Apache2 & PAM authorization

Praetor

I've got Apache2 set up on my server running Gentoo Linux, just to try and teach myself how to build a website from scratch. Getting static stuff up and running is fairly cake, and I've got some basic PHP stuff going on too.

One of the projects I've been working on though (Webcomics collector) requires authorization through .htaccess. Since I use PAM for the rest of the system, I automatically chose the mod_auth_pam module for Apache2 figuring I should be able to use my existing username to login.

Thus far, I've been unable to log in either remotely (from another computer on the network) or locally to the page. My .htaccess is set up correctly (I believe), both mod_auth_pam and mod_auth_sys_group are being loaded (the second module being for shadow passwords, as I understand it). My .htaccess looks something like this....

AuthType Basic
AuthName "Webcomics Collector"
AuthPAM_Enabled on
Require group users

Any suggestions as to what I can do? I've been trying to hunt down a good HOWTO, but haven't found one as of yet......
 

n0cmonkey

Sending your system password over a network without encryption isn't the best idea in the world. At least use mod_ssl to improve that a bit. :)
 

Praetor

mod_ssl is indeed enabled. :p It's all done locally with the exception of when I ssh into the box, so I'm not as worried as I normally would be. :p And thanks for that link, I was slowly coming to find out that that might be the problem. I'm off to chgrp the /etc/shadow file now! Hopefully this will work.

Any ill effects to this?
 

Nothinman

Any ill effects to this?

Oh just the fact that the web server can read all of the passwords in the shadow file, so if someone breaks into your web server they now have access to all of the passwords on your system to take home and crack. The shadow file is readable by root only for a reason, I would really recommend against that and suggest you find another way to do your auth.

I noticed in Debian there's a package called libapache-mod-auth-shadow that should do what you want, as for implementing it in Gentoo, you're on your own.
 

Praetor

Interesting. This is what I thought the plugin was supposed to do from the beginning. Shouldn't be too hard to add it to Gentoo though. I just won't be able to "emerge" it. :p I should be able to download the source, compile it, test it, and put /etc/shadow back to being readable only by root.

Thank you both for your help!
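
The exposure discussed in this thread (what a chgrp on /etc/shadow grants the web server) can be checked from the file's mode, owner and group. The script below is an added example, not part of the original thread; the account name `apache`, the use of GNU `stat -c`, and the sample cases are assumptions, and ACLs are not considered.

```shell
#!/bin/sh
# Added example (not from the thread): can a service account read a shadow file?
# Classic mode bits only; ACLs and capabilities are not considered.

# readable_by MODE OWNER GROUP USER "USER'S GROUPS" -> exit 0 if USER can read
readable_by() {
    mode="000$1" owner=$2 group=$3 user=$4 groups=$5
    [ "$user" = root ] && return 0            # root ignores mode bits
    perms=${mode#"${mode%???}"}               # last three octal digits
    o=${perms%??}; g=${perms#?}; g=${g%?}; w=${perms#??}
    # The kernel applies exactly one class: owner, else group, else other.
    if [ "$user" = "$owner" ]; then bit=$o
    else
        case " $groups " in
            *" $group "*) bit=$g ;;
            *)            bit=$w ;;
        esac
    fi
    [ $((bit & 4)) -ne 0 ]                    # 4 = read permission
}

# audit_shadow [FILE] [USER]: report on a real file (GNU stat assumed).
# "apache" is an assumed service account name; pass your own.
# Returns 0 = not readable, 1 = exposed, 2 = could not check.
audit_shadow() {
    file=${1:-/etc/shadow} acct=${2:-apache}
    meta=$(stat -c '%a %U %G' "$file") || return 2
    grps=$(id -Gn "$acct") || return 2
    set -- $meta                              # $1=mode $2=owner $3=group
    if readable_by "$1" "$2" "$3" "$acct" "$grps"; then
        echo "EXPOSED: $acct can read $file (mode $1, $2:$3)"
        return 1
    fi
    echo "ok: $acct cannot read $file (mode $1, $2:$3)"
}

# Constructed cases: root-only file, then the same file after it is
# handed to the web server's group.
readable_by 600 root root apache "apache" \
    || echo "600 root:root   -> apache cannot read the hashes"
readable_by 640 root apache apache "apache" \
    && echo "640 root:apache -> apache can read the hashes"
```

Run `audit_shadow /etc/shadow <web server account>` as root after any permission change; exit status 1 means the account can read the password hashes.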