Date: Fri, 12 Jul 2002 16:47:50 -0700
From: Darren Pilgrim
To: Nielsen
Cc: freebsd-security@FreeBSD.ORG, Steve
Subject: Re: plain text passwords

Nielsen wrote:
>
> You should use an authentication module that uses hashed passwords.
>
> And secondly you usually shouldn't authenticate against the system
> passwords. But if you have to, try to find a solution that doesn't give the
> apache user (www, or nobody or whatever) read access to your shadow
> passwords.
>
> One thing I used which worked well was the cyrus-sasl pwcheck daemon. Apache
> has a module which authenticates against it. The pwcheck daemon runs as
> root, relieving apache of the above need.

Does pwcheck use PAM on FreeBSD?