Apache-based passwd authentication of RoR app dir?


#1

Hello,

I would like to be able to use existing entries from /etc/passwd file to
authenticate users before they can access RoR application, run behind
apache on
Debian Linux.

A few questions:

  1. Has anybody used
    AuthUserFile /etc/apache/my_converted_passwd_file

in /etc/apache/httpd.conf
to do this?

  2. Assuming this works as it should, how should I get the username
    information?
    In the Python cgi module that would be os.environ.get('REMOTE_USER').

  3. Where is the proper place in the RoR application directory tree to code
    it (== get username, UID, GID, group_name and then display at the top
    of each accessed page:
    User X, group Y, access privilege regular/superuser)?

Sorry for the rather naive questions, but I am just starting with RoR.
Thanks a lot for your help.

Darek
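Question 1 in concrete form, as an added example that is not code from the thread: on Debian the password hashes are not in /etc/passwd at all but in the root-only /etc/shadow, so "converting" means pairing the two files and emitting htpasswd-style name:hash lines for the accounts that should actually be able to log in. The Ruby script below does that, skipping system accounts, locked accounts and nologin shells. The sample passwd/shadow text, the placeholder hashes, the output path and the www-data group are all constructed assumptions for the example.

```ruby
# Added example (not from the thread): build an Apache AuthUserFile from
# passwd(5)/shadow(5)-format text, keeping only real, unlocked accounts.
# The sample entries at the bottom are constructed for this example.

PASSWD_FIELDS = %w[name password uid gid gecos home shell].freeze
SHADOW_FIELDS = %w[name hash lastchg min max warn inactive expire reserved].freeze

# Parse colon-separated account text into { username => { field => value } }.
# Blank lines, comments and lines with too few fields are ignored.
def parse_colon_file(text, fields)
  text.each_line.with_object({}) do |line, acc|
    line = line.chomp
    next if line.empty? || line.start_with?('#')
    values = line.split(':', -1)          # -1 keeps trailing empty fields
    next if values.length < fields.length
    acc[values[0]] = fields.zip(values).to_h
  end
end

# shadow(5) marks a locked or passwordless account with '!' or '*' (or nothing).
def usable_hash?(hash)
  !(hash.nil? || hash.empty? || hash.start_with?('!', '*'))
end

# Returns [htpasswd_lines, skipped] where skipped maps username => reason.
# min_uid excludes system accounts (Debian gives people UIDs from 1000).
def to_authuserfile(passwd_text, shadow_text, min_uid: 1000)
  passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
  shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
  lines   = []
  skipped = {}
  passwd.each do |name, pw|
    if pw['uid'].to_i < min_uid
      skipped[name] = :system_account
    elsif %w[/usr/sbin/nologin /sbin/nologin /bin/false].include?(pw['shell'])
      skipped[name] = :nologin_shell
    elsif !shadow.key?(name)
      skipped[name] = :no_shadow_entry
    elsif !usable_hash?(shadow[name]['hash'])
      skipped[name] = :locked
    else
      lines << "#{name}:#{shadow[name]['hash']}"
    end
  end
  [lines, skipped]
end

# Write the file so only the owner and the web server's group can read it
# (run as root and chown it root:www-data afterwards; path is hypothetical).
def write_authuserfile(path, lines, mode: 0o640)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, mode) do |f|
    lines.each { |l| f.puts(l) }
  end
  File.chmod(mode, path)   # in case the file already existed with a wider mode
  path
end

# --- constructed sample input (hashes are placeholders, not real hashes) ---
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  darek:x:1000:1000:Darek:/home/darek:/bin/bash
  guest:x:1001:1001:Guest:/home/guest:/bin/bash
  svc:x:1002:1002:Service:/var/svc:/usr/sbin/nologin
PASSWD

SAMPLE_SHADOW = <<~SHADOW
  root:$6$salt$placeholder:18000:0:99999:7:::
  daemon:*:18000:0:99999:7:::
  darek:$6$abc$defgh:18000:0:99999:7:::
  guest:!$6$abc$locked:18000:0:99999:7:::
  svc:$6$x$y:18000:0:99999:7:::
SHADOW

# Runs the conversion on the constructed sample; only 'darek' should survive.
def example_conversion
  to_authuserfile(SAMPLE_PASSWD, SAMPLE_SHADOW)
end

if __FILE__ == $PROGRAM_NAME
  lines, skipped = example_conversion
  puts lines
  skipped.each { |user, why| warn "skipped #{user}: #{why}" }
end
```

The matching httpd.conf block is the standard one: AuthType Basic, AuthName, AuthUserFile /etc/apache/my_converted_passwd_file and Require valid-user inside a <Location> or <Directory> that covers the application. Two checks before relying on it: first, Apache verifies a hash it does not recognise as one of its own htpasswd formats by handing it to the system crypt(3), so confirm with one account that the hash format in your /etc/shadow actually verifies; second, the converted file now carries every real user's shadow hash and is readable by the web server, so keep it outside DocumentRoot, owned root:www-data with mode 0640, and regenerate it whenever accounts are locked or removed. Basic auth also sends the password with every request, so serve the application over HTTPS even on an intranet.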


#2

I would like to be able to use existing entries from /etc/passwd file to
authenticate users before they can access RoR application, run behind
apache on
Debian Linux.

As a rule of thumb, I’d say this is a bad idea, as a malicious party
could use your rails login system to brute force your user’s passwords.
While this could be done with any application, putting your actual UNIX
login passwords on the front line is probably a bad idea.

The question of using /etc/passwd for web-based authentication is
discussed in more detail here:
http://httpd.apache.org/docs/1.3/misc/FAQ.html#passwdauth

I’d recommend fresh passwords for this (or any) application, rather than
using existing passwords, such as those in /etc/passwd.

Hope that helps,

Andy


#3

Andy wrote:

I would like to be able to use existing entries from /etc/passwd file to
authenticate users before they can access RoR application, run behind
apache on
Debian Linux.

As a rule of thumb, I’d say this is a bad idea, as a malicious party
could use your rails login system to brute force your user’s passwords.
While this could be done with any application, putting your actual UNIX
login passwords on the front line is probably a bad idea.

Agreed ;-). I should have mentioned that all this (passwords +
RoR/Apache server) are for a closed Intranet only. Using the existing
usernames/passwd does not open an extra hole and is easier for the
end-users and us (database for RoR will contain links to result files on
Samba server with permissions determined by Intranet-wide
usernames/passwds).

Thanks for your help

Darek
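Questions 2 and 3 of the first post, and the intranet setup described in the last one, as an added example (not code from the thread or from Rails itself): Rails sees Apache's result the same way the Python cgi module does, as REMOTE_USER in the request environment (request.env inside a controller), and Ruby's Etc module answers the UID/GID/group part from the same account database the password file was built from. The Rails controller and layout glue in the comments, the 'sudo' group standing in for "superuser", and the X-Remote-User header name are assumptions made for the example.

```ruby
# Added example (not from the thread): take the REMOTE_USER that Apache's
# Basic auth set, resolve it to UID/GID/group with Etc, and build the banner
# line for the page layout. The Rails glue in comments is illustrative only.
require 'etc'

AccountInfo = Struct.new(:name, :uid, :gid, :group, :superuser, keyword_init: true)

NAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/  # POSIX-style account name; rejects junk

# Pull the authenticated username out of a Rack env hash.
# REMOTE_USER is only trustworthy because Apache set it after enforcing auth.
# If Rails is reached through a reverse proxy instead, Apache has to copy
# REMOTE_USER into a request header and that header's env name (assumed here
# to be 'HTTP_X_REMOTE_USER') is passed as trusted_header; the backend port
# must then be unreachable by clients, or anyone can send that header.
def remote_user_from(env, trusted_header: nil)
  name = env['REMOTE_USER']
  name = env[trusted_header] if trusted_header && (name.nil? || name.empty?)
  return nil if name.nil? || !name.match?(NAME_RE)
  name
end

# Members of a group, or [] when the group does not exist on this host.
def group_members(group_name)
  Etc.getgrnam(group_name).mem
rescue ArgumentError
  []
end

# Look the user up in the local account database (the same source the Apache
# password file was converted from). Superuser means uid 0 or membership in
# superuser_group (assumed 'sudo', Debian's admin group). nil if unknown.
def lookup_account(name, superuser_group: 'sudo')
  pw    = Etc.getpwnam(name)
  group = Etc.getgrgid(pw.gid).name
  admin = pw.uid.zero? || group_members(superuser_group).include?(pw.name)
  AccountInfo.new(name: pw.name, uid: pw.uid, gid: pw.gid, group: group,
                  superuser: admin)
rescue ArgumentError   # Etc.getpwnam raises this for an unknown user
  nil
end

# The line the first post wants at the top of every page.
def banner(info)
  level = info.superuser ? 'superuser' : 'regular'
  "User #{info.name}, group #{info.group}, access privilege #{level}"
end

# nil when the request is unauthenticated or the user is unknown locally,
# so the controller can refuse it instead of rendering a page.
def account_for(env, **opts)
  name = remote_user_from(env)
  name && lookup_account(name, **opts)
end

# Rails glue (illustrative, assumed): app/controllers/application_controller.rb
#   class ApplicationController < ActionController::Base
#     before_action :require_unix_user   # before_filter in Rails 1.x-4.x
#     def require_unix_user
#       @unix_user = account_for(request.env)
#       head :forbidden unless @unix_user
#     end
#   end
# and in app/views/layouts/application.html.erb:
#   <%= banner(@unix_user) %>

if __FILE__ == $PROGRAM_NAME
  # Constructed env, as Apache/CGI would present it for an authenticated request.
  info = account_for({ 'REMOTE_USER' => 'root' })
  puts(info ? banner(info) : 'no authenticated user')
end
```

Where it goes: the lookup belongs in ApplicationController as a before filter, so it runs for every page and an unauthenticated request never reaches an action; banner belongs in a helper the layout calls. One caveat on the proxy case: mod_passenger passes the CGI environment through, so REMOTE_USER arrives as-is, but a ProxyPass setup (Mongrel in the thread's day, Puma now) does not carry it across the proxy boundary. Apache then has to copy it into a request header, and the Rails port must be reachable only from Apache, otherwise any client on the intranet can send that header and pick its own identity.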