From: Ronald Tschalar
Date: Sun, 8 Aug 1999 22:37:15 +0000 (+0000)
Subject: changes for new modules/experimental/mod_auth_digest
X-Git-Tag: 1.3.8~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=731257c29b33a73c91a4c10c5510f3f63a7407eb;p=apache

changes for new modules/experimental/mod_auth_digest

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@83612 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/index.html b/docs/manual/mod/index.html index 4da36552fe..cb344fd670 100644 --- a/docs/manual/mod/index.html +++ b/docs/manual/mod/index.html @@ -42,6 +42,8 @@ Apache distribution. See also the complete alphabetical list of
User authentication using Berkeley DB files.
mod_auth_dbm
User authentication using DBM files. +
mod_auth_digest +
MD5 authentication (experimental)
mod_autoindex
Automatic directory listings.
mod_browser Apache 1.2.* only diff --git a/docs/manual/mod/mod_auth_digest.html b/docs/manual/mod/mod_auth_digest.html new file mode 100644 index 0000000000..35c7f0628e --- /dev/null +++ b/docs/manual/mod/mod_auth_digest.html @@ -0,0 +1,416 @@ + + + +Apache module mod_auth_digest + + + + + +

Module mod_auth_digest

+ +This module is contained in the mod_auth_digest.c file, and is +not compiled in by default. It is only available in Apache 1.3.8 and +later. It provides for user authentication using MD5 Digest +Authentication. + +

Note this is an updated version of mod_digest. However, it has not been +extensively tested and is therefore marked experimental. If you use this +module, you must make sure to not use mod_digest (because they +share some of the same configuration directives). + + +

+
  • AuthDigestFile +
  • AuthDigestGroupFile +
  • AuthDigestQop +
  • AuthDigestNonceLifetime +
  • AuthDigestNonceFormat +
  • AuthDigestNcCheck +
  • AuthDigestAlgorithm +
  • AuthDigestDomain +
  • Using Digest Authentication +
  • +
    + + +

    AuthDigestFile

    +Syntax: AuthDigestFile filename
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Base
    +Module: mod_auth_digest
    + +

    The AuthDigestFile directive sets the name of a textual file containing +the list of users and encoded passwords for digest authentication. +Filename is the absolute path to the user file. + +

    The digest file uses a special format. Files in this format can be +created using the "htdigest" utility found in the support/ subdirectory of +the Apache distribution. + +


    + +

    AuthDigestGroupFile

    +Syntax: AuthDigestGroupFile filename
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Base
    +Module: mod_auth_digest
    +Compatibility: Available in Apache 1.3.8 and later + +

    The AuthDigestGroupFile directive sets the name of a textual file +containing the list of groups and their members (user names). +Filename is the absolute path to the group file. + +

    Each line of the group file contains a groupname followed by a colon, +followed by the member usernames separated by spaces. Example: +

    mygroup: bob joe anne
    +Note that searching large text files is very inefficient. + +

    Security: make sure that the AuthGroupFile is stored outside the +document tree of the web-server; do not put it in the directory +that it protects. Otherwise, clients will be able to download the +AuthGroupFile. + +


    + +

    AuthDigestQop

    +Syntax: AuthDigestQop none | 1*{ auth | auth-int }
    +Default: AuthDigestQop auth
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Base
    +Module: mod_auth_digest
    +Compatibility: Available in Apache 1.3.8 and later + +

    The AuthDigestQop directive determines the quality-of-protection to use. +auth will only do authentication (username/password); +auth-int is authentication plus integrity checking (an MD5 hash +of the entity is also computed and checked); none will cause the +module to use the old RFC-2069 digest algorithm (which does not include +integrity checking). Both auth and auth-int may be +specified, in which the case the browser will choose which of these to +use. none should only be used if the browser for some reason +does not like the challenge it receives otherwise. + +

    auth-int is not implemented yet. + +


    + +

    AuthDigestNonceLifetime

    +Syntax: AuthDigestNonceLifetime <time>
    +Default: AuthDigestNonceLifetime 300
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Base
    +Module: mod_auth_digest
    +Compatibility: Available in Apache 1.3.8 and later + +

    The AuthDigestNonceLifetime directive controls how long the server +nonce is valid. When the client contacts the server using an expired +nonce the server will send back a 401 with stale=true. If +<time> is greater than 0 then it specifies the number of +seconds the nonce is valid; this should probably never be set to less +than 10 seconds. If <time> is less than 0 then the nonce +never expires. + + + +


    +

    AuthDigestNonceFormat

    +Syntax: AuthDigestNonceFormat ???
    +Default: AuthDigestNonceFormat ???
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Base
    +Module: mod_auth_digest
    +Compatibility: Available in Apache 1.3.8 and later + +

    Not implemented yet. + + +


    +

    AuthDigestNcCheck

    +Syntax: AuthDigestNcCheck On/Off
    +Default: AuthDigestNcCheck Off
    +Context: server config
    +Override: Not applicable
    +Status: Base
    +Module: mod_auth_digest
    +Compatibility: Available in Apache 1.3.8 and later + +

    Not implemented yet. + + +


    +

    AuthDigestAlgorithm

    +Syntax: AuthDigestAlgorithm MD5 | MD5-sess
    +Default: AuthDigestAlgorithm MD5
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Base
    +Module: mod_auth_digest
    +Compatibility: Available in Apache 1.3.8 and later + +

    The AuthDigestAlgorithm directive selects the algorithm used to calculate +the challenge and response hashes. + +

    MD5-sess is not correctly implemented yet. + + +


    +

    AuthDigestDomain

    +Syntax: AuthDigestDomain URI URI ...
    +Context: directory, .htaccess
    +Override: AuthConfig
    +Status: Base
    +Module: mod_auth_digest
    +Compatibility: Available in Apache 1.3.8 and later + +

    The AuthDigestDomain directive allows you to specify one or more URIs +which are in the same protection space (i.e. use the same realm and +username/password info). The specified URIs are prefixes, i.e. the client +will assume that all URIs "below" these are also protected by the same +username/password. The URIs may be either absolute URIs (i.e. inluding a +scheme, host, port, etc) or relative URIs. + +

    This directive should always be specified and contain at least +the (set of) root URI(s) for this space. Omiting to do so will cause the +client to send the Authorization header for every request sent to +this server. Apart from increasing the size of the request, it may also +have a detrimental effect on performance if "AuthDigestNcCheck" is on. + +

    The URIs specified can also point to different servers, in which case +clients (which understand this) will then share username/password info +across multiple servers without prompting the user each time. + + +


    + +

    Using Digest Authentication

    + +

    Using MD5 Digest authentication is very simple. Simply set up +authentication normally, using "AuthType Digest" and "AuthDigestFile" +instead of the normal "AuthType Basic" and "AuthUserFile"; also, +replace any "AuthGroupFile" with "AuthDigestGroupFile". Then add a +"AuthDigestDomain" directive containing at least the root URI(s) for +this protection space. Example: + +

    +  <Location /private/>
    +  AuthType Digest
    +  AuthName "private area"
    +  AuthDigestDomain /private/ http://mirror.my.dom/private2/
    +  AuthDigestFile /web/auth/.digest_pw
    +  require valid-user
    +  </Location>
    +
    + +

    Note: MD5 authentication provides a more secure +password system than Basic authentication, but only works with supporting +browsers. As of this writing (July 1999), the only major browsers which +support digest authentication are Internet Exploder 5.0 and +Amaya. Therefore, we do not +recommend using this feature on a large Internet site. However, for +personal and intra-net use, where browser users can be controlled, it is +ideal. + + + + +
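
Review bot: In the AuthDigestGroupFile section of the new mod_auth_digest.html, the Security paragraph names AuthGroupFile twice where it should name AuthDigestGroupFile, and the AuthDigestFile section has no equivalent warning even though that file holds the users and encoded passwords. Suggest correcting the directive name and repeating the "stored outside the document tree" paragraph under AuthDigestFile. The AuthDigestNonceLifetime text defines <time> greater than 0 and less than 0 but never says what 0 does; state it. AuthDigestDomain warns about a performance effect "if AuthDigestNcCheck is on" while AuthDigestNcCheck is documented as "Not implemented yet", and AuthDigestNonceFormat ships with "???" as both Syntax and Default, so either mark these clearly as reserved or leave them out until they do something. Smaller points: AuthDigestFile lacks the Compatibility line the other directives carry, "inluding", "Omiting" and "in which the case" are typos, and "Internet Exploder 5.0" should read "Internet Explorer 5.0" in the manual.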