[Hcoop-discuss] Web passwords
Adam Chlipala
adamc at hcoop.net
Mon Oct 17 12:21:23 EDT 2005
ntk at hcoop.net wrote:
>We definitely don't want users getting direct access to /etc/shadow,
>because there are bound to be users with weak/crackable passwords.
>Probably most users, for that matter. I thought the whole point of PAM
>was to give an API for checking passwords without granting access to the
>encrypted passwords themselves or relying on a particular underlying
>authentication mechanism.
>
>
The documentation for this module backs up the assertion that www-data
would need to be given read access to /etc/shadow. My understanding is
that there is no "PAM daemon" that the module consults for
authentication; rather, it follows PAM configuration itself, which is
why it would need those permissions.

Based on what I've learned so far, I'm thinking that we should stick
with separate web passwords. I'm still open to suggestions, though.