How can I prevent Apache from exposing a user's password?

Solution 1:

Just in case someone stumble on this question like i did:

In Apache 2.4.5 and later you can use the AuthBasicFake directive to mask the password:

AuthBasicFake toto tata

Results in:


To keep the username:

AuthBasicFake %{REMOTE_USER} tata

results in:


REMOTE_USER is not affected.

Solution 2:

Seems not possible but see
Post #8 suggest to use auto_prepend_file to run a script that unset the variable
It's a workaround not a clean solution but it exist...

Did you try AuthType Digest ?

Solution 3:

Radius is right -- you can't.

After further research I realised that this is basically a text-book scenario for an identity assertion: A trusted identity provider "proves" the user's identity to the client application. The SAML 2.0 specification seems a good fit.

I was hoping to get away without more infrastructure layers, but I'm going to go with simpleSAMLphp[1] for the IDP and mod_mellon[2] for the Apache side. (A day's worth of tinkering and it works.) This doesn't solve the password problem, but moves it to where it can be controlled.

Aside: Sun's OpenSSO is quite beefy but Oracle killed it and the related OpenAM project's future is still not clear.

[1]: simpleSAMLphp

[2]: mod_mellon