Ricardo Núñez wrote:
Hi,
How could I avoid sending a cleartext password through the net when I use an http://....../manage URL? How and where should I configure what? I hope it'd be possible...
I manage a RedHat 7.3, Apache 1.3, Zope FastCGI computer. Other things:
- Muuultiple apache virtual hosts
- We have a few https sites.
- Zope is recently installed, but we have decided to use it very seriously.
- People upload their files with FTP... A big security hole.
- With Zope we'd like to authenticate against an LDAP authentication server with passwords in the old crypt encryption.
OK, I already know that there are Zope products to do the "LDAP part", that's not an issue.
I notice that the "natural way" to manage Zope sites is through the '.../manage' interface. I agree that it lets me use any computer all over the world and that's perfect for me, but.... I have doubts about sending cleartext passwords like FTP does.
Do you just want to give the _possibility_ to log in encrypted? That's easy, just do the encryption with apache. Maybe consider using mod_proxy/mod_rewrite instead of FastCGI, and let zope run on another port, get the requests proxied from apache (and shield the zope port to the outside).

To reliably prevent users from sending passwords unencrypted, you'd have to do a bit more, though. Common wisdom seems to be to filter out .*manage.* requests in apache (search the mailing lists for that). I have a product for that in mind, but it'll take a while before I've time to tackle that.

cheers,
oliver
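The setup Oliver sketches (Apache in front via mod_rewrite/mod_proxy, Zope on a shielded internal port, .*manage.* requests kept off plain HTTP), written out as an Apache 1.3 configuration. This is an added example, not a configuration from the thread or from Zope; the hostname, the certificate paths and Zope listening on 127.0.0.1:8080 are assumptions.

```apache
# Added example, not from the thread. Assumes Zope listens only on
# 127.0.0.1:8080 (so the port is not reachable from outside) and that
# mod_rewrite, mod_proxy and mod_ssl are loaded.

<VirtualHost *:80>
    ServerName www.example.org          # assumed hostname

    RewriteEngine On
    # The ZMI is reached through ".../manage" URLs and uses HTTP Basic
    # auth, so a request for it on port 80 would carry the password in
    # the clear. Redirect it to HTTPS before it is ever proxied to Zope.
    # Replace "[R=301,L]" with "[F,L]" to reject (403) instead of redirect,
    # which is the "filter out .*manage.*" variant from the mailing lists.
    # Note: this pattern also matches unrelated paths containing "manage".
    RewriteRule ^(.*manage.*)$ https://%{SERVER_NAME}$1 [R=301,L]

    # Everything else is proxied to Zope on the internal port.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org          # assumed hostname
    SSLEngine On
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt   # assumed path
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key   # assumed path

    RewriteEngine On
    # Over TLS the credentials are protected in transit; proxy straight
    # through to Zope.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>
```

Any other Zope object that prompts for Basic auth over port 80 still sends the password in the clear, so the redirect only covers the management interface; a full fix is to serve every protected URL from the HTTPS vhost.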