monit-dev

Re: monit ./gc.c ./monit_http.c ./monitor.h ./p.y ....


From: Christian Hopp
Subject: Re: monit ./gc.c ./monit_http.c ./monitor.h ./p.y ....
Date: Thu, 2 Oct 2003 10:17:21 +0200 (CEST)

On Thu, 2 Oct 2003, Jan-Henrik Haukeland wrote:

> Christian Hopp <address@hidden> writes:

> I haven't looked at the htpasswd implementation, but I assume the
> htpasswd file parsing is meant for reading in user/passwds from a
> htpasswd file used in Apache or in Apache htpasswd format?

Jep... it is a file with just "user:passwd" entries.  While passwd could
be any kind of raw or digest.

> I'm a bit rusty on this but don't passwords in htpasswd often if not
> always get encrypted by crypt(3)?

There is actually no standard.  You have cleartext, md5, md5apache,
crypt(3).  Whatever you like.... but for now I do support cleartext.
Just as a transition point to move to something else.

The problem is, in http basic auth the passwords are actually cleartext
(or base64) so what should we encrypt the passwd for?

> If so, you must encrypt all passwords in monit with this algorithm
> and also encrypt submitted passwords and compare the encrypted
> password strings.

Easy way... we store in one digest format (e.g. user can choose which
one, set pwdigest [crypt|md5|none]) internally and in htpasswd files.
The browser does still transmit cleartext.  So we digest the received
pwd and compare it against our digested pw-db.

The only thing that is left then... how do we deal with the cli
program of monit.  We can send e.g. the digested pw.  Or... the cli
needs a more complicated connection mechanism.

> I know it's a bit late to ask this question, but what exactly is the
> benefit of using an external htpasswd file?

You can use it as a central source for your web service passwords.  It
is easier to maintain them centrally.

CHopp

-- 
Christian Hopp                                email: address@hidden
Institut für Elektrische Informationstechnik             fon: +49-5323-72-2113
TU Clausthal, Leibnizstr. 28, 38678 Clausthal-Zellerf.   fax: +49-5323-72-3197
                             pgpkey: https://www.iei.tu-clausthal.de/pgp-keys/
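
The check described in the message above (keep one digest format in the htpasswd file, digest the cleartext password that arrives over HTTP basic auth, compare against the stored value), as an added example that is not part of the original message or of monit's code. It is written in Python rather than monit's C so that it runs on the standard library alone; the function names, the sample entries and the reading of `md5` as a plain hex MD5 are assumptions, and `crypt` is left out.

```python
import base64
import hashlib
import hmac

# Scheme names follow the proposed "set pwdigest [crypt|md5|none]".
# Assumption: "md5" is a plain hex MD5 of the password, not Apache's $apr1$ format.
DIGESTS = {
    "none": lambda pw: pw,
    "md5": lambda pw: hashlib.md5(pw.encode("utf-8")).hexdigest(),
}

def parse_htpasswd(text):
    """Parse "user:passwd" lines; skip blanks, comments and malformed lines."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if user and stored:
            db[user] = stored
    return db

def decode_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ":"
    return (user, password) if sep else None

def check_auth(header, db, pwdigest):
    """Digest the received cleartext password and compare it to the stored entry."""
    creds = decode_basic(header)
    if creds is None or pwdigest not in DIGESTS:
        return False
    user, password = creds
    received = DIGESTS[pwdigest](password)
    stored = db.get(user, "")  # unknown users still go through the comparison
    ok = hmac.compare_digest(received.encode("utf-8"), stored.encode("utf-8"))
    return ok and user in db

# Constructed sample data: one valid entry, one malformed line, one request header.
SAMPLE_HTPASSWD = "# constructed sample\nadmin:" + DIGESTS["md5"]("s3cret") + "\nbroken-line\n"
SAMPLE_HEADER = "Basic " + base64.b64encode(b"admin:s3cret").decode("ascii")
```

The stored value and the `pwdigest` setting have to agree: the same header that passes with `md5` fails with `none`, because the cleartext is then compared directly against the stored hash.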




