[Zope] Security doubt

Oliver Bleutgen myzope@gmx.net
Fri, 06 Jun 2003 16:35:48 +0200


Ricardo Núñez wrote:
> Hi,
> 
> How could I avoid sending a cleartext password through the net when I use a
> http://....../manage? How and where should I configure what? I hope it'd be
> possible...
> 
> I'm a RedHat 7.3, Apache 1.3., Zope FastCGI computer manager. Other things:
> 
> - Muuultiple apache virtual hosts
> - We have a few https sites.
> - Zope is recently installed, but we have decided to use it very seriously.
> - People upload their files with FTP... A big security hole.
> - With Zope we'd like to authenticate with a LDAP authentication server with
> passwords in the old crypt encryption. 
> 
> OK, I already know that there are Zope products to do the "LDAP part", that's
> not an issue.
> 
> I notice that the "natural way" to manage Zope sites is through '.../manage'
> interface. I agree that it lets me use any computer all over the world and
> that's perfect for me, but.... I have doubt with sending cleartext passwords
> like FTP does.

Do you just want to give the _possibility_ to log in encrypted? That's 
easy, just do the encryption with apache. Maybe consider using 
mod_proxy/mod_rewrite instead of FastCGI, and let zope run on another 
port, get the requests proxied from apache (and shield the zope port to 
the outside).

To reliably prevent users from sending passwords unencrypted, you'd have 
to do a bit more, though. Common wisdom seems to be to filter out 
.*manage.* requests in apache (search the mailing lists for that).

I have a product for that in mind, but it'll take a while before I've 
time to tackle that.

cheers,
oliver
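As an added illustration of the setup Oliver sketches (this is not from the original thread or from the Zope project): an Apache 1.3 configuration that terminates HTTPS in Apache, proxies everything to a Zope instance on a separate port with mod_rewrite/mod_proxy, and refuses any request whose URI contains "manage" on the plain-HTTP virtual host, so the Basic-auth header for the management interface can only travel over TLS. The hostname, the certificate paths, Zope listening on 127.0.0.1:8080, and a VirtualHostMonster in the Zope root (needed for the VirtualHostBase rewriting) are assumptions for the example.

```apache
# Added example (assumed names and paths), not configuration from the original post.
# Requires mod_rewrite, mod_proxy and mod_ssl loaded in httpd.conf.

# Never act as a forward proxy; only the explicit [P] rewrites below may proxy.
ProxyRequests Off

# Plain-HTTP side: ordinary site traffic is proxied to Zope, but anything
# touching the management interface is refused before it reaches Zope.
<VirtualHost *:80>
    ServerName www.example.com          # assumed hostname
    RewriteEngine On

    # Block /manage, /manage_main, /some/folder/manage_workspace, ... on HTTP.
    # [F] answers 403 instead of redirecting, so a browser that already holds
    # cached credentials cannot replay them in the clear on this port.
    RewriteCond %{REQUEST_URI} manage [NC]
    RewriteRule .* - [F,L]

    # Everything else goes to Zope on the loopback interface (assumed port 8080).
    # The VirtualHostBase/.../VirtualHostRoot prefix tells Zope's
    # VirtualHostMonster which public URL to generate links against.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# HTTPS side: same proxying, management interface allowed.
<VirtualHost *:443>
    ServerName www.example.com          # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt   # assumed path
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key   # assumed path
    RewriteEngine On

    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Two caveats a practitioner would want: the filter only helps if the Zope port itself is not reachable from outside, so bind Zope to 127.0.0.1 or drop external traffic to it (for example `iptables -A INPUT -p tcp --dport 8080 ! -i lo -j DROP` on the Red Hat box); and the `manage` substring match is deliberately broad, so audit the site for legitimate non-management URLs that happen to contain it before enabling the rule.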