Comments on: DTrace: mod_auth_pam and apache2

By: Tim

Tim — Wed, 17 Mar 2010 21:30:48 +0000

It appears that you can use the “broken_shadow” flag with pam_unix.so to have it ignore any errors when trying to open the shadow file.

By: Gleb Reys

Gleb Reys — Sun, 03 May 2009 01:39:22 +0000

Totally agree, Boyd.

For the implementation of the mod_auth_pam I had though, this was the only way.

It’s a rather old post (I migrated my blog today), so things moved on since then – I’ve just read up a bit, and it seems that similar auth modules for Apache 2 now use external password authenticator (pwauth) – definitely a better way.

By: Boyd Adamson

Boyd Adamson — Sun, 03 May 2009 00:26:10 +0000

*Surely* there is a better way to do this than allowing a large, network facing daemon like apache to access /etc/shadow, a file that’s – to say the least – rather sensitive