In mod_ssl there is a very handy option of making an exec callout for
SSLPassPhraseDialog rather than putting a password for your private key
in the conf file. The obvious benefit here is that one can then design a
solution to meet any arbitrary number of security challenges before
allowing that password to be delivered.
One of my TODO patches is to add this same functionality in other
places. The first that comes to mind (and something that has pestered me
in the past) is AuthLDAPBindPassword (mod_authnz_ldap). Would anyone
like to suggest other potential places this should be done before I put
together a bug report and send in a patch?
P.S.
I am opposed to mod_ssl's check that the argument to SSLPassPhraseDialog
exec:blah is a file. This prevents calling an arbitrary executable with
parameters. Thoughts?
--
Daniel Ruggeri
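As an added example (not code from the post or from httpd), here is a passphrase-provider script of the kind the `exec:` callout allows, which refuses to deliver the secret unless the arguments are well-formed and the per-key passphrase file is owned by the caller and unreadable by anyone else. mod_ssl invokes the program with `servername:port` and the key type as its two arguments and reads the passphrase from stdout; the install path, the passphrase directory layout and the checks themselves are assumptions.

```shell
#!/bin/sh
# Assumed deployment:  SSLPassPhraseDialog exec:/usr/local/sbin/ssl-passphrase
# mod_ssl calls the program as:  <program> servername:port KEYTYPE   (KEYTYPE = RSA, DSA, ...)
# and reads the passphrase from stdout. Everything below is an added example.
set -u

# One file per key, named "<servername:port>.<KEYTYPE>", in a root-only directory (assumed layout).
PASS_DIR="${PASS_DIR:-/etc/apache2/passphrases}"

# Accept only a plain host:port and a plain key-type token, so a malformed argument
# can never name a file outside PASS_DIR (no "/", no "..").
valid_args() {
    case "$1" in ""|*[!A-Za-z0-9.:_-]*) return 1 ;; esac
    case "$2" in ""|*[!A-Za-z0-9]*)     return 1 ;; esac
    return 0
}

# Print "<mode> <uid>" for a file; GNU stat first, BSD stat as the fallback.
file_mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# The secret must be a regular file, owned by the invoking user (root when httpd
# starts) and readable by nobody else. Anything else is refused, not served.
check_file() {
    [ -f "$1" ] || return 1
    set -- $(file_mode_owner "$1")
    [ "${2:-}" = "$(id -u)" ] || return 1
    case "${1:-}" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Print the passphrase for servername:port ($1) and key type ($2), or fail with no output.
deliver_passphrase() {
    valid_args "${1:-}" "${2:-}" || return 1
    check_file "$PASS_DIR/$1.$2" || return 1
    cat "$PASS_DIR/$1.$2"
}

# Entry point for mod_ssl: a non-zero exit with nothing on stdout makes httpd
# refuse to start rather than load the key with a missing or wrong passphrase.
if [ "${1:-}" != "" ]; then
    deliver_passphrase "$1" "${2:-RSA}" || exit 1
fi
```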