Weaver
Posted: Tue Oct 12, 2004 9:41 pm

A writeup I did not too long ago for some folks. A short tutorial on password protecting areas of a site with .htaccess and .htpasswd files.

http://weavervsworld.com/docs/other/passprotect.html

-Weaver
 
Dj_baby
Posted: Wed Oct 13, 2004 12:01 am

I think there are going to be noobs who would ask how to get on it, I mean
how they can type, and where they can do that:
"htpasswd -c"

the program that they can use for doing that.
My favorite program is PuTTY,
if you know what I mean.


Greets, Dj_baby
 
sceaser
Posted: Thu Feb 23, 2006 1:38 am

Just remember this is not secure: anyone with some type of sniffer can read this data as it is sent over the network. Just like FTP without encryption, you're asking for trouble for sensitive documents.
 
Weaver
Posted: Thu Feb 23, 2006 1:48 am

sceaser wrote:
Just remember this is not secure: anyone with some type of sniffer can read this data as it is sent over the network. Just like FTP without encryption, you're asking for trouble for sensitive documents.


Not just anyone. They would have to be between your machine and the target server in the case of a network sniffer.

Overall it is weak and dangerous compared to other systems available. However, if you utilize HTTPS (SSL/TLS) you are fine.

-Weaver
 
imnuts
Posted: Thu Feb 23, 2006 1:59 am

I found a little better (IMO) way of doing the same basic thing. Instead of creating a .htaccess file in the folder, I add the directory protection to the httpd.conf file so that I know people can't download the .htaccess file. Although Apache isn't supposed to let them anyway, it makes me feel a little better. From what I've read on it, Digest instead of Basic should be slightly more secure as I think that encodes the transmitted info, but isn't as compatible with stuff.
 
Weaver
Posted: Thu Feb 23, 2006 10:15 am

imnuts wrote:
I found a little better (IMO) way of doing the same basic thing. Instead of creating a .htaccess file in the folder, I add the directory protection to the httpd.conf file so that I know people can't download the .htaccess file. Although Apache isn't supposed to let them anyway, it makes me feel a little better. From what I've read on it, Digest instead of Basic should be slightly more secure as I think that encodes the transmitted info, but isn't as compatible with stuff.


The httpd.conf is how I would recommend doing it if you are one of the only users. However, if you have multiple users utilizing your Apache server, it can get to be a pain in the neck and thus .htaccess files are nice.

Generally Apache is set up to disallow ^.ht* files from being downloaded. If yours isn't, somebody (including myself) would be glad to show you.

Digest authentication is better than Basic, but isn't well supported, rather it is obscure. Digest uses MD5 hashes whereas Basic just base64 encodes the password.

-Weaver
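
Added example (not part of the original thread or of Apache's code): the Basic versus Digest difference discussed above, showing what an on-path observer recovers from each scheme. The sample values are the published examples from RFC 7617 and RFC 2617; the function names are illustrative.

```python
import base64
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def decode_basic(authorization: str) -> tuple:
    """Recover (user, password) from a captured 'Basic <base64>' header value."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def htdigest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password), the value an htdigest file stores."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' field for qop=auth; the password itself is never sent."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(stored_ha1: str, method: str, fields: dict) -> bool:
    """Server-side check: recompute from the stored HA1, compare in constant time."""
    expected = digest_response(stored_ha1, method, fields["uri"],
                               fields["nonce"], fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])

# Sample values: the worked examples published in RFC 7617 and RFC 2617.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
DIGEST_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",  # issued by the server
    "nc": "00000001",
    "cnonce": "0a4f113b",                           # chosen by the client
}
STORED_HA1 = htdigest_ha1(USER, REALM, PASSWORD)
DIGEST_FIELDS["response"] = digest_response(
    STORED_HA1, "GET", DIGEST_FIELDS["uri"], DIGEST_FIELDS["nonce"],
    DIGEST_FIELDS["nc"], DIGEST_FIELDS["cnonce"])

if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(BASIC_HEADER))
    print("Digest fields on the wire:", DIGEST_FIELDS)
    print("Server accepts:", server_accepts(STORED_HA1, "GET", DIGEST_FIELDS))
```

The captured Digest fields still let an observer test password guesses offline, so the HTTPS advice given earlier in the thread applies to both schemes.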
 
sceaser
Posted: Sun Feb 26, 2006 5:41 pm

Yes, very correct, the sniffer would have to be localish, and yes, SSL is a good way to encrypt the pass info for an unencrypted htaccess file.
I have just done that very thing on my site for a few security tools.
 