Re: CGI/1.0: last call

Rob McCool (robm@ncsa.uiuc.edu)
Sun, 5 Dec 1993 17:08:05 -0600


/*
* Re: CGI/1.0: last call by ts (decoux@moulon.inra.fr)
* written on Dec 5, 1:40pm.
*
* > No. Password should be kept inside the server for security reasons.
* > The environment variable REMOTE_USER is only defined if user has
* > successfully authenticated himself. This should be enough.
*
* I *need* a password to open an Oracle database, I don't want to write
* a cracker to retrieve it from password file.
*
* username:password can be send in stdin.
*/

The problem is that the username:password style doesn't work with future PEM
and Kerberos based authentication schemes.

I don't know if I agree with Ari's security objection, but making the
unencrypted passwords places a large amount of trust between script writers
and system administrators (not necessarily in your case, but in general when
scripts are commonly available software). This is really the only reason I
can see for not making the password available to the script. Have I missed
something?

I would ask that you reconsider how you are planning to do this, perhaps you
should maintain your own simple password file and grab the user's Oracle
password from this file. This way, people do not have their Oracle passwords
sent across the net, only their HTTP passwords, and in the future, only an
encrypted request. The drawback is that you have to maintain two password
files.

If this is completely unacceptable, or I have missed something, please let
me know. I'll consider making the Authorization: line available to the
script, but I am objected to it.

--Rob