFile //nis:nis_map_name # use NIS map nis_map_name
PasswordFile //dbm:/dbm/file/spec # DBM hashed password file
PasswordFile //netinfo:/net/in/spec # NeXT netinfo

[not sure about the netinfo - since it is richer than NIS it could
present more problems...] Group file specs would look similar.

The main advantages this would give is keyed lookups (saving in time
when accessing auth info), flexibility - you can keep info in (say)
NIS, and it doesn't *have* to be just in a NIS system passwd file.

As an extension to this, NIS netgroups could also be used to control
access - both for hosts and users. However this needs slightly more
serious mods to the appropriate areas of httpd.

[Pause while dons asbestos underware]
Any comments on this please....?

Nigel.

--
- Nigel Metheringham  --  EMail: [email protected] [email protected] -
- System Administrator, Electronics Dept, University of York, York YO1 5DD -
- Tel: +44 904 432374, Fax: +44 904 432335 | PGP key available from WWW    -
- WWW: http://www.amp.york.ac.uk/~nm4/     |                               -