Denis Feklushkin <denis.feklush...@gmail.com> writes:
> Russ Allbery <r...@debian.org> wrote:

>> There are a couple of problems with this, unfortunately. One is that
>> the Kerberos libraries don't provide you any easy way to do this, so
>> mod_auth_kerb would have to invent a custom encoding format for the
>> credential cache, which would then also have to be implemented in any
>> code that wants to receive the credentials.

> In my case the credential file content will be transferred to
> another program on other host, and there will be saved to file.

I'm afraid that doesn't help. You would still have to define a custom
encoding format and add a decoder to the CGI script.

>> More seriously, environment variables aren't horribly well-protected
>> against various snooping attacks either and don't really solve your
>> security problem. It's only a little bit harder to steal environment
>> variables from other processes running as the same user. (They're
>> visible in /proc, for instance.)

> What about sending credential by HTTP headers (script's stdin)? This is
> possible even in theory?

I suppose it's theoretically possible, but having an Apache module edit
the form content on a submission to a CGI script is pretty tricky
territory with a lot of potentially nasty side effects. I'd hate to have
to write that code, and I'm not sure there are any modules out there doing
something like that.

> Anyway this is a hack. Credential must be stored on the user's machine
> and not somewhere on the Web server between the user and the service:)

Yeah, but it's hard to avoid multi-tier applications, and there are
security advantages to having the front tier authenticate to the back tier
using the user's credentials rather than special application credentials.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
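
The remark above that environment variables are visible in /proc to other processes of the same user, as an added example that is not part of the original message: a Linux-only audit listing which processes readable by the current UID carry credential-like variables. The name patterns and the `DEMO_KRB5_CRED_BLOB` variable are constructed for illustration and are not something mod_auth_kerb sets.

```python
import os
import re
import subprocess
import sys

# Name patterns are an assumption for this example; tune them per site.
SENSITIVE = re.compile(r"KRB5|CRED|PASSW|SECRET|TOKEN", re.I)

def parse_environ(raw):
    """Decode the NUL-separated NAME=value records of /proc/<pid>/environ."""
    env = {}
    for rec in raw.split(b"\0"):
        name, sep, value = rec.partition(b"=")
        if sep and name:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env

def sensitive_names(env):
    """Names (never values) of variables that look like credentials."""
    return sorted(n for n in env if SENSITIVE.search(n))

def audit_same_uid(proc="/proc"):
    """Map pid -> credential-like variable names for each readable process."""
    findings = {}
    entries = os.listdir(proc) if os.path.isdir(proc) else []
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "environ"), "rb") as fh:
                names = sensitive_names(parse_environ(fh.read()))
        except OSError:  # another user's process, or it already exited
            continue
        if names:
            findings[int(entry)] = names
    return findings

def demo():
    """Start a child holding a constructed variable, then audit for it."""
    env = dict(os.environ, DEMO_KRB5_CRED_BLOB="constructed-not-a-ticket")
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"], env=env)
    try:
        return audit_same_uid().get(child.pid, [])
    finally:
        child.kill()
        child.wait()

if __name__ == "__main__":
    print(demo())
```

Run as the web server's user, the audit shows what any other process under that UID could read; files under /proc owned by other users raise a permission error and are skipped.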