[Zope] Security doubt
Ricardo Núñez
rinunez@usb.ve
Fri, 6 Jun 2003 17:57:18 -0400
Thank you very very very much.
Ricardo
Message quoted from Oliver Bleutgen <myzope@gmx.net>:
> Ricardo Núñez wrote:
> > Hi,
> >
> > How could I avoid sending a cleartext password through the net when I use a
> > http://....../manage? How and where should I configure what? I hope it'd be
> > possible...
> >
> > I'm a RedHat 7.3, Apache 1.3., Zope FastCGI computer manager. Other things:
> >
> > - Muuultiple apache virtual hosts
> > - We have a few https sites.
> > - Zope is recently installed, but we have decided to use it very seriously.
> > - People upload their files with FTP... A big security hole.
> > - With Zope we'd like to authenticate with an LDAP authentication server with
> > passwords in the old crypt encryption.
> >
> > OK, I already know that there are Zope products to do the "LDAP part", that's
> > not an issue.
> >
> > I notice that the "natural way" to manage Zope sites is through the '.../manage'
> > interface. I agree that it lets me use any computer all over the world and
> > that's perfect for me, but.... I have doubts about sending cleartext passwords
> > like FTP does.
>
> Do you just want to give the _possibility_ to log in encrypted? That's
> easy, just do the encryption with apache. Maybe consider using
> mod_proxy/mod_rewrite instead of FastCGI, and let zope run on another
> port, get the requests proxied from apache (and shield the zope port to
> the outside).
>
> To reliably prevent users from sending passwords unencrypted, you'd have
> to do a bit more, though. Common wisdom seems to be to filter out
> .*manage.* requests in apache (search the mailing lists for that).
>
> I have a product for that in mind, but it'll take a while before I've
> time to tackle that.
>
> cheers,
> oliver
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
>
Regards,
Ing. Ricardo Núñez
Webmaster of the DST
Universidad Simón Bolívar
E-Mail: rinunez@usb.ve
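The setup Oliver sketches (Apache terminating SSL, mod_proxy/mod_rewrite in front of Zope on a private port, and "manage" requests kept off plain HTTP), written out as an added Apache 1.3 configuration example. This is not configuration from either message or from the Zope project; it assumes Zope listens on 127.0.0.1:8080, the site name www.example.org, mod_ssl/mod_proxy/mod_rewrite loaded, and a NameVirtualHost line already present for port 80.

```apache
# Added example, not from the thread. Assumed: Zope bound to 127.0.0.1:8080
# (so the Zope port is never reachable from outside), site www.example.org.

# Never act as a forward proxy; [P] rewrites below only need reverse proxying.
ProxyRequests Off

# Plain HTTP virtual host: ordinary pages are proxied to Zope, but any URL
# containing "manage" is bounced to HTTPS before Zope can issue its 401
# challenge, so the browser never sends Basic-auth credentials in cleartext.
<VirtualHost *:80>
    ServerName www.example.org
    RewriteEngine On

    # Mirror of the "filter out .*manage.* requests" advice: redirect, same path.
    RewriteCond %{REQUEST_URI} manage [NC]
    RewriteRule ^/(.*)$ https://www.example.org/$1 [R=301,L]

    # Everything else goes to Zope. The VirtualHostBase/VirtualHostRoot path is
    # Zope's VirtualHostMonster convention so generated links use the public
    # host name and scheme instead of 127.0.0.1:8080.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/www.example.org:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# HTTPS virtual host: same proxying; the management interface is allowed here
# because the password now travels inside the SSL session. Certificate paths
# are assumed (RedHat 7.3 mod_ssl defaults); change them to your own.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine On
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    RewriteEngine On
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/www.example.org:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

The redirect only protects the first, unauthenticated request; if a user already typed credentials into an http:// URL on some other path, they went out in cleartext, so verify with `tail -f` on the access log that no 401 challenge is ever answered on port 80.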