[Zope] Security doubt
Fri, 6 Jun 2003 17:57:18 -0400
Thank you very very very much.
Message quoted from Oliver Bleutgen <email@example.com>:
> Ricardo Núñez wrote:
> > Hi,
> > How could I avoid sending a cleartext password through the net when I use
> > http://....../manage? How and where should I configure what? I hope it'd be
> > possible...
> > I'm a RedHat 7.3, Apache 1.3., Zope FastCGI computer manager. Other
> > - Muuultiple apache virtual hosts
> > - We have a few https sites.
> > - Zope is recently installed, but we have decided to use it very
> > - People upload their files with FTP... A big security hole.
> > - With Zope we'd like to authenticate with an LDAP authentication server
> > passwords in the old crypt encryption.
> > OK, I already know that there are Zope products to do the "LDAP part",
> > not an issue.
> > I notice that the "natural way" to manage Zope sites is through
> > interface. I agree that it lets me use any computer all over the world
> > that's perfect for me, but.... I have doubt with sending cleartext
> > like FTP does.
> Do you just want to give the _possibility_ to log in encrypted? That's
> easy, just do the encryption with apache. Maybe consider using
> mod_proxy/mod_rewrite instead of FastCGI, and let zope run on another
> port, get the requests proxied from apache (and shield the zope port to
> the outside).
> To reliably prevent users from sending passwords unencrypted, you'd have
> to do a bit more, though. Common wisdom seems to be to filter out
> .*manage.* requests in apache (search the mailing lists for that).
> I have a product for that in mind, but it'll take a while before I've
> time to tackle that.
> Zope maillist - Zope@zope.org
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-dev )
Ing. Ricardo Núñez
Webmaster of the DST
Universidad Simón Bolívar
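As an added illustration of the setup Oliver suggests (TLS terminated in Apache, mod_rewrite bouncing any plain-HTTP request that matches "manage" to HTTPS, and mod_proxy forwarding to a Zope port that is only reachable on the loopback interface), here is an Apache configuration sketch; it is not from the thread or from the Zope project. It assumes Apache 2.x with mod_ssl, mod_rewrite and mod_proxy loaded, Zope bound to 127.0.0.1:8080 with a VirtualHostMonster at its root, and placeholder values for the hostname and certificate paths.

```apache
# Plain-HTTP virtual host. A /manage request carries HTTP Basic-auth
# credentials, so nothing matching "manage" is allowed to reach Zope over
# port 80; it is redirected to the same URL on HTTPS first.
<VirtualHost *:80>
    # placeholder hostname
    ServerName www.example.org
    RewriteEngine On
    # Any URL containing "manage" on the unencrypted host -> HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule .*manage.* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Ordinary public pages may still be served over plain HTTP.
    # VirtualHostBase/http/host:80 lets Zope's VirtualHostMonster
    # generate URLs that point back at this Apache host, not at port 8080.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# HTTPS virtual host. TLS is terminated here and the decrypted request is
# proxied to Zope on the loopback interface (assumption: Zope is started
# bound to 127.0.0.1:8080, so the port is not reachable from outside and
# the only path to the management interface is through this vhost).
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine On
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
    RewriteEngine On
    # VirtualHostBase/https/host:443 tells the VirtualHostMonster to emit
    # https:// links, so a management session does not drift back to port 80.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{HTTP_HOST}:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

The redirect only closes the door for browsers that follow it; a client that ignores the 301 still never reaches Zope over port 80 because the rule has the L flag and no proxy rule follows for that request.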