[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Google
  Web www.spinics.net

Re: Apache PAM Auth module



Heiko Hund wrote:
Hi,

On Monday 31 March 2008 20:42:05 Kenneth Geisshirt wrote:
The reason for my interest is that I (and a group of friends) have a
subversion repositories with HTTP access. It seems like a good idea to
use PAM as part of the .htaccess file.

have you considered using mod_auth(nz)_external or mod_auth(n)_sasl for this task? The main concern I had using mod_auth_pam in httpd was that it does not work with shadow passwords unless you grant httpd access to /etc/shadow. I think that's a bad idea.

With the modules mentioned above you can use PAM as well, but the actual authentication is done after an indirection and takes place outside of the httpd process. Of course you need some other elevated entity to access /etc/shadow then. In case of mod_auth(nz)_external that is a suid-root binary (pwauth). In case of mod_auth(n)_sasl it is saslauthd, which you might already be using if you host secure SMTP, IMAP or LDAP on the box.

I can't find much documentation on how to glue these together but it does sound like it would work for my situation if the performance hit from an external process to authenticate every page isn't too bad.

Is there an example of the configuration needed for web authentication with no account info somewhere? I'm using Centos and am fairly sure the smtp and imap authentication already tracks the system PAM configuration so the sasl/pam setup is probably already there.

--
  Les Mikesell
   lesmikesell@xxxxxxxxx

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

Add to Google Powered by Linux