Ok, I had a second try and got it to work.

But the "mod_auth_pam" module needs read-only access to /etc/shadow and I
don't want to allow that permission. If I do, a malicious user could
write a PHP script that catches my whole password database, because I need
to enable the "mod_php5" and "mod_userdir" modules in my server.

"mod_auth_external" doesn't need access to /etc/passwd, because a SGID-
SHADOW external agent does that access (oops - I forgot to ask for it:
http://www.unixpapa.com/pwauth/ ). By using it that way, the malicious
user must do a dictionary attack on that external agent in order to get
some passwords. This dictionary attack method will take more time than a
dictionary attack on a shadow entry, because PAM freezes for some
seconds after an authentication failure.

Could you give me another idea?

** Attachment added: "My .htaccess file"
   http://launchpadlibrarian.net/10111273/.htaccess

-- 
Need package: mod_authnz_external
https://bugs.launchpad.net/bugs/154149
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
