[users@httpd] PAM authentication, migrating from 2.0 to 2.2

Wed, 04 Jul 2007 04:28:51 -0700 

Dear Experts,
I am in the process of migrating a 2.0.x system to 2.2 and need some advice about how best to do authentication in the new system. On the old machine I am using mod_auth_pam to do authentication for a Subversion repository and a personal Webmail system, and mod_auth_pgsql for a public CGI application. This message is about PAM, and I'll post another thread about PostgreSQL. 


The old and new systems are running Debian, which includes a 
mod_auth_pam package.  There is a bug report about getting it to work 
with 2.2 here:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=394097



According to that bug report, some users have got this module to work 
with 2.2, but it seems that quite a lot of fiddling is necessary.  It 
has also been discussed on this list, e.g. 
http://thread.gmane.org/gmane.comp.apache.user/61620/focus=61623.  This 
complexity has made me consider the alternatives.


One option is mod_authn_pam by Paul Querna and Axel Grossklaus here:  
http://mod-auth.sourceforge.net/docs/mod_authn_pam/

This looks like it could be exactly what I need, but this mod-auth 
Sourceforge project seems to have been neglected for a few years and 
there is no download link for mod_authn_pam.  (There is a cvsweb link, 
and I guessed that it might have a way to download it, but it wasn't 
working.)  Does anyone know anything about this module's status?



One issue with these PAM modules is that they require that the user 
Apache runs as can read the shadow password file, which is not ideal 
for security.  So it seems that some people prefer to use 
mod_auth*_external.  Would you experts recommend this?


In summary, my choice is between
- Getting the existing Debian-packaged mod_auth_pam to work.
- Using the 'new' mod_authn_pam.
- Using mod_authnz_external.

Which of these would you recommend, with these requirements:
- Mainly to work with Subversion.
- Normal internet levels of security.
- Debian.
- Getting it working with minimum fuss.


Many thanks for any suggestions.

Phil.





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]















    











					Reply via email to