[H-GEN] Authentication with Apache

Martin Pool martinp at mincom.com
Fri Apr 16 03:29:25 EDT 1999


(Note reply-to: being general at humbug.org.au vs Martin Pool <martinp at mincom.com>)

Ben Fowler wrote:

> A minor point: if what you want to do is authenticate against a machine
> that has a bunch of user accounts, letting Apache do this might not be a
> crash hot idea...

A good point.

> As far as I know, HTTP/Apache/whatever has no mechanisms for controlling
> the number of retries for failed authentication, and there are no
> meaningful mechanisms in place to prevent crackers from possibly writing a
> script to remotely crack passwords over your network via a web form.  Real
> user accounts can be compromised in this way.

But doing this using PAM increases the exposure no more than letting
people set their web and account passwords to be the same by other
means.  The same applies for FTP and POP3 servers, many of which don't
address these issues.

Doing it using PAM allows a common PAM filter module to enforce
backoffs, delays and logging, which is a good thing.

-- 
 /\\\  Mincom | Martin Pool          | martin.pool at mincom.com
// \\\        | Software Engineer    | Phone: +61 7 3303-3333
\\ ///        | Mincom Pty. Ltd.     | 
 \///         | Teneriffe, Brisbane  | Speaking for myself only
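As an added illustration (not part of the original message or of any list software), this is what the PAM stack Martin describes could look like on a Linux-PAM system: one service file for the web server that adds a fixed delay after a failed attempt, locks out repeated failures and logs every attempt. The service name `httpd`, the module choice and the thresholds are assumptions; the Apache side (a PAM auth module pointed at that service name) is not shown.

```pam
# /etc/pam.d/httpd  -- constructed example; the service name "httpd" is an
# assumption and must match the service the Apache PAM module asks for.

# Backoff: sleep this long (microseconds) after every failed authentication,
# including attempts against user names that do not exist.
auth     required      pam_faildelay.so delay=3000000

# Count failures per user before the password is checked and log each one
# (audit), so the attempts land in the system auth log next to ssh/login.
auth     required      pam_faillock.so preauth silent audit deny=5 unlock_time=900

# The actual password check against the system accounts.
auth     sufficient    pam_unix.so

# Reached only when pam_unix rejected the password: record the failure,
# lock the user after "deny" failures for "unlock_time" seconds, and stop.
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900

# Refuse locked users even if they guess the right password in the meantime.
account  required      pam_faillock.so
account  required      pam_unix.so
```

Check that the web server process can actually perform the password check: pam_unix hands it to the unix_chkpwd helper, which when not run as root only verifies the calling user's own password, so an unprivileged Apache worker may need a different account backend.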
