Right now one of my clients is using a pretty inelegant system to handle website authentication: as far as I can tell, they use htpasswd to change the website password every time the user changes his system password (i.e., the password used for shell access, email, etc.). The website password is also unencrypted, so anyone eavesdropping on their website requests would immediately know their system password. So I'd like to do two things for them: 1) Get SSL set up on their site, and 2) Have Apache consult the system-password list for website authentication. An alternative to item 2 is to choose different passwords for the website than for shell and email access, but that's more of a nuisance than our clients would want. So: what's the best way to get Apache to consult the system password list? A little googling turned up a couple possible solutions: using PAM somehow (I see Apache::AuthPAM on CPAN), or mod_auth_sys. Neither seems to be mentioned very often in Google, which is my measure of authenticity. What would everyone on here suggest? -- Stephen R. Laniel steve@laniels.org +(617) 308-5571 http://laniels.org/ PGP key: http://laniels.org/slaniel.key
Attachment:
signature.asc
Description: Digital signature