I think the deal is to restrict http access to https or ssl. Then the username and password are encrypted. I'm wondering about the fact that the httpd needs read access to the /etc/shadow file, thus opening a security hole. Is this a real problem?

John Abreau wrote:
> Stephen Adler wrote:
>> Thanks Andrew, from what I can tell mod_auth_pam is not an official
>> apache module, but a 3rd party one. Am I correct about that? There
>> also seems to be a Perl one out there as well. I'm wondering how
>> secure these 3rd party modules are...
>
> mod_auth_pam uses the same authentication as your shell account. That
> means when you use it in an unencrypted HTTP session, you're sending
> your password in clear text.
>
> If you limit use of mod_auth_pam to SSL-encrypted sessions, you
> eliminate this problem.
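
The restriction discussed in this thread, sketched as an Apache configuration. This is an added example and not part of the original messages; the host name, the `/private/` path and the certificate paths are placeholders, and it assumes mod_ssl and mod_auth_pam are both loaded.

```apache
# Constructed example: www.example.org, /private/ and the certificate
# paths are placeholders, not values from the thread.

# Plain-HTTP vhost: the protected area is never served here, so no
# Basic-auth challenge is ever issued over a clear-text connection.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent /private/ https://www.example.org/private/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    <Location /private/>
        # mod_ssl: reject any request for this location that did not
        # arrive over SSL/TLS, even if the vhost is later misconfigured.
        SSLRequireSSL

        # Basic auth sends the shell-account password on every request,
        # which is why it is only enabled inside the SSL vhost.
        AuthType Basic
        AuthName "Shell account login"
        AuthPAM_Enabled on
        Require valid-user
    </Location>
</VirtualHost>
```

Requesting `http://www.example.org/private/` should return a redirect rather than a 401 challenge, which confirms that clients are never prompted for the password before the connection is encrypted.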