On Thu, 2 Aug 2012 22:33:13 +0530 Arpit Tolani <arpittolani@xxxxxxxxx> wrote:

> Why are you using PAM authentication for web server?

Well, because regular users on the system shall be able to access certain private areas of the HTTP tree.

> Using PAM authentication with apache/nginx is a very bad idea. Here
> are some reasons :
>
> * The Web technology provides no governors on how often or how rapidly
> password (authentication failure) retries can be made. That means that
> someone can hammer away at your system's root password using the Web,
> using a dictionary or similar mass attack, just as fast as the wire
> and your server can handle the requests.

In this case the PAM service configuration has a rule added that only users within a certain group are able to use this at all; root is not in that group, of course. So this limits potential dictionary attacks to said users. Add to this a fail2ban ruleset that will disallow access to the server from the originating IP after a number of failed login attempts.

> * Web authentication passwords (at least for Basic authentication)
> generally fly across the wire, and through intermediate proxy systems,
> in what amounts to plain text. "O'er the net we go/Caching all the
> way;/O what fun it is to surf/Giving my password away!"

That server is TLS only. No plaintext goes over the wire, and caching is mutually exclusive with TLS (a proxy is a MitM, from a cryptography point of view).

> A possible solution for you will be to add all your users in LDAP and
> use LDAP auth instead. Benefits of using LDAP auth are
>
> - All apache servers can access LDAP server & create a centralized
> authentication setup.

And the benefit of this is? OpenLDAP is a heavyweight beast, and the password would still go over the wire for basic auth.

> - You can configure LDAP on secure port and all data transfer will be
> done on SSL

Well, would not be very helpful if the server frontend was still plaintext HTTP.
Wolfgang

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
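As a concrete illustration of the group restriction Wolfgang describes, an added example that is not from the thread: a PAM service file that refuses any account outside a dedicated group before a password is ever checked, so root and every other non-member never reach the password module at all. The service name httpd-private, the group name webusers and the file path are assumptions; the web server's PAM module must be pointed at this service name instead of a generic one such as "login".

```conf
# /etc/pam.d/httpd-private   (assumed service name and path)
#
# auth stack: the first line is "requisite", so a user who is not in the
# "webusers" group (assumed group name) fails the whole stack immediately
# and pam_unix is never consulted.  "quiet" keeps each refusal out of the
# system log, which would otherwise be filled by the very hammering the
# rule is meant to contain; drop it while debugging membership problems.
auth     requisite   pam_succeed_if.so quiet user ingroup webusers
auth     required    pam_unix.so

# account stack: still honour locked / expired accounts for members.
account  required    pam_unix.so

# No password or session stacks: the web server only authenticates,
# it never changes passwords or opens a login session.
```

Note that pam_unix checks /etc/shadow through the setuid helper unix_chkpwd, which only verifies the calling user's own password when invoked by an unprivileged process, so how an httpd running as www-data gets a usable answer depends on the PAM module chosen for the web server. For the fail2ban side, the stock apache-auth filter was written for Apache's own auth modules; run fail2ban-regex against the error-log lines the PAM module actually emits to confirm failures are matched before relying on the ban.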