With CGIs, mod_auth_kerb uses the basic authentication response password to obtain a TGT. The password itself is not exposed to the CGI. Great.
With PHP scripts, PHP provides the basic auth challenge, sets PHP_AUTH_USER and _PW, and mod_auth_kerb gets a TGT. The problem is that PHP_AUTH_PW is passed to the PHP scripts and I don't want developers to be able to see users' passwords.
So, is there a way to suppress the setting of PHP_AUTH_PW? I want PHP scripts to get a trustworthy PHP_AUTH_USER and a krb TGT without leaking passwords.
Thanks,
Reece
-- Reece Hart, http://harts.net/reece/, GPG:0x25EC91A0