apache authentication via nis

Tom Metro blu at vl.com
Sat Aug 19 14:31:54 EDT 2006


Stephen Adler wrote:
> ...from what I can tell mod_auth_pam is not an official apache
> module, but a 3rd party one.
> I'm wondering how secure these 3rd party modules are...
...
> I think the deal is to restrict http access to https or ssl. Then the 
> username password are encrypted.

It should be noted that one of the reasons why it generally isn't 
recommended to use something like mod_auth_pam authentication, even with 
SSL, is that unlike sshd and other shell login mechanisms, there is no 
limit on the speed or quantity of login attempts (unless they've fixed 
this in recent years), which can leave your machine vulnerable to brute 
force attacks, or even with strong passwords, the denial-of-service side 
effects of such attacks.

If access to the web server isn't inherently limited to a LAN, you 
should consider limiting access (via Apache or a software or hardware 
firewall) to a specific network or set of IPs.

  -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
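
Added example, not part of the original message or of any Apache module: since the web server itself applies no limit to login attempts, one way to notice a brute-force run is to count failed Basic-auth responses (status 401 with a username supplied) per client in the access log over a sliding window. The log lines, addresses, usernames, paths and thresholds below are constructed for illustration, and the common/combined log format is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def flag_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {client: peak number of failed logins seen inside any window}
    for clients that exceeded max_failures."""
    recent = defaultdict(deque)  # client -> timestamps of recent failures
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, stamp, status = m.groups()
        # A 401 with user "-" is only the initial challenge sent to a browser
        # that has not offered credentials yet; it is not a failed guess.
        if status != "401" or user == "-":
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks

# Constructed sample: one client guessing every 2 seconds, one normal user.
SAMPLE = [
    '203.0.113.7 - root [19/Aug/2006:14:31:%02d -0400] "GET /private/ HTTP/1.1" 401 401'
    % (2 * i) for i in range(8)
] + [
    '198.51.100.20 - - [19/Aug/2006:14:32:00 -0400] "GET /private/ HTTP/1.1" 401 401',
    '198.51.100.20 - bob [19/Aug/2006:14:32:05 -0400] "GET /private/ HTTP/1.1" 401 401',
    '198.51.100.20 - bob [19/Aug/2006:14:32:09 -0400] "GET /private/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, count in flag_bruteforce(SAMPLE).items():
        print(f"{client}: {count} failed logins within 60s")
```

Flagged clients can then be fed to the Apache or firewall access restriction suggested above.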


