httpd-dev mailing list archives

From Daniel Ruggeri
Subject Removing passwords from the conf file
Date Sat, 20 Nov 2010 22:05:21 GMT
In mod_ssl there is a very handy option of making an exec callout for 
SSLPassPhraseDialog rather than putting a password for your private key 
in the conf file. The obvious benefit here is that one can then design a 
solution to meet any arbitrary number of security challenges before 
allowing that password to be delivered.

One of my TODO patches is to add this same functionality in other 
places. The first that comes to mind (and something that has pestered me 
in the past) is AuthLDAPBindPassword (mod_authnz_ldap). Would anyone 
like to suggest other potential places this should be done before I put 
together a bug report and send in a patch?

I am opposed to mod_ssl's check that the argument to SSLPassPhraseDialog 
exec:blah is a file. This prevents calling an arbitrary executable with 
parameters. Thoughts?

Daniel Ruggeri
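
The exec callout described in the first paragraph of the message, as an added example (not from the original message or from the httpd project): a helper for `SSLPassPhraseDialog exec:` that releases the pass phrase only after validating its arguments and the secret file's ownership and mode. The directory `PASSPHRASE_DIR`, the one-file-per-vhost naming and the function name `get_passphrase` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: pass-phrase helper for "SSLPassPhraseDialog exec:/path/to/helper".
# mod_ssl runs the helper with two arguments, "servername:port" and the key
# type (e.g. RSA), and reads the pass phrase from its standard output.
# PASSPHRASE_DIR and the one-file-per-vhost layout are assumptions.

PASSPHRASE_DIR="${PASSPHRASE_DIR:-/etc/httpd/passphrases}"

# Print the pass phrase for vhost "$1" and key type "$2", or fail without output.
get_passphrase() {
    vhost="$1"
    keytype="$2"

    # Accept only plain "name:port" and known key types, so the arguments
    # can never select a file outside PASSPHRASE_DIR.
    case "$vhost" in
        ""|*[!A-Za-z0-9.:_-]*|*..*) return 1 ;;
    esac
    case "$keytype" in
        RSA|DSA|ECC) ;;
        *) return 1 ;;
    esac

    file="$PASSPHRASE_DIR/$vhost.$keytype"
    # Must be a regular file (not a symlink) owned by the calling user.
    [ -f "$file" ] && [ ! -L "$file" ] && [ -O "$file" ] || return 1

    # Refuse to release the secret if group or others have any access.
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
        -r[w-]-------) ;;
        *) echo "refusing $file: mode $mode" >&2; return 1 ;;
    esac

    cat "$file"
}

# Run as a script only when mod_ssl (or an operator) supplies both arguments.
if [ "$#" -eq 2 ]; then
    get_passphrase "$1" "$2"
fi
```

Because mod_ssl requires the `exec:` argument to be a file, any per-site parameters have to live inside the helper or its environment rather than on the directive line.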
