Re: [vox-tech] htaccess and encrypted passwords

2005-03-16 Thread Mark K. Kim
On Wed, 16 Mar 2005, Peter Jay Salzman wrote:
> [snip]
> AuthType  Basic
> [snip]
> I've read that it's possible to make this more secure than sending a
> password uuencoded over the net.  I've seen references to md5 protecting the
> password, but the documents I read said that no browser supports this.
> Is this true?

It's true.  Or at least I tried it and I couldn't get it to work so I gave
up on it.

> Any other way to make this reasonably more secure?

HTTPS/SSL is the way to go, of course.  Problem is you gotta pay to get an
authority to sign your server's keys otherwise the visitor gets
unverifiable key messages.  It's not a problem if your visitors know
what they're doing.

Here's another method: some people use a Javascript/PHP solution.  They
create a website with a login screen, and upon clicking submit, Javascript
code encrypts the password and sends that data along with the username to
the server, where PHP/ASP/CGI code checks the encrypted password.  You can
probably find cookie-cutter Javascript code for this on the web somewhere.
Future sessions need to be kept track of in this case, though, otherwise
you gotta keep logging in every time you want a protected resource (and you
gotta code the server to keep asking for the username & password.)

Even if you implement all that, you can't stop there, since all that does
is protect your cleartext password, not the server -- otherwise someone
who can see the transaction can log in to the account using the encrypted
password (it doesn't matter if they can't see the actual password as long
as they know what string to send to the server.)  To protect the server
and the user's account, the server should send a challenge to the client,
and the client should respond with an appropriate key, to link the
recipient to the server[1].  Here's one way:

   1. The server generates a login webpage.  The login page
      is uniquely stamped with two Javascript variables called
      key and value, a key-value pair that the server also
      keeps track of.

   2. The user types in username and password on the webpage
      and clicks submit.

   3. The Javascript code reads the password, concatenates it with
      the value from #1, and MD5s it.  The JS code sends the
      username, the MD5 of password+value, and the key to the server.

   4. The server reads the key and finds the corresponding value in
      its database.  The server also reads the username and finds
      the corresponding password in its database.  It concatenates
      the two and MD5s it, and compares the result with the MD5
      sent from the client.

   5. If the two MD5s match, log the user in and keep track of the
      client's session.  Otherwise reject the login request.

This is still not secure, since the server is vulnerable to anyone trying
to access the website using the client's session ID.  To prevent that, you
need HTTPS/SSL or some sort of constantly secure connection, not just a
connection that verifies and protects the login process.  (If you really
really want to, you could probably use a Javascript/PHP combination to keep
the entire session encrypted, but it's not a very fun thing to do.)

-Mark


[1] It's interesting to note that Leslie Lamport of LaTeX fame came up
with the concept of Challenge-Response in a security context.  The example
I give here is different from Leslie Lamport's original idea, though.

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage
___
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech


Re: [vox-tech] htaccess and encrypted passwords

2005-03-16 Thread Ryan
On Tuesday 15 March 2005 10:56 pm, Peter Jay Salzman wrote:
> I've read that it's possible to make this more secure than sending a
> password uuencoded over the net. I've seen references to md5 protecting
> the password, but the documents I read said that no browser supports this.
> Is this true?

It is supported by most browsers.

Note: Digest authentication is more secure than Basic authentication, but
only works with supporting browsers. As of September 2004, major browsers
that support digest authentication include Amaya, Konqueror, MS Internet
Explorer for Mac OS X and Windows (although the Windows version fails when
used with a query string -- see Working with MS Internet Explorer below for
a workaround), Mozilla, Netscape 7, Opera, and Safari. lynx does not
support digest authentication. Since digest authentication is not as widely
implemented as basic authentication, you should use it only in environments
where all users will have supporting browsers.

http://httpd.apache.org/docs/mod/mod_auth_digest.html

-- 
Ryan Castellucci - http://ryanc.org/
GPG Key: http://ryanc.org/files/publickey.asc


[vox-tech] Exporting displays

2005-03-16 Thread John Wojnaroski
Hi,

I'm trying to log in to a remote host and have the host export the screen
display back to my machine.

With export DISPLAY=:0.0, the executing program uses the remote host's
display.  Trying

export DISPLAY=my_ip_address:0.0

returns something like "Xlib: client is not authorized to connect to
server", which seems to indicate that something is missing or lacking on
the local machine.  Any suggestions where to look?

Thanks
John W.



[vox-tech] binary equivalence of two directories

2005-03-16 Thread Peter Jay Salzman
What's the quick and dirty way of using md5sum or sha1sum to check the
equivalence of the files residing in two directories?  I suppose I can whip
up a Perl script to traverse the directories, but I'm wondering if there's a
short one liner (or perhaps an already written utility) to do this.

Thanks,
Pete

-- 
Save Star Trek Enterprise from extinction: http://www.saveenterprise.com

GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E  70A9 A3B9 1945 67EA 951D


Re: [vox-tech] binary equivalence of two directories

2005-03-16 Thread Rod Roark
On Wednesday 16 March 2005 10:26 pm, Peter Jay Salzman wrote:
> What's the quick and dirty way of using md5sum or sha1sum to check the
> equivalence of the files residing in two directories?  I suppose I can whip
> up a Perl script to traverse the directories, but I'm wondering if there's a
> short one liner (or perhaps an already written utility) to do this.

How about:

$ diff -r dir1 dir2

-- Rod


Re: [vox-tech] Exporting displays

2005-03-16 Thread Mark K. Kim
On Wed, 16 Mar 2005, John Wojnaroski wrote:
> [snip]
> I'm trying to login into a remote host and have the host export the screen
> display back to my machine
> [snip]
> export DISPLAY=my_ip_address:0.0  returns something like Xlib: client is
> not authorized to connect to server which seems to indicate that something
> is missing or lacking on the local machine.  Any suggestions where to look?
> [snip]

That'll work, except your local computer isn't letting the connection
through for security reasons.  On your *local* computer, type this:

   $ xhost +

*but* this will work only if your local computer is connected directly to
the Internet.

The better way is to use ssh with the -X option to connect to the remote
computer in the first place.  Not only does ssh set up the X forwarding for
you automatically (no need to do export blah blah or xhost blah blah
or be concerned about not being connected directly to the Internet), but
your connection will be secure.  But this works only if the remote
computer has an ssh server with X forwarding enabled, which it is by
default on most systems I've seen.  The drawback is the connection will be
a little slower than it would be on an insecure system, but it shouldn't
be noticeable under most circumstances.

-Mark


-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage


Re: [vox-tech] Exporting displays

2005-03-16 Thread Bryan Richter
Mark K. Kim wrote:
> On Wed, 16 Mar 2005, John Wojnaroski wrote:
> [snip]
> > I'm trying to login into a remote host and have the host export the screen
> > display back to my machine
>
> The better way is to use ssh with the -X option to connect to the remote
> computer in the first place.
> [snip]
> The drawback is the connection will be a little slower than it would be on an
> insecure system, but it shouldn't be noticeable under most circumstances.

I've found the -C option to speed things up when forwarding X stuff with -X. It
was quite noticeable with xpdf, for example.

-Bryan

-- 
Bryan Richter
UCDTT President
UC Davis Undergrad, Physics Dept.
-
A PGP signature is (probably) attached to this email. 
PGP Key ID: BB8E6CCC




Re: [vox-tech] Exporting displays

2005-03-16 Thread Mark K. Kim
On Wed, 16 Mar 2005, Bryan Richter wrote:

> Mark K. Kim wrote:
> > On Wed, 16 Mar 2005, John Wojnaroski wrote:
> > [snip]
> > > I'm trying to login into a remote host and have the host export the screen
> > > display back to my machine
> >
> > The better way is to use ssh with the -X option to connect to the remote
> > computer in the first place.
> > [snip]
> > The drawback is the connection will be a little slower than it would be on
> > an insecure system, but it shouldn't be noticeable under most circumstances.
>
> I've found the -C option to speed things up when forwarding X stuff with -X.
> It was quite noticeable with xpdf, for example.

Nice~!

-Mark


-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage