[2545] in WWW Security List Archive
Re: Apache authentication module
daemon@ATHENA.MIT.EDU (Larry J. Hughes Jr.)
Mon Jul 29 20:24:43 1996
To: scott hollatz <shollatz@d.umn.edu>
cc: www-security@ns2.rutgers.edu
In-reply-to: Your message of "Thu, 25 Jul 1996 09:25:39 EST."
<199607251425.JAA05732@borg.d.umn.edu>
Date: Mon, 29 Jul 1996 15:28:10 -0500
From: "Larry J. Hughes Jr." <hughes@indiana.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

#There are two approaches: write a correct module following the Apache API or
#hack the server code to open a pipe to a tacacs client.

I suspect you will find that many people have done many things with
respect to Apache auth modules. It's really not very hard once you
carefully examine an example module or two.

I've put together a module that verifies passwords against a Kerberos V4
database, using a digest-based challenge/response mechanism that doesn't
expose passwords to the network. When doing this via Basic Auth over SSL,
it's almost secure. :-) Certainly better than most alternatives I've
seen though.

---
Larry J. Hughes, Jr. hughes@indiana.edu
Indiana University http://copper.ucs.indiana.edu/~hughes/
Author, "Actually Useful Internet Security Techniques," ISBN 1-56205-508-9