Slackware: This forum is for the discussion of Slackware Linux.
For example, a machine I have runs CentOS 6 and hosts a website. When I click on a certain link (I've made it do this), a dialog box opens up asking for username/password authentication over HTTPS, which uses PAM (local accounts are still being used). How could this be done on Slackware without PAM (I am not actually asking how this would get done, but what would be used rather than PAM)?
If you don't want to use PAM for a web server, you can use CGI scripts or PHP code to simulate the same functionality, without the security.
So, obviously I don't know how this works. How come Apache can't just use regular user authentication for this like programs such as postfix/dovecot can? Also, I thought PAM was insecure (or that it's complex, which can lead to being insecure for some?)? Just seems confusing to me, that's all: why does Apache need PAM when other software (even vsftpd) does not need it?
In your httpd.conf you'd add lines that look like this for a dual authentication against the shadow database (which uses pwauth - included in my package) as well as a separate htaccess file with custom accounts (for instance people you do not want to give shell access):
No worries, there's a manual.....
The first two paragraphs should help you better understand "why PAM instead of the local authentication subsystem?".
Quote:
How come apache can't just use regular user authentication
It can, and in a high-security environment, it does (though that's to segregate accounts in the DMZ from domain accounts, which means if you lose control of an asset in the wild lands, it won't create an exploitation path into the domain).
Quote:
I thought PAM was insecure
You have to write rules for it and if you screw that up, you can leave a hole in the system, or conversely you can make the thing so damn secure even you can't get back into it (trust me, I know this for true...)