apache authentication via nis
Tom Metro
blu at vl.com
Sat Aug 19 14:31:54 EDT 2006
Stephen Adler wrote:
> ...from what I can tell mod_auth_pam is not an official apache
> module, but a 3rd party one.
> I'm wondering how secure these 3rd party modules are...
...
> I think the deal is to restrict http access to https or ssl. Then the
> username password are encrypted.
It should be noted that one of the reasons why it generally isn't
recommended to use something like mod_auth_pam authentication, even with
SSL, is that unlike sshd and other shell login mechanisms, there is no
limit on the speed or quantity of login attempts (unless they've fixed
this in recent years), which can leave your machine vulnerable to brute
force attacks, or even with strong passwords, the denial-of-service side
effects of such attacks.

If access to the web server isn't inherently limited to a LAN, you
should consider limiting access (via Apache or a software or hardware
firewall) to a specific network or set of IPs.

-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
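
An added example, not part of the original message or of any Apache module: a small Python detector for the unthrottled login attempts described above, counting HTTP 401 responses per client in a sliding window over Apache access-log lines. The threshold, window, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak 401 count} for clients that reach `threshold`
    authentication failures inside any `window`. Lines are assumed to be in
    chronological order per client, as Apache writes them."""
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "401":
            continue  # unparseable line, or not an authentication failure
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), TIME_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def sample_lines():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    fmt = ('{ip} - {user} [19/Aug/2006:14:{m:02d}:{s:02d} -0400] '
           '"GET /private/ HTTP/1.1" {st} 401')
    # One client failing every 2 seconds: the pattern an unthrottled module allows.
    lines = [fmt.format(ip="192.0.2.10", user="admin", m=30, s=2 * i, st=401)
             for i in range(8)]
    # A normal user: the initial Basic-auth challenge, one typo, then success.
    lines += [fmt.format(ip="198.51.100.7", user="-", m=30, s=5, st=401),
              fmt.format(ip="198.51.100.7", user="alice", m=30, s=45, st=401),
              fmt.format(ip="198.51.100.7", user="alice", m=31, s=0, st=200)]
    return lines

if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_lines()).items():
        print(f"{ip}: {count} failed logins within 60s")
```

Addresses flagged this way are candidates for the Apache or firewall access restrictions suggested in the message.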