Cover V05, I02

feb96.tar


Sidebar: Security

WWW server/browser technology allows custom GUI-based sys admin tools with a minimum of coding. A sys admin can contact the UNIX host using a WWW browser that supports authentication, running on practically any computer/OS! Of course, this flexibility introduces a security concern. You don't want just anyone with a WWW browser to access your HTML system administration scripts. Limits also must be placed on the incoming data the scripts accept; otherwise a clever hacker could simply duplicate the front-end GUI and post his or her own data. The CGI program must therefore validate every field it receives on the server side, rather than trust the form that was supposed to generate it.

The NCSA httpd supports user, group, and IP address/domain authentication. These mechanisms provide a security level comparable to root login over a standard TCP/IP telnet connection. Let me clarify that. There are three major types of security breach when using a WWW server/client. First, an intruder might "listen" to the connection and glean the access password. Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so a packet sniffer reads them as easily as it reads a telnet password. Second, an intruder might copy or substitute the HTML source as it is delivered between server and client. If intruders can do either of these, they can just as easily grab your root password as it is delivered across the wire to a remote UNIX box. Commercial servers, such as Netscape's, use an encryption layer that keeps casual IP packet snoopers from viewing sensitive information. Finally, an intruder can use holes in the server's own security to access these administration scripts, or the system itself.

Think about how often you telnet to a machine to do administrative tasks. Are you on a trusted network? If so, the basic authentication mechanisms supported by the free WWW servers will suffice. If you are security conscious and never use telnet, consider investing in a server that encrypts the data it sends across the network.

For this article, I will use user authentication. Here are step-by-step instructions for setting up access authentication to the La Tool CGI binary.

1. Create a protected directory for admin tools. I did this in my home directory and called it Dadmintool. Make certain that the userid the httpd runs under has read and execute privileges for this directory; my httpd runs with the id set to "nobody." Keep the directory writable only by you, so that the server cannot be used to plant or alter a script there.

2. Inform the httpd server that this directory contains CGI scripts. For NCSA httpd v1.3, you would go to the configuration file subdirectory for your server, edit the srm.conf file, and make an alias reference to your just-created CGI subdirectory. Here is my entry:

"ScriptAlias /admin/ /home/ccb8m/Dadmintool".

3. Create a .htaccess file in the CGI subdirectory. The .htaccess file describes the authorization requirements for La Tool or any other admin script in this subdirectory. The server honors a per-directory .htaccess only if the access.conf entry covering that part of the tree allows overrides (AllowOverride All, or at least AuthConfig and Limit); if it does not, the file is silently ignored and the scripts stay open. This is La Tool's .htaccess file:

AuthUserFile /home/ccb8m/Dadmintool/.htpasswd
AuthGroupFile /dev/null
AuthName UNIX AdminTool
AuthType Basic

<Limit GET POST>
require user sys
</Limit>

4. Create a .htpasswd file. This file looks very similar to /etc/passwd but contains only a login name and the encrypted password, so you can grant or deny access to the scripts independently of who has a valid UNIX login account. It must be readable by the httpd's userid but writable only by you. AuthUserFile takes a full path, so the file does not have to live in the CGI subdirectory; keeping it outside any directory the server maps is the safer choice. To create the file you need the htpasswd command, supplied in the "support" subdirectory of the httpd 1.3 source release. To create a htpasswd file called .htpasswd containing the user "sys," type the following:

htpasswd -c .htpasswd sys

You will be prompted for the new password and asked to verify it. Run htpasswd in the directory named by the AuthUserFile line of .htaccess (or give that path on the command line); the two must agree, or every request will be refused. Note that -c creates a new file, overwriting any existing one; leave it off when adding further users to a file that already exists.
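The exchange these four steps set up, traced end to end as an added example (written for this edit; it is not code from the article, from La Tool or from NCSA httpd). It parses the .htaccess above, issues the 401 challenge, builds the browser's reply and shows what a listener on the wire recovers from that reply, which is the point made earlier about Basic authentication being no stronger than telnet. The `password_ok` hook standing in for httpd's crypt(3) comparison against .htpasswd, and the plaintext `store` it consults, are assumptions for the demonstration only.

```python
import base64

# Constructed input: the .htaccess from step 3 of the sidebar, reproduced verbatim.
HTACCESS = """\
AuthUserFile /home/ccb8m/Dadmintool/.htpasswd
AuthGroupFile /dev/null
AuthName UNIX AdminTool
AuthType Basic

<Limit GET POST>
require user sys
</Limit>
"""


def parse_htaccess(text):
    """Extract the pieces of an NCSA-style .htaccess that Basic auth needs.

    Only the directives the sidebar uses are understood (assumption: a single
    <Limit> block, 'require user' only, no group file).
    """
    conf = {"realm": None, "type": None, "userfile": None,
            "users": set(), "methods": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AuthUserFile "):
            conf["userfile"] = line.split(None, 1)[1]
        elif line.startswith("AuthName "):
            conf["realm"] = line.split(None, 1)[1]   # rest of line, spaces included
        elif line.startswith("AuthType "):
            conf["type"] = line.split(None, 1)[1]
        elif line.startswith("<Limit "):
            conf["methods"].update(line[len("<Limit "):].rstrip(">").split())
        elif line.startswith("require user "):
            conf["users"].update(line.split()[2:])
    return conf


def challenge(conf):
    """The 401 the server returns until valid credentials arrive."""
    return ("HTTP/1.0 401 Unauthorized\r\n"
            'WWW-Authenticate: Basic realm="%s"\r\n\r\n' % conf["realm"])


def authorization_value(user, password):
    """What the browser puts after 'Authorization:' on its retry: base64, not encryption."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def decode_basic(value):
    """What anyone holding the header (the server, or a sniffer on the wire) gets out of it."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    # partition on the first ':' only, so a password containing ':' survives
    user, _, password = base64.b64decode(token.strip()).decode().partition(":")
    return user, password


def authorize(conf, method, headers, password_ok):
    """Server-side decision for one request: (allowed, response_to_send_if_refused).

    `password_ok(user, password)` is a hypothetical hook standing in for the crypt(3)
    comparison httpd makes against AuthUserFile; NCSA httpd is not structured this way.
    """
    if method not in conf["methods"]:
        return True, None   # modelling the <Limit GET POST> directive literally
    value = headers.get("Authorization")
    if not value:
        return False, challenge(conf)
    try:
        user, password = decode_basic(value)
    except (ValueError, UnicodeDecodeError):
        return False, challenge(conf)
    if user not in conf["users"]:   # 'require user sys': other names are refused even with a good password
        return False, challenge(conf)
    if not password_ok(user, password):
        return False, challenge(conf)
    return True, None


if __name__ == "__main__":
    conf = parse_htaccess(HTACCESS)
    # Constructed stand-in for .htpasswd; the real file holds crypt(3) hashes, not plaintext.
    store = {"sys": "example-only"}
    ok = lambda u, p: store.get(u) == p

    allowed, reply = authorize(conf, "POST", {}, ok)
    print(reply)                                  # 401 carrying realm "UNIX AdminTool"
    value = authorization_value("sys", "example-only")
    print("browser resends with  Authorization:", value)
    print("a sniffer on the wire recovers", decode_basic(value))
    allowed, _ = authorize(conf, "POST", {"Authorization": value}, ok)
    print("server decision:", "allowed" if allowed else "refused")
```

Running it prints the challenge, the header the browser sends back, and the user name and password a passive listener recovers from that header with one base64 decode; the server's decision is "allowed" only for the name listed in the require line with the matching password.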