Christopher Ness wrote:
> On Mon, 2004-10-18 at 10:59, kfogel@collab.net wrote:
>
>>I'd like to make the link when it's done, if it's convenient for you
>>to ping us here again when you're finished.
>
>
> Not quite done, but I'd like some feedback on scraping the /etc/shadow
> file to populate an AuthUserFile for httpd authentication. Is there a
> better way?
>
> http://www.nesser.org/index.php?itemid=315
>
> I put up red flags all around it, and I know people could really shoot
> themselves in the foot (by not using SSL). But who's not to say users
> won't pick the same password as their shell login anyway? And wouldn't
> it be nice to have it update automagically (or every 5 minutes or so).
>
> Could this be done in a more safe way with PAM somehow?
>
I am doing authentication with PAM (mod_auth_pam) so all our NIS users
can authenticate with their ordinary user/password, and doing access
control to the repos with AuthzSVNAccessFile.
If you want local users to be able to authenticate via PAM, you must
give apache read access to /etc/shadow. I've set up a group "shadow"
with members root and wwwrun, and /etc/shadow is
rw-r----- 1 root shadow 611 Aug 24 14:23 /etc/shadow
This is not safer than your solution, but good enough in our environment.
Wolfgang
> Chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Oct 19 08:26:55 2004