apache authentication via nis
Stephen Adler
adler at stephenadler.com
Thu Aug 17 17:28:27 EDT 2006
I think the deal is to restrict http access to https or ssl. Then the
username password are encrypted.
I'm wondering about the fact that the httpd needs read access to the
/etc/shadow file, thus opening
a security hole. Is this a real problem?
John Abreau wrote:
> Stephen Adler wrote:
>> Thanks Andrew, from what I can tell mod_auth_pam is not an official
>> apache module,
>> but a 3rd party one. am I correct about that? There also seems to be
>> an perl one out there
>> as well. I'm wondering how secure these 3rd party modules are...
>>
>
> mod_auth_pam uses the same authentication as your shell account. That
> means when you use it in an unencrypted HTTP session, you're sending
> your password in clear text.
>
> If you limit use of mod_auth_pam to SSL-encrypted sessions, you
> eliminate this problem.
>
>
More information about the Discuss
mailing list