[Moin-user] HTTP AUTHENTICATION security
robert at cantab.net
Wed Feb 15 09:49:09 EST 2006
I have a question regarding the security of HTTP authentication.
Thomas Waldmann wrote:
>> Hi all...I have MoinMoin 1.5.2 set up and need to enable http
>> authentication. I have made the appropriate changes in the
>> wikiconfig.py file.
> Should read similar to this:
> from MoinMoin.auth import http
> auth = [http]
>> What other changes do I need to set up? I assume I need to add info
>> into httpd.conf file to tell Apache what to do.
> You need to activate http auth for that URL in Apache, that's all.
> Just google for htpasswd or look into apache docs.
To save myself some admin hassle, I'm trying to find a way to use
existing usernames/passwords on my system for Moin authentication. I'm
running a Linux network, so that means I'd like to use /etc/passwd for
usernames and /etc/shadow for passwords. There is an Apache module
which allows HTTP basic authentication based on /etc/shadow, and I was
hoping to tie this together with Moin's HTTP auth function to achieve my
Trouble is, I'm not using SSL. As far as I can see this means that
passwords will be transmitted in cleartext from the browser to the
server, which is a terrible security hole. Am I correct in this? And
is there nothing to be done about this except use SSL?