[svlug] rehearsal: auth_pam and apache2

Ivan Sergio Borgonovo mail at webthatworks.it
Sun Aug 13 13:38:13 PDT 2006


On Fri, 11 Aug 2006 15:10:22 +0200
Ivan Sergio Borgonovo <mail at webthatworks.it> wrote:

> I'd like to use pam authentication for my svn server.

OK, I read a lot... but I still don't have a clear picture of what I should do to avoid duplicating users' credentials in configuration files.

I read this
http://pam.sourceforge.net/mod_auth_pam/shadow.html
and with this configuration:

<Location /svn>
    DAV svn
    SVNPath /var/www/svn
    AuthType Basic
    AuthName "SVN"
    AuthPAM_Enabled on
    Require valid-user
    Require group $group
</Location>

and

Group shadow

in /etc/apache2.conf

it works.

But I'm not willing to let Apache read my shadow, since I may make some error in my application code, and I don't want someone who owns just Apache to own my box.

I read this too:
http://pam.sourceforge.net/mod_auth_pam/
"
Related Modules
For authentication against /etc/shadow, I recommend
mod_authnz_external. For use with LDAP, several LDAP modules are
available, choose a recent one.
"
But it seems that these modules haven't been packaged for sarge.

I don't see any alternative other than using the Subversion custom server over ssh and giving up WebDAV.

The "good thing" about using mod_authnz_external seems to be adding an extra layer between Apache and my shadow.
Using Basic auth and just duplicating credentials into .htaccess is just a little bit better than letting Apache read my shadow (I can skip putting root into .htaccess).

I thought that having the same users for Apache and the system was a common problem, so a tested solution should be around (and sarge is neither old nor new). Is there a reason there is no tested solution around?
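
A config audit for the settings quoted in the message, added here as an example (it is not code from the original post or from mod_auth_pam). It flags "Group shadow", the exposure the author is worried about, and a "Require group" placed beside "Require valid-user", where Apache grants access on a match of either line. The function name audit and the SAMPLE text are constructed for illustration, and each section is checked on its own without modelling inheritance between nested sections.

```python
import re

OPEN = re.compile(r"<(\w+)\s+([^>]+)>")
CLOSE = re.compile(r"</\w+>")
# Constructed sample: the directives quoted in the message, in one file.
SAMPLE = """\
Group shadow
<Location /svn>
    AuthType Basic
    AuthPAM_Enabled on
    Require valid-user
    Require group $group
</Location>
"""

def audit(conf_text):
    """Return sorted (line_no, message) findings for Apache config text."""
    # One scope per open section: [name, line of 'Require valid-user', narrower Requires]
    findings, stack = [], [["server config", None, []]]
    def close_scope():
        name, valid_user, narrow = stack.pop()
        for no, text in (narrow if valid_user else []):
            # Sibling Require lines are alternatives: any single match grants access.
            findings.append((no, f"{name}: '{text}' adds no restriction, 'Require "
                                 f"valid-user' on line {valid_user} already matches"))
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if len(stack) > 1:
                close_scope()
            continue
        m = OPEN.fullmatch(line)
        if m:
            stack.append([f"<{m.group(1)} {m.group(2)}>", None, []])
            continue
        words = line.split()
        key, args = words[0].lower(), [w.lower() for w in words[1:]]
        if key == "group" and args == ["shadow"]:
            findings.append((no, "Apache runs in group shadow, so any code it "
                                 "executes can read /etc/shadow"))
        elif key == "require" and args and args[0] == "valid-user":
            stack[-1][1] = no
        elif key == "require" and args and args[0] in ("user", "group"):
            stack[-1][2].append((no, " ".join(words)))
    while stack:
        close_scope()
    return sorted(findings)
```

Calling audit(SAMPLE) reports line 1 (the server-wide group) and line 6 (the group requirement that valid-user overrides).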




