[Swan] UPDATE Re: Authentication with pam_url and nonces

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Tue Feb 8 16:17:36 EET 2022

SSLVerifyClient did not exactly work out of the box on our apache2
server, and I don't have the liberty to experiment with it ...

pam_url with HMAC-SHA-2 just works, and I believe it has sound logic:
HMAC-SHA-256 protected the URL POST fields and the script return code
from tampering in man-in-the-middle attacks.

However, brute forcing the CGI PHP script presents a problem, and mTLS
still seems like a way to do it, if only I could make it work for me.


On 2/7/2022 7:51 PM, Paul Wouters wrote:
> If you feel the pam TLS calls need more than server-side cert verification, you should look into client authentication, e.g. mTLS. Don’t invent your own crypto.
> Paul

Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
