On 1/24/06, Jason Keltz <jas@xxxxxxxxxxx> wrote:
> On Tue, 24 Jan 2006, Joshua Slive wrote:
>
> > On 1/24/06, Jason Keltz <jas@xxxxxxxxxxx> wrote:
> >
> >>> You can use
> >>>
> >>> <Location />
> >>> AuthPAM_Enabled off
> >>> </Location>
> >>>
> >>> in the appropriate <VirtualHost> to override .htaccess.
> >>
> >> Excellent. That does work. However, the authentication page still
> >> comes up requesting a username/password when I attempt to visit the http
> >> version of the page. It's just that any username and password will
> >> display the "Internal Server Error". Is there any way to make that
> >> failure error come up without even displaying the authentication page?
> >
> > Not that I know of.
>
> Joshua,
>
> I just realized -- if the user types their name and password, hits enter
> and gets the "Internal Server Error" page, hasn't their password already
> been sent in the clear from browser to server? This would defeat the
> purpose of my intention to only allow PAM authentication via https.
> Sure, PAM authentication would be off, but the name and password (I
> think) would still be sent in the clear. Do you or anyone else have any
> suggestions of how to get around this?

Well, you can add "AuthType digest" to the <Location /> section.

But it sounds to me like you are trying to indirectly tackle a problem
that could be addressed more directly. The problem is that .htaccess
files apply to both the ssl and non-ssl host. You can prevent this by
using AllowOverride to turn .htaccess off in the non-ssl host, or use
AccessFileName to change the name of the .htaccess file there to
something different. Then nobody should be stupid enough to do
"require" on the non-ssl side when they know the only result will be a
500 error.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
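
The setup suggested in the reply above, written out as an added example that is not part of the original thread: .htaccess is switched off on the non-SSL host with AllowOverride, and the AccessFileName alternative is shown commented out. Host names, directory paths, certificate files and the .htaccess-plain file name are assumptions.

```apache
# Constructed example: host names, paths and certificate files are placeholders.

# Plain-HTTP host: .htaccess files are ignored here, so a "Require" placed in
# one can never raise a password prompt (and a cleartext password) on port 80.
<VirtualHost *:80>
    ServerName www.example.org
    # Assumption: a separate tree that does not hold the protected content.
    # With overrides off, .htaccess no longer restricts anything on this host.
    DocumentRoot /var/www/plain

    <Directory /var/www/plain>
        AllowOverride None
    </Directory>

    # Alternative from the thread: leave AllowOverride as it is and make this
    # host look for a differently named per-directory file instead.
    # AccessFileName .htaccess-plain

    # From earlier in the thread: keep PAM authentication off on this host.
    <Location />
        AuthPAM_Enabled off
    </Location>
</VirtualHost>

# SSL host: .htaccess is honoured, limited to authentication directives.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    <Directory /var/www/secure>
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>
```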