Forum: Ruby on Rails apache-based passwd authentication of RoR app dir?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Darek K. (Guest)
on 2005-11-18 08:04
Hello,

I would like to be able to use existing entries from /etc/passwd file to
authenticate users before they can access RoR application, run behind
apache on
Debian Linux.

A few questions:
1) did anybody use
AuthUserFile /etc/apache/my_converted_passwd_file

in /etc/apache/httpd.conf
to do this?

2) assuming this works as it should, how should I get username
information?
In the python/cgi module that would be os.environ.get('REMOTE_USER')

3) where is the proper place in the RoR application directory tree to code
it (== get username, UID, GID, group_name and then display at the top
of each accessed page:
User X, group Y, access privilege regular/superuser)

Sorry for rather naive questions but I am just starting with RoR.
Thanks a lot for your help.

Darek
andy (Guest)
on 2005-11-18 10:09
(Received via mailing list)
> I would like to be able to use existing entries from /etc/passwd file to
> authenticate users before they can access RoR application, run behind
> apache on
> Debian Linux.

As a rule of thumb, I'd say this is a bad idea, as a malicious party
could use your rails login system to brute force your user's passwords.
While this could be done with any application, putting your actual UNIX
login passwords on the front line is probably a bad idea.

Why using /etc/passwd for web-based authentication is a bad idea is
discussed in more detail here:
http://httpd.apache.org/docs/1.3/misc/FAQ.html#passwdauth

I'd recommend fresh passwords for this (or any) application, rather than
using existing passwords, such as those in /etc/passwd.

Hope that helps,

Andy
Darek K. (Guest)
on 2005-11-18 10:29
andy wrote:
>> I would like to be able to use existing entries from /etc/passwd file to
>> authenticate users before they can access RoR application, run behind
>> apache on
>> Debian Linux.
>
> As a rule of thumb, I'd say this is a bad idea, as a malicious party
> could use your rails login system to brute force your user's passwords.
> While this could be done with any application, putting your actual UNIX
> login passwords on the front line is probably a bad idea.

Agreed ;-). I should have mentioned that all this (passwords +
RoR/Apache server) is for a closed Intranet only. Using the existing
usernames/passwds does not open an extra hole and is easier for the
end-users and us (the database for RoR will contain links to result files on
a Samba server with permissions determined by Intranet-wide
usernames/passwds).

Thanks for your help

Darek