Hi,

How could I avoid sending a cleartext password through the net when I use http://....../manage? How and where should I configure what? I hope it'd be possible...

I'm a RedHat 7.3, Apache 1.3, Zope FastCGI computer manager. Other things:

- Muuultiple apache virtual hosts
- We have a few https sites.
- Zope is recently installed, but we have decided to use it very seriously.
- People upload their files with FTP... A big security hole.
- With Zope we'd like to authenticate against an LDAP authentication server with passwords in the old crypt encryption.

OK, I already know that there are Zope products to do the "LDAP part", that's not an issue.

I notice that the "natural way" to manage Zope sites is through the '.../manage' interface. I agree that it lets me use any computer all over the world and that's perfect for me, but.... I have doubts about sending cleartext passwords like FTP does.

Regards,
Ing. Ricardo Núñez
Webmaster of the DST, Universidad Simón Bolívar
E-Mail: rinunez@usb.ve
Ricardo Núñez wrote:

> Hi,
>
> How could I avoid sending a cleartext password through the net when I use http://....../manage? How and where should I configure what? I hope it'd be possible...
>
> I'm a RedHat 7.3, Apache 1.3, Zope FastCGI computer manager. Other things:
>
> - Muuultiple apache virtual hosts
> - We have a few https sites.
> - Zope is recently installed, but we have decided to use it very seriously.
> - People upload their files with FTP... A big security hole.
> - With Zope we'd like to authenticate against an LDAP authentication server with passwords in the old crypt encryption.
>
> OK, I already know that there are Zope products to do the "LDAP part", that's not an issue.
>
> I notice that the "natural way" to manage Zope sites is through the '.../manage' interface. I agree that it lets me use any computer all over the world and that's perfect for me, but.... I have doubts about sending cleartext passwords like FTP does.
Do you just want to give the _possibility_ to log in encrypted? That's easy, just do the encryption with apache. Maybe consider using mod_proxy/mod_rewrite instead of FastCGI, and let zope run on another port, get the requests proxied from apache (and shield the zope port to the outside).

To reliably prevent users from sending passwords unencrypted, you'd have to do a bit more, though. Common wisdom seems to be to filter out .*manage.* requests in apache (search the mailing lists for that).

I have a product for that in mind, but it'll take a while before I have time to tackle that.

cheers,
oliver
Oliver Bleutgen wrote:
> Common wisdom seems to be to filter out .*manage.* requests in apache (search the mailing lists for that).

Sadly, if you want 100% coverage, filtering on 'manage' alone won't cut it, thanks to a) management interfaces that don't use manage anywhere in the name, like ZCacheable_*, and b) type coercion done through POST requests, which seems basically impossible to filter out using apache.

Zope will have to be patched or a new product will have to be written to enforce secure management.

--
Jamie Heilman
http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
On Friday 06 June 2003 21:36, Jamie Heilman wrote:
>> Common wisdom seems to be to filter out .*manage.* requests in apache (search the mailing lists for that).
>
> Sadly, if you want 100% coverage, filtering on 'manage' alone won't cut it, thanks to a) management interfaces that don't use manage anywhere in the name, like ZCacheable_*, and b) type coercion done through POST requests, which seems basically impossible to filter out using apache.
>
> Zope will have to be patched or a new product will have to be written to enforce secure management.

There is also the possibility of filtering the authentication field when the HTTP request passes through the reverse proxy. I think that Apache doesn't support this, but using a rewrite rule it is possible to return unauthorized or forbidden if the request contains an authentication header. This shouldn't be a problem (if this level of security is really required), since browsers shouldn't send this header anyway if they haven't received an unauthorized response and the user has entered a username/password.

Vladimir
Vladimir Petrovic wrote:
> On Friday 06 June 2003 21:36, Jamie Heilman wrote:
>>> Common wisdom seems to be to filter out .*manage.* requests in apache (search the mailing lists for that).
>>
>> Sadly, if you want 100% coverage, filtering on 'manage' alone won't cut it, thanks to a) management interfaces that don't use manage anywhere in the name, like ZCacheable_*, and b) type coercion done through POST requests, which seems basically impossible to filter out using apache.
>>
>> Zope will have to be patched or a new product will have to be written to enforce secure management.
>
> There is also the possibility of filtering the authentication field when the HTTP request passes through the reverse proxy.
> I think that Apache doesn't support this, but using a rewrite rule it is possible to return unauthorized or forbidden if the request contains an authentication header. This shouldn't be a problem (if this level of security is really required), since browsers shouldn't send this header anyway if they haven't received an unauthorized response and the user has entered a username/password.

Uhm, but at that moment it's too late, because the username and the password have already traveled the wire in clear text, isn't it?

cheers,
oliver
>> There is also the possibility of filtering the authentication field when the HTTP request passes through the reverse proxy.
>> I think that Apache doesn't support this, but using a rewrite rule it is possible to return unauthorized or forbidden if the request contains an authentication header. This shouldn't be a problem (if this level of security is really required), since browsers shouldn't send this header anyway if they haven't received an unauthorized response and the user has entered a username/password.
>
> Uhm, but at that moment it's too late, because the username and the password have already traveled the wire in clear text, isn't it?
>
> cheers,
> oliver

True, however a combination with the previous method can lead to a rather secure setup. Apache can be configured to have two virtual hosts: www.site.com and https://manage.site.com. The public one disables access to the /manage and /manage_main methods and filters/blocks authentication headers. So:

a) Ordinary management users will never send the password in clear text, since access to /manage and /manage_main is blocked, so they are never going to be asked to do so. (They are not going to use the POST method or something similar that we expect of the "evil" user.)

b) Even if an "evil" user manages to obtain the username/password, he wouldn't be able to do anything through the public site. And the manage site can implement its own restrictions (on source IP or certificate) in the apache config.

Vladimir
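As an added example (not code from the thread, from Zope, or from any of the participants), here is how the two-vhost setup Vladimir describes, combined with Oliver's mod_proxy/mod_rewrite suggestion and Vladimir's earlier Authorization-header rewrite rule, could be written for Apache 1.3. Everything below that is not in the thread is an assumption: Zope listens on 127.0.0.1:8080, a VirtualHostMonster is installed in the Zope root (the usual way to proxy Zope behind Apache so it generates the right URLs), mod_rewrite, mod_proxy and mod_ssl are loaded, the manage vhost has its own address 192.0.2.10 (each Apache 1.3 SSL vhost needs one), the certificate paths are placeholders, and administrators connect from 10.0.0.0/8.

```apache
# Added example config, not part of the original thread.
# Assumptions: Zope on 127.0.0.1:8080 with a VirtualHostMonster in its root,
# mod_rewrite + mod_proxy + mod_ssl loaded, manage vhost on 192.0.2.10,
# admin clients on 10.0.0.0/8, placeholder certificate paths.

# Reverse proxying only; never act as a forward proxy for the Internet.
ProxyRequests Off

NameVirtualHost *:80

# Public site: plain HTTP, no management interface, no credentials accepted.
<VirtualHost *:80>
    ServerName www.site.com
    RewriteEngine On

    # Refuse any request that carries HTTP Basic credentials on the
    # clear-text side. A browser only sends Authorization after a 401
    # challenge, and the rule below keeps the management screens (which
    # would issue that challenge) unreachable here. Even stolen
    # credentials are useless against this vhost.
    RewriteCond %{HTTP:Authorization} !^$
    RewriteRule .* - [F]

    # Refuse the management screens outright: /manage, /manage_main and
    # any path segment starting with "manage". As Jamie notes above, this
    # is not a complete list of Zope's management entry points; it only
    # ensures ordinary admins are never challenged over plain HTTP.
    RewriteRule (^|/)manage - [F,NC]

    # Everything else is proxied to Zope through the VirtualHostMonster so
    # Zope builds URLs for http://www.site.com instead of localhost:8080.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/www.site.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Management site: HTTPS only, restricted by source address.
<VirtualHost 192.0.2.10:443>
    ServerName manage.site.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/manage.site.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/manage.site.com.key

    # Only the admin network may even reach the login prompt.
    <Location />
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Location>

    # Same Zope instance, but URLs are generated for https://manage.site.com.
    RewriteEngine On
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/manage.site.com:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Two things this config cannot do on its own. Zope must listen only on the loopback interface, or port 8080 must be blocked with a host firewall; otherwise anyone can bypass Apache and the whole filter. And the `manage` pattern is a convenience, not a guarantee: Jamie's point stands that Zope has management entry points without that name and that POST requests to ordinary objects reach the same code, which is why the Authorization-header rule, not the path rule, is what makes credentials worthless on the clear-text vhost. To add the certificate restriction Vladimir mentions, set `SSLVerifyClient require` together with `SSLCACertificateFile` in the manage vhost.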
Thank you very very very much.

Ricardo

Message quoted from Oliver Bleutgen <myzope@gmx.net>:
> Do you just want to give the _possibility_ to log in encrypted? That's easy, just do the encryption with apache. Maybe consider using mod_proxy/mod_rewrite instead of FastCGI, and let zope run on another port, get the requests proxied from apache (and shield the zope port to the outside).
>
> To reliably prevent users from sending passwords unencrypted, you'd have to do a bit more, though. Common wisdom seems to be to filter out .*manage.* requests in apache (search the mailing lists for that).
>
> I have a product for that in mind, but it'll take a while before I have time to tackle that.
>
> cheers,
> oliver
Regards,
Ing. Ricardo Núñez
Webmaster of the DST, Universidad Simón Bolívar
E-Mail: rinunez@usb.ve
participants (4)
- Jamie Heilman
- Oliver Bleutgen
- Ricardo Núñez
- Vladimir Petrovic