[Moin-user] HTTP AUTHENTICATION security

Robert Schumann robert at cantab.net
Wed Feb 15 09:49:09 EST 2006


I have a question regarding the security of HTTP authentication.

Thomas Waldmann wrote:

>> Hi all...I have MoinMoin 1.5.2 set up and need to enable http 
>> authentication. I have made the appropriate changes in the 
>> wikiconfig.py file.
>
> Should read similar to this:
>
> from MoinMoin.auth import http
> auth = [http]
>
>> What other changes do I need to set up? I assume I need to add info 
>> into httpd.conf file to tell Apache what to do.
>
> You need to activate http auth for that URL in Apache, that's all.
>
> Just google for htpasswd or look into apache docs.

To save myself some admin hassle, I'm trying to find a way to use 
existing usernames/passwords on my system for Moin authentication.  I'm 
running a Linux network, so that means I'd like to use /etc/passwd for 
usernames and /etc/shadow for passwords.  There is an Apache module 
called mod_auth_shadow
    http://mod-auth-shadow.sourceforge.net/
which allows HTTP basic authentication based on /etc/shadow, and I was 
hoping to tie this together with Moin's HTTP auth function to achieve my 
goal.

Trouble is, I'm not using SSL.  As far as I can see this means that 
passwords will be transmitted in cleartext from the browser to the 
server, which is a terrible security hole.  Am I correct in this?  And 
is there nothing to be done about this except use SSL?

Thanks,
Robert.
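
What the cleartext concern in the message above looks like in practice, as an added example that is not part of the original post or of MoinMoin's code: HTTP Basic credentials are only base64-encoded, so anyone who can read the request can recover them, and a WSGI wrapper can redirect plain-HTTP requests to HTTPS before any password prompt is issued. The function names, the sample credentials and the host name passed as `https_host` are assumptions for illustration (Python 3, standard library only).

```python
import base64
import binascii

# Constructed sample: the header a browser sends for user "robert", password "s3cret".
SAMPLE_HEADER = "Basic " + base64.b64encode(b"robert:s3cret").decode("ascii")


def parse_basic_authorization(header_value):
    """Decode an Authorization header value; return (user, password) or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # Base64 is an encoding, not encryption: no key is needed to reverse it.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, colon, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if colon else None


def require_tls_for_basic_auth(app, https_host):
    """WSGI wrapper: plain-HTTP requests are redirected to HTTPS and never reach
    the application, so no 401 challenge (password prompt) is issued over HTTP."""
    def wrapper(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # https_host is configured, not taken from the client's Host header.
            location = "https://" + https_host + environ.get("PATH_INFO", "/")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return wrapper


if __name__ == "__main__":
    print(parse_basic_authorization(SAMPLE_HEADER))
```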



