Posted to users@httpd.apache.org by Laurent Blume <la...@elanor.org> on 2003/11/13 13:44:41 UTC

[users@httpd] Security of using /etc/passwd

Hello all,

I remember reading, some years ago, that it was possible to use /etc/passwd to
authenticate in Apache (as a .htpasswd), but that it was strongly discouraged
because of the security issues that might arise.

However, I can't find that information anymore in Apache documentation,
particularly the security tips...

Is it now impossible to do it at all, or not considered bad anymore, or did I
simply miss the information?

My goal is to convince somebody that replicating the Unix users in Apache's
config is not the Right Way To Do It.
If I'm wrong on that, you're welcome to tell me why, maybe I'm outdated on this :-)

TIA,

Laurent

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Security of using /etc/passwd

Posted by Jonas Eckerman <jo...@frukt.org>.
On Thu, 13 Nov 2003 13:44:41 +0100, Laurent Blume wrote:

> /etc/passwd to authenticate in Apache (as a .htpasswd), but that it
> was strongly discouraged

It's actually strongly suggested that you not have any passwords at 
all in /etc/passwd nowadays. At least on Linux and *BSD.

It's also in most cases strongly suggested that you not use the OS's 
authentication/users/passwords for the web server as well.

If you do have a reason to use the same authentication for the system 
and the web server, I'd suggest (if possible for the OS you're 
running) using PAM and mod_auth_pam (a simple google search should 
direct you to enough info to use this).

/Jonas

-- 
Jonas Eckerman, jonas_lists@frukt.org
http://www.fsdb.org/
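The reply above says password hashes should not live in /etc/passwd at all, because that file is world-readable while /etc/shadow is not. As an added example (not part of the thread, and not Apache's or mod_auth_pam's code), the following Python script parses a passwd(5)-format file and reports every entry whose second field holds a hash or is empty, so an administrator can confirm the shadow migration actually happened before even considering pointing a web server at those accounts. The sample lines and the hash-looking strings in them are constructed for the example, not taken from any real system.

```python
"""Audit a passwd(5)-format file for password material that should be in the
shadow file instead.  Added example for the mailing-list thread; the sample
below is constructed and the hash strings in it are not real hashes."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in /etc/passwd layout: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacy:abJnggxhB/yWI:1001:1001:Legacy User:/home/legacy:/bin/sh
alice:$6$saltsalt$NotARealHashJustConstructedForTheExample0123456789:1002:1002:Alice:/home/alice:/bin/bash
guest::1003:1003:Guest:/home/guest:/bin/sh
broken:x:1004
"""


@dataclass
class Finding:
    user: str
    severity: str  # "warn" or "high"; "info" entries are not reported
    reason: str


def classify_password_field(field: str) -> Tuple[str, str]:
    """Return (severity, reason) for the second field of a passwd entry."""
    if field == "x":
        return "info", "shadowed: hash lives in /etc/shadow"
    if field in ("*", "!", "!!"):
        return "info", "account locked, no hash present"
    if field == "":
        return "high", "empty password field: login without a password"
    if field[0] in "!*":
        # Lock marker followed by more text: the hash is still readable.
        return "warn", "locked, but still carries a hash in world-readable passwd"
    if field.startswith("$"):
        algo = field.split("$")[1]  # e.g. 1 (md5), 5 (sha256), 6 (sha512)
        return "high", f"crypt(3) hash (${algo}$) stored in world-readable passwd"
    if len(field) == 13:
        return "high", "traditional 13-character DES crypt hash in world-readable passwd"
    return "warn", "unrecognised password field contents"


def audit_passwd(text: str) -> List[Finding]:
    """Parse passwd-format text and return the entries that need attention."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], "warn",
                                    f"line {lineno}: expected 7 fields, got {len(fields)}"))
            continue
        user, pw_field = fields[0], fields[1]
        severity, reason = classify_password_field(pw_field)
        if severity != "info":
            findings.append(Finding(user, severity, reason))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pass a real file's contents to audit it.
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

Entries reading `x` (shadowed) or a bare lock marker are the expected state and are not reported; anything else is either a hash exposed to every local user or a passwordless account, which is exactly the situation that makes reusing these entries for web authentication a bad idea.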


