Re: [htdig] Indexing Restricted Pages


Subject: Re: [htdig] Indexing Restricted Pages
From: Douglas Kline (kline@head-cfa.harvard.edu)
Date: Thu Dec 21 2000 - 12:31:32 PST


Thanks to all for your responses.

> At 7:39 PM -0500 12/20/00, Douglas Kline wrote:
> >Thanks for your suggestion. Is is possible to use an .htaccess file to
> >restrict access by username?

So is it then not possible to use the .htaccess file to permit access to the
Web pages without username and password by just the htdig process or just one
username's processes while still requiring username and password for all other
accesses?

> Well, this is the point of authentication methods. You could
> certainly make a username/password pair for htdig alone.

Do you specify a different Web username and password combination for htdig to
use from what other processes use? How does one do that? Can this be set up
in the .htaccess file?

> Or, as Dave
> Salisbury mentioned, you could allow access from one particular
> machine--assuming of course that you have a dedicated indexing
> machine or you're running it on the server itself. I believe you can
> do combinations of both of these restrictions too.

This is hardly optimal for us but may be the best we can do if the other
possibilities don't work out.

> You say "but the only thing protecting the password is file
> permissions" for the authorization and -u flag to htdig. True, but...
>
> I'd guess that if making the config file owned by root isn't good
> enough, other passwords on your system are vulnerable. (e.g. cracking
> the .htaccess passwords by brute force isn't bad if you have the
> crypt readable in front of you.)

A valid point. There's the issue thought that in our installation the htdig
files are intended to be owned by a non-root username and that users of that
username will be able to modify htdig files. However password security for
root may be no better than for other usernames. There's also the issue of
updating the file with the username and password when they change. But that's
not a major problem. There is here a great concern about security and we are
very careful about such things as passwords. Unless one of the ideas written
above pans out, however, we may have to resort to something like that.

Douglas Kline

========
Douglas Kline
kline@head-cfa.harvard.edu

------------------------------------
To unsubscribe from the htdig mailing list, send a message to
htdig-unsubscribe@htdig.org
You will receive a message to confirm this.
List archives: <http://www.htdig.org/mail/menu.html>
FAQ: <http://www.htdig.org/FAQ.html>



This archive was generated by hypermail 2b28 : Thu Dec 21 2000 - 12:42:08 PST