>>On Sun, 4 Apr 2004, Steve Holmes wrote:
>> . . . Is there any way to get Apache
>> to use the standard Linux passwords
>> instead of having to create and use
>> separate passwords? I've seen CUPS do
>> exactly this.
----
>Tom Jones wrote:
>>Have you considered mod_auth_pam? I believe
>> it will do what you're after.
----
Alex LeDonne wrote:
> But please consider the security implications if you do. Basic
> authentication sends the username and password over the wire in
> plaintext. If you're not using SSL, then you're sending account
> passwords free and clear. Gives me the willies.
>
> You might use Digest instead of Basic, or use SSL.

Vic Odhner agrees with Alex:

PLEASE don't have your system logon passwords entered in the clear via
HTTP. If you're using SSL, that's a little better, but still bad.

The bottom line with security is that it is in direct opposition to
productivity and convenience. You have to compromise security to some
degree to get anything done. But sending passwords out in the clear is
an absolute no-no, and using the same password for multiple things is
-- frankly -- lazy and risky.

(Of course there are real "single sign-on" systems, using Kerberos and
LDAP, etc., but you really need to do your homework when setting up that
type of thing.)

Vic
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss