Joshua Slive wrote:
> On 1/24/06, Jason Keltz <jas@xxxxxxxxxxx> wrote:
>> On Tue, 24 Jan 2006, Joshua Slive wrote:
>>> On 1/24/06, Jason Keltz <jas@xxxxxxxxxxx> wrote:
>>>>> You can use <Location /> AuthPAM_Enabled off </Location> in the appropriate <VirtualHost> to override .htaccess.
>>>> Excellent. That does work. However, the authentication page still comes up requesting a username/password when I attempt to visit the http version of the page. It's just that any username and password will display the "Internal Server Error". Is there any way to make that failure error come up without even displaying the authentication page?
>>> Not that I know of.
>> Joshua, I just realized -- if the user types their name and password, hits enter and gets the "Internal Server Error" page, hasn't their password already been sent in the clear from browser to server? This would defeat the purpose of my intention to only allow PAM authentication via https. Sure, PAM authentication would be off, but the name and password (I think) would still be sent in the clear. Do you or anyone else have any suggestions of how to get around this?
> Well, you can add "AuthType digest" to the <Location /> section. But it sounds to me like you are trying to indirectly tackle a problem that could be addressed more directly. The problem is that .htaccess files apply to both the ssl and non-ssl host. You can prevent this by using AllowOverride to turn .htaccess off in the non-ssl host, or use AccessFileName to change the name of the .htaccess file there to something different. Then nobody should be stupid enough to do "require" on the non-ssl side when they know the only result will be a 500 error.
Hi Joshua, I would like to do that, but the problem is, I still need to leave the .htaccess functionality on the non-ssl side untouched. There are users using basic authentication on the non-ssl side, and doing many other things in their personal .htaccess files and I can't break any of that. It's just that I am required to provide the new PAM functionality, and don't want to implement it in a way that risks the security of my passwords.
I had really figured the solution would be relatively trivial. I figured that Apache would have a standard mechanism that would simply allow me to specify which modules are available to which virtual hosts. I figured that maybe I could do a "ClearModuleList" and then "AddModule" for each module, but these functions don't work inside the VirtualHost definitions, and as you said, this feature isn't in Apache right now. It is left up to the module developer... The problem is, I think that even if I modified the mod_auth_pam module to only allow an enable if the calling URL was https, this wouldn't solve the problem since the Username and Password box would still come up, and the password would still be sent in the clear before the web server would return an error message. The only way to make things stop hard in their tracks is by not having the module loaded... It really seems like a solution that needs to come from within the web server.
I could hard-code the digest authentication into the "location /" call, as you said, but then I would mess up basic authentication using the ssl virtual host as well.
Jason.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
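As an added example (not from the thread or from either poster), the two suggestions above, AuthPAM_Enabled off per virtual host and AccessFileName, can be combined the other way round from how Joshua phrased it: the plain-HTTP host keeps its existing .htaccess files exactly as they are, while the HTTPS host reads an additional access file that only it ever sees, so PAM directives never apply to a request that arrived in cleartext. The hostnames, paths and the second file name ".htaccess-ssl" are assumptions.

```apache
# Added example: two virtual hosts sharing one DocumentRoot. The :80 host
# keeps ordinary .htaccess behaviour but has mod_auth_pam disabled; the
# :443 host additionally reads ".htaccess-ssl" (a hypothetical name), which
# is where users put their PAM-based "require" lines.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/site

    <Directory /var/www/site>
        # Existing per-user .htaccess files (Basic auth etc.) keep working here ...
        AllowOverride AuthConfig Limit FileInfo
    </Directory>

    # ... but PAM is switched off for the whole host, so a "require" that
    # depends on PAM fails closed with a 500 rather than ever consulting PAM
    # with a password that travelled over plain HTTP.
    <Location />
        AuthPAM_Enabled off
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem    # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key  # placeholder path

    # AccessFileName accepts several names; both are read on this host only,
    # so the :80 host never parses ".htaccess-ssl" at all.
    AccessFileName .htaccess .htaccess-ssl

    <Directory /var/www/site>
        AllowOverride AuthConfig Limit FileInfo
    </Directory>
</VirtualHost>

# A user's /var/www/site/private/.htaccess-ssl (hypothetical) would then hold:
#   AuthType Basic
#   AuthName "PAM protected area"
#   AuthPAM_Enabled on
#   require valid-user
```

Directives in .htaccess-ssl are still subject to the AllowOverride setting of the HTTPS host, and a PAM "require" that a user mistakenly places in a plain .htaccess still produces the browser prompt on the :80 host that the thread describes; only the PAM lookup itself is prevented there.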