Tom Rosso wrote:
> You may also consider moving the passwd file out of htdocs. I believe
> this is a security hazard. Mine is in /var/www/etc.

Basically it should be anywhere except any web-accessible directory.

However, HTTP Basic Authentication is worse than basic FTP. The password and username get sent unencrypted for each request.

I see that mod_auth_kerberos is part of the packages available for OpenBSD:

http://www.openbsd.org/4.3_packages/i386/mod_auth_kerb-5.3p1.tgz-long.html

Would combining that with SSL/TLS be what is most recommended here for serving sensitive data over the web?

Regards
-Lars
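
The two points raised in this thread, as an added example that is not part of the original messages: a small audit that flags a password file stored under the document root and Basic auth that is not restricted to SSL/TLS. The sample configuration is constructed; every path except `/var/www/etc` and the file name `passwd` are assumptions, and `audit`, `inside` and `parse_directives` are hypothetical helper names.

```python
import posixpath
import re

# Constructed Apache-style config; paths other than /var/www/etc are assumed.
SAMPLE_CONF = """\
DocumentRoot /var/www/htdocs
<Directory /var/www/htdocs/private>
    AuthType Basic
    AuthUserFile /var/www/htdocs/private/passwd
    Require valid-user
</Directory>
<Directory /var/www/htdocs/reports>
    SSLRequireSSL
    AuthType Basic
    AuthUserFile /var/www/etc/passwd
    Require valid-user
</Directory>
"""

def inside(path, root):
    """Lexical check only: does not resolve symlinks or Alias mappings."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def parse_directives(body):
    """Map lower-cased directive name -> argument string, skipping comments."""
    out = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return out

def audit(conf):
    """Return (directory, problem) pairs for each <Directory> block."""
    findings = []
    m = re.search(r"^\s*DocumentRoot\s+(\S+)", conf, re.M | re.I)
    docroot = m.group(1).strip('"') if m else None
    blocks = re.findall(r"<Directory\s+([^>]+)>(.*?)</Directory>", conf, re.S | re.I)
    for directory, body in blocks:
        directory = directory.strip().strip('"')
        d = parse_directives(body)
        userfile = d.get("authuserfile", "")
        if userfile and docroot and inside(userfile, docroot):
            findings.append((directory, "password file is under DocumentRoot"))
        # Basic auth sends credentials base64-encoded, not encrypted, on every request.
        if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
            findings.append((directory, "Basic auth without SSLRequireSSL"))
    return findings
```
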