apache authentication via nis
john.abreau at zuken.com
Thu Aug 17 18:16:43 EDT 2006
Stephen Adler wrote:
> I think the deal is to restrict http access to https or ssl. Then the
> username password are encrypted.
> I'm wondering about the fact that the httpd needs read access to the
> /etc/shadow file, thus opening
> a security hole. Is this a real problem?
No, httpd does not need access to /etc/shadow. It just calls libpam.so,
which already handles the system-level authentication.
At the server end, mod_auth_pam is as secure as the rest your system
authentication. The risks of using mod_auth_am are at the browser end.
238 Littleton Rd., Suite 100
Westford, MA 01886
T: 978-392-1777 F: 978-692-4725
E: John.Abreau at zuken.com W: www.zuken.com
More information about the Discuss