[H-GEN] Authentication with Apache

Ben Fowler b1.fowler at student.qut.edu.au
Fri Apr 16 02:52:48 EDT 1999


(Note reply-to: being general at humbug.org.au vs Ben Fowler <b1.fowler at student.qut.edu.au>)

Hi Josh and list,

On Fri, 16 Apr 1999, Marshall, Joshua wrote:

> I've been looking at the .htaccess files which restrict access to
> various directories in Apache with a user/password combination.  It uses
> a file with the user's name and an encrypted password in it.  I'm
> wanting to know if there's any way to use PAM to authenticate the users
> so that if one of our users changes his account password then the web
> page password will change also.

A minor point: if what you want to do is authenticate against a machine
that has a bunch of user accounts, letting Apache do this might not be a
crash hot idea...

As far as I know, HTTP/Apache/whatever has no mechanisms for controlling
the number of retries for failed authentication, and there are no
meaningful mechanisms in place to prevent crackers from possibly writing a
script to remotely crack passwords over your network via a web form.  Real
user accounts can be compromised in this way.

Thus, you might want to take this issue into account when setting up
Apache to do this, especially if security is going to be an issue at your
site - IIRC the Apache manual contains a warning to this effect.

Hope this helps in some minor way... ;-)

- warmest regards,

Ben.

--
 Ben Fowler, 2nd yr. BInfTech(CompSci,DataCommunications), QUT
   EMAIL:     ben.fowler at humbug.org.au  b1.fowler at student.qut.edu.au 
   WEB PAGE:  http://azure.humbug.org.au/~zuul/ 

 "I used to be disgusted; now I try to be amused." -- Elvis Costello
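
An added example, not part of the original post: since the server itself does not cap retries, one way to notice repeated password guessing is to count 401 responses per client in the Apache access log. It assumes Common Log Format; the threshold, the window and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, made-up user name).
SAMPLE_LOG = (
    # A normal browser: one unauthenticated 401 challenge, then success.
    ['198.51.100.7 - - [16/Apr/1999:02:40:00 +1000] "GET /private/ HTTP/1.0" 401 362',
     '198.51.100.7 - alice [16/Apr/1999:02:40:05 +1000] "GET /private/ HTTP/1.0" 200 1043']
    # Six failures in ten seconds from one client.
    + [f'192.0.2.10 - alice [16/Apr/1999:02:41:{s:02d} +1000] "GET /private/ HTTP/1.0" 401 362'
       for s in range(0, 12, 2)]
    # Five failures, but ten minutes apart (e.g. a forgotten password).
    + [f'203.0.113.5 - alice [16/Apr/1999:03:{m:02d}:00 +1000] "GET /private/ HTTP/1.0" 401 362'
       for m in range(0, 50, 10)]
)

def flag_auth_failures(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client: peak number of 401s inside `window`} for clients
    that reach `threshold`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # client -> timestamps of recent 401s
    flagged = {}
    for line in lines:
        m = CLF.match(line)
        if not m or m.group(3) != "401":
            continue              # unparsable line or not an auth failure
        host = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged

if __name__ == "__main__":
    for host, count in flag_auth_failures(SAMPLE_LOG).items():
        print(f"{host}: {count} failed logins within 60 s")
```

Counting per client address misses guessing spread across many addresses; counting per attempted user name (the third log field) covers that case.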

