Inside/outside users and identification (re Emory)

Chris Howard choward at iastate.edu
Fri Apr 5 15:53:35 EST 1996


Marc Salomon Wrote:

> The existing standardized authentication schemes are incapable of handling
> existing user ID databases with any degree of security, so it is impossible to
> reuse a unix /etc/passwd database over the web at this time (differing crypt
> programs abound).  Further, there is no provision in the cgi specification for
> programmatic handling of authentication although the modular servers can easily
> handle this kind of intervention.[1]

We've been looking into tapping into the centralized authentication
of our campus network - kerberos - to authenticate local users
in a web context.  So far I have found out that it can be done,
and that the further issue of passing the login/password in cleartext
between the user's browser and the web server will cause a stir
with the more security-minded folks in charge of the campus network.

It is possible to use the security features of Netscape Commerce
server or Apache with SSL (secure socket layer) to get the user's
login/password in a secure manner.  

I've followed it far enough to see how it can be done, but I haven't
completed the task, yet.  So we are controlling access by IP subnet,
and those legitimate users coming in through the local ISP are
unable to get to some of our information.
--
Chris Howard    choward at iastate.edu    (515) 294-6521
Iowa State University Library -- Automated Systems Division
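[Editor's note, not part of the original message: the two mechanisms Chris describes, a login/password carried in the clear between browser and server, and access control by IP subnet that shuts out legitimate users arriving through an ISP, can both be made concrete in a few lines. The Python below is an added illustration, not code from the poster or from Web4lib. The request, the user name "choward:hello123", and the address ranges are constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for a campus subnet and a local ISP respectively.]

```python
import base64
import ipaddress

# Constructed sample: what a browser sends for HTTP Basic authentication over
# plain (non-SSL) HTTP. Everyone on the network path sees exactly these bytes.
CAPTURED_REQUEST = (
    "GET /restricted/catalog HTTP/1.0\r\n"
    "Host: www.lib.example.edu\r\n"
    "Authorization: Basic Y2hvd2FyZDpoZWxsbzEyMw==\r\n"
    "\r\n"
)


def recover_basic_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, exactly as a
    passive observer of a cleartext connection could. Basic auth is base64
    encoding, not encryption: no key is needed to undo it. SSL between the
    browser and the server is what keeps this header out of a sniffer's view.
    Returns None when the request carries no Basic credentials."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic" and token:
                decoded = base64.b64decode(token).decode("utf-8")
                user, _, password = decoded.partition(":")
                return user, password
    return None


# Hypothetical "local" subnets the server trusts without asking for a
# password (constructed; a real deployment would list its own campus ranges).
CAMPUS_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]


def subnet_allows(client_ip, allowed=CAMPUS_SUBNETS):
    """IP-subnet access control as described in the post: admit a client only
    when its source address falls inside one of the trusted networks. A campus
    user dialled in through a local ISP (here 198.51.100.0/24) is refused even
    though they are entitled to the material, which is the drawback the post
    notes."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    print("sniffer recovers:", recover_basic_credentials(CAPTURED_REQUEST))
    for ip in ("192.0.2.17", "198.51.100.5"):
        verdict = "allowed" if subnet_allows(ip) else "denied"
        print(f"{ip}: {verdict}")
```

Running it shows the user name and password falling straight out of the captured header, and the ISP address being denied while the campus address is admitted; moving the password prompt behind SSL fixes the first problem, and replacing the subnet rule with real authentication (Kerberos or otherwise) is what fixes the second.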

