<snip>

> What I mean is that "the PHP application sends the password to the C CGI
> program which performs the authentication using PAM".
>
> But what is the difference from "the user sends the password
> to the C CGI program which performs the integration using PAM"?
>
> I think your method does make sense, so I will use SSL to send the
> password to a CGI program, and then the CGI program performs the
> authentication using PAM.

IMHO this is still *way* too complex. When I fed "PHP PAM" into google,
I got this:

http://pecl.php.net/package/PAM

Beyond that; do you need PAM at all? The only sensible use of PAM from a
PHP script I can think of is if the users need, have and use standard
log in accounts on the machine and you want to share the usernames and
passwords. If they don't have accounts then why not use a database as
is the more normal method of doing account management / authorisation
in web applications.

> But it happens at the user login. After login, I need to save the
> username and password in the PHP session,

IIRC if you've set up things to require authentication at the HTTP
layer, the username and password are cached in the browser and
presented on each subsequent request. Given HTTP is (supposed to be)
stateless I can't see how else it would do this. But how you do this
is entirely OT for this list.

> and for security,

For security I think you should avoid saving the password in the PHP
app if at all possible. PAM goes to a lot of trouble to try to make
sure passwords don't leak out. You don't want to have to repeat this
work.

> I think I should save the hashed password with MD5 which can be sent
> back by the CGI program.
>
> When the user performs some operations on the PHP application, for
> security, I need to send the username and password to the CGI program
> which will auth it again, and then do some operations, but at this
> time the password I sent is the MD5 password, so I need the C CGI
> program to auth the MD5 password.

This won't work for the following reasons:

1. The PAM interface takes a plain text password. MD5 is a hash and
   thus is one way; that's the point. So even if you keep the MD5 hash
   of the password around, you won't be able to recover the text of the
   password; nor will you be able to use it to authenticate the user.

2. pam_unix with md5 passwords enabled doesn't store the MD5 sum of the
   password, it stores a complex hash of the password that _includes_
   multiple MD5 sum computations. You don't want to have to re-implement
   this.

HTH

Cheers,
- Martin

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
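To make Martin's two points concrete, here is an added example that is not part of the thread: a Python re-implementation of the md5crypt ("$1$") scheme that pam_unix uses when MD5 passwords are enabled, written only to show that the stored value is a salted, 1000-round construction and nothing like a bare MD5 digest, and that a verifier needs the plaintext. The password and salt are constructed sample values. In real code you would never re-implement this; you would hand the plaintext to PAM (or crypt(3)) and let it do the comparison.

```python
# Added example, not from the pam-list thread or from Linux-PAM. A
# re-implementation of the md5crypt "$1$" scheme (as in FreeBSD/glibc
# crypt(3)) used here purely to illustrate why md5(password) cannot be
# handed to PAM in place of the password. Production code must call PAM
# or crypt(3) rather than use this.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
ROUNDS = 1000  # fixed by the scheme, not configurable


def _to64(value: int, length: int) -> str:
    """crypt(3)-style base64: least significant 6 bits are emitted first."""
    out = []
    for _ in range(length):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Return the '$1$<salt>$<hash>' string for password and an up-to-8-byte salt."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in as many bytes of alt as the password is long, 16 at a time.
    plen = len(password)
    while plen > 0:
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    # Per bit of the password length: a zero byte or the first password byte.
    plen = len(password)
    while plen:
        ctx.update(b"\x00" if plen & 1 else password[:1])
        plen >>= 1
    final = ctx.digest()
    # 1000 stretching rounds, each a fresh MD5 over a varying mix of inputs.
    for i in range(ROUNDS):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # The 16 output bytes are permuted before the custom base64 encoding.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return (MAGIC + salt).decode() + "$" + encoded


def verify(stored: str, candidate: bytes) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    This is what a PAM module does internally: it needs the candidate in
    plain text, because the salt and rounds must be applied to it afresh.
    """
    _, ident, salt, _ = stored.split("$")
    if ident != "1":
        raise ValueError("not a $1$ (md5crypt) hash")
    return hmac.compare_digest(md5crypt(candidate, salt.encode()), stored)


def plain_md5_hex(password: bytes) -> bytes:
    """What the PHP design in the thread proposed to send: the bare MD5 hex digest."""
    return hashlib.md5(password).hexdigest().encode()


if __name__ == "__main__":
    pw = b"correct horse"               # constructed sample password
    stored = md5crypt(pw, b"ab12cd34")  # what pam_unix would keep in /etc/shadow
    print("stored:             ", stored)
    print("bare md5(password): ", plain_md5_hex(pw).decode())
    print("plaintext verifies: ", verify(stored, pw))
    # Sending md5(password) as if it were the password: it is hashed again
    # under the salt and rounds, so it can never match the stored value.
    print("md5 digest verifies:", verify(stored, plain_md5_hex(pw)))
```

The stored string carries the salt and the round structure in its format, so the only input that reproduces it is the original plaintext; an MD5 digest of the password is just another wrong password. You can compare the output of `md5crypt` against your system's crypt(3) with `openssl passwd -1 -salt ab12cd34 'correct horse'` to confirm the re-implementation matches.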