mod_auth_bsd, login_bsd release

This is a discussion on mod_auth_bsd, login_bsd release within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
I've got a working implementation of HTTP Basic authentication using the BSD authentication facilities: http://www.25thandClement.com/~willi...s/bsdauth.html

login_bsd is the shell command which interfaces with the high-level auth_*(3) C API.

One feature mod_auth_bsd has which I haven't seen elsewhere is deleting the password so that the scripts don't see it. I didn't like a user's password being passed around willy-nilly after the user was already authenticated.

I plan to have login_bsd track bad login attempts and sleep for a while, to mediate brute-force or dictionary attacks. login_bsd should be setgid auth, though until the above feature is implemented, you might as well put apache into the auth group.

FWIW, the apache docs warn not to alter the headers_in structure, which is where I remove the user's password after authentication by re-writing the "Authorization" header. I'm looking for some confirmation about the efficacy of modifying the headers_in struct from people with more experience with apache.

Hmmmm, also login_bsd only does the login service protocol. Implementing challenge, at least from the mod_auth_bsd perspective, sounds like an entirely new effort in itself.

Also, don't forget to "SSLRequireSSL" in httpd.conf when you "AuthBSD On". I should add a feature to fail without SSL in the absence of an explicit command to do otherwise.

- Bill
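The flow the post describes (parse the Basic credentials, hand them to the BSD auth check, scrub the password out of the Authorization header once the user is authenticated, back off on repeated failures, and refuse to do Basic over plain HTTP) as an added worked example in C. This is not code from mod_auth_bsd or login_bsd. Assumptions that are not in the post: check_password() is a stand-in for OpenBSD's auth_userokay(3) with a constructed two-user table so the program compiles anywhere; the scrubbed header form "Basic base64(user:)", the 1/2/4/... second backoff schedule with a 60 second cap, the over_tls flag and the 16-entry tracking table are all choices made here, and the scrubbed/backoff statics stand in for the request's headers_in table.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode base64, stopping at '='; returns byte count or -1 on bad input. */
static int b64_decode(const char *in, unsigned char *out, size_t outsz) {
    unsigned int buf = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(B64, *in);
        if (!p) return -1;
        buf = (buf << 6) | (unsigned int)(p - B64); bits += 6;
        if (bits >= 8) {
            if (n >= outsz) return -1;
            bits -= 8; out[n++] = (unsigned char)((buf >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Encode len bytes as padded base64; returns -1 if out is too small. */
static int b64_encode(const unsigned char *in, size_t len, char *out, size_t outsz) {
    size_t i, n = 0;
    for (i = 0; i < len; i += 3) {
        unsigned int v = (unsigned int)in[i] << 16;
        if (i + 1 < len) v |= (unsigned int)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        if (n + 5 > outsz) return -1;
        out[n++] = B64[(v >> 18) & 63]; out[n++] = B64[(v >> 12) & 63];
        out[n++] = i + 1 < len ? B64[(v >> 6) & 63] : '=';
        out[n++] = i + 2 < len ? B64[v & 63] : '=';
    }
    if (n >= outsz) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Split "Basic <base64>" into user and password; 0 on success, -1 otherwise. */
static int parse_basic(const char *hdr, char *user, size_t usz, char *pass, size_t psz) {
    unsigned char raw[256]; char *colon; int n;
    if (strncasecmp(hdr, "Basic ", 6) != 0) return -1;   /* scheme is case-insensitive */
    for (hdr += 6; *hdr == ' '; hdr++) ;
    n = b64_decode(hdr, raw, sizeof raw - 1);
    if (n < 0 || memchr(raw, '\0', (size_t)n)) return -1; /* reject embedded NUL */
    raw[n] = '\0';
    if (!(colon = strchr((char *)raw, ':'))) return -1;
    *colon++ = '\0';
    if (strlen((char *)raw) >= usz || strlen(colon) >= psz) return -1;
    strcpy(user, (char *)raw); strcpy(pass, colon);
    return 0;
}

/* Stand-in for auth_userokay(user, NULL, NULL, pass) on OpenBSD; constructed users. */
static int check_password(const char *user, const char *pass) {
    static const char *table[][2] = { {"bob", "secret"}, {"alice", "hunter2"} };
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (!strcmp(table[i][0], user) && !strcmp(table[i][1], pass)) return 1;
    return 0;
}

/* Per-user failure counter: the "track bad attempts and sleep" idea. Returns the
 * seconds to sleep before answering, 1, 2, 4, ... capped at 60 (assumed schedule). */
static struct { char user[64]; int failures; } tracked[16];
static int record_attempt(const char *user, int ok) {
    int i, slot = -1;
    for (i = 0; i < 16; i++) {
        if (!tracked[i].user[0]) { if (slot < 0) slot = i; continue; }
        if (!strcmp(tracked[i].user, user)) { slot = i; break; }
    }
    if (slot < 0) return 60;                         /* table full: slow everyone down */
    snprintf(tracked[slot].user, sizeof tracked[slot].user, "%s", user);
    if (ok) { tracked[slot].failures = 0; return 0; }
    if (++tracked[slot].failures > 6) return 60;
    return 1 << (tracked[slot].failures - 1);
}

/* Results of the last authenticate() call, standing in for headers_in. */
static char scrubbed[128];
static int backoff;

/* Handle one request. Refuse Basic over plain HTTP (the SSLRequireSSL point); on
 * success rewrite Authorization to base64("user:") so later handlers and CGI
 * scripts learn who logged in but never see the password. Returns the HTTP status. */
static int authenticate(const char *authz, int over_tls) {
    char user[64], pass[128], cred[66], b64[96]; int ok;
    scrubbed[0] = '\0'; backoff = 0;
    if (!over_tls) return 403;
    if (!authz || parse_basic(authz, user, sizeof user, pass, sizeof pass)) return 401;
    ok = check_password(user, pass);
    memset(pass, 0, sizeof pass);   /* portable wipe; OpenBSD offers explicit_bzero(3) */
    backoff = record_attempt(user, ok);
    if (!ok) return 401;
    snprintf(cred, sizeof cred, "%s:", user);
    if (b64_encode((unsigned char *)cred, strlen(cred), b64, sizeof b64) < 0) return 401;
    snprintf(scrubbed, sizeof scrubbed, "Basic %s", b64);
    return 200;
}
```

authenticate("Basic Ym9iOnNlY3JldA==", 1) (bob:secret, over TLS) returns 200 and leaves scrubbed holding "Basic Ym9iOg==", which decodes to "bob:" and nothing more; the same user with a wrong password returns 401 with backoff 1, then 2, then 4 on repeated tries, and a later success resets the counter. The memset wipe can be optimized away by a compiler that sees the buffer is dead; explicit_bzero(3) on OpenBSD is the call that survives that.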