
Re: mod_auth_pam



On Wed, Jan 31, 2001 at 01:55:39PM +0100, Ingo Luetkebohle wrote:
> On Tue, Jan 30, 2001 at 01:41:09PM -0500, Ben Collins wrote:
> > Not sure about your error message, but pam_unix.so cannot be used under
> > mod_auth_pam.
> 
> Uh, it cannot be used to authenticate from /etc/shadow --
> authenticating from /etc/passwd works fine!

And then, anyone silly enough not to have shadow enabled deserves to
not even have a machine capable of being networked to the internet :)

> > So you see, it cannot authenticate for say "joe". I'm pretty sure the
> > mod_auth_pam docs mention this, and possible workarounds.
> 
> There are basically two:
> 	1) making /etc/shadow readable to apache (not recommended)
> 	2) use mod_auth_external which has a more liberal helper
> 	   application
> 
> I might add at this point, that in light of the above, the decision
> for the PAM supplied helper app not to authenticate other UIDs than
> the calling one seems more and more dubious to me. YMMV, of course.

Um, so you would rather it allow any user to use this application to
attempt brute force attacks against /etc/shadow?

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
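
A check for whether workaround 1 from the quoted list (making /etc/shadow readable to apache) is in effect on a host, added here as an example and not part of the original thread. The function names are hypothetical, the default account name "www-data" is an assumption, and only the classic owner/group/other mode bits are evaluated.

```python
import grp
import os
import pwd
import stat
import sys


def account_ids(name):
    """Return (uid, set of gids) for a local account, including supplementary groups."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if name in g.gr_mem)
    return pw.pw_uid, gids


def can_read(path, uid, gids):
    """Evaluate the owner/group/other read bits on path for the given uid and gids.

    Simplification: POSIX ACLs and capabilities such as CAP_DAC_READ_SEARCH
    are not considered.
    """
    st = os.stat(path)
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit(path, account):
    """Return a one-line finding for the given file and service account."""
    uid, gids = account_ids(account)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if can_read(path, uid, gids):
        return f"FAIL: {account} can read {path} (mode {mode:04o})"
    return f"ok: {account} cannot read {path} (mode {mode:04o})"


if __name__ == "__main__":
    # Assumed defaults: the "www-data" service account and /etc/shadow.
    account = sys.argv[1] if len(sys.argv) > 1 else "www-data"
    print(audit("/etc/shadow", account))
```

Pass the web server's account name as the first argument if it is not "www-data"; a FAIL line means the server process can read the password hashes directly.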


