From 731257c29b33a73c91a4c10c5510f3f63a7407eb Mon Sep 17 00:00:00 2001 From: Ronald Tschalar Date: Sun, 8 Aug 1999 22:37:15 +0000 Subject: [PATCH] changes for new modules/experimental/mod_auth_digest git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@83612 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/index.html | 2 + docs/manual/mod/mod_auth_digest.html | 416 +++++++++++++++++++++++++++ 2 files changed, 418 insertions(+) create mode 100644 docs/manual/mod/mod_auth_digest.html diff --git a/docs/manual/mod/index.html b/docs/manual/mod/index.html index 4da36552fe..cb344fd670 100644 --- a/docs/manual/mod/index.html +++ b/docs/manual/mod/index.html @@ -42,6 +42,8 @@ Apache distribution. See also the complete alphabetical list of

User authentication using Berkeley DB files.

User authentication using DBM files. +

mod_auth_digest +

MD5 authentication (experimental)

mod_autoindex

Automatic directory listings.

mod_browser Apache 1.2.* only diff --git a/docs/manual/mod/mod_auth_digest.html b/docs/manual/mod/mod_auth_digest.html new file mode 100644 index 0000000000..35c7f0628e --- /dev/null +++ b/docs/manual/mod/mod_auth_digest.html @@ -0,0 +1,416 @@ + + + +Apache module mod_auth_digest + + + + + +

Module mod_auth_digest

+ +This module is contained in the mod_auth_digest.c file, and is +not compiled in by default. It is only available in Apache 1.3.8 and +later. It provides for user authentication using MD5 Digest +Authentication. + +

Note this is an updated version of mod_digest. However, it has not been +extensively tested and is therefore marked experimental. If you use this +module, you must make sure to not use mod_digest (because they +share some of the same configuration directives). + + +

AuthDigestFile +

AuthDigestGroupFile +

AuthDigestQop +

AuthDigestNonceLifetime +

AuthDigestNonceFormat +

AuthDigestNcCheck +

AuthDigestAlgorithm +

AuthDigestDomain +

Using Digest Authentication +

+ + +

AuthDigestFile

+Syntax: AuthDigestFile filename
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Base
+Module: mod_auth_digest
+ +

The AuthDigestFile directive sets the name of a textual file containing +the list of users and encoded passwords for digest authentication. +Filename is the absolute path to the user file. + +

The digest file uses a special format. Files in this format can be +created using the "htdigest" utility found in the support/ subdirectory of +the Apache distribution. + +

+ +

AuthDigestGroupFile

+Syntax: AuthDigestGroupFile filename
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Base
+Module: mod_auth_digest
+Compatibility: Available in Apache 1.3.8 and later + +

The AuthDigestGroupFile directive sets the name of a textual file +containing the list of groups and their members (user names). +Filename is the absolute path to the group file. + +

Each line of the group file contains a groupname followed by a colon, +followed by the member usernames separated by spaces. Example: +

mygroup: bob joe anne

+Note that searching large text files is very inefficient. + +

Security: make sure that the AuthGroupFile is stored outside the +document tree of the web-server; do not put it in the directory +that it protects. Otherwise, clients will be able to download the +AuthGroupFile. + +

+ +

AuthDigestQop

+Syntax: AuthDigestQop none | 1*{ auth | auth-int }
+Default: AuthDigestQop auth
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Base
+Module: mod_auth_digest
+Compatibility: Available in Apache 1.3.8 and later + +

The AuthDigestQop directive determines the quality-of-protection to use. +auth will only do authentication (username/password); +auth-int is authentication plus integrity checking (an MD5 hash +of the entity is also computed and checked); none will cause the +module to use the old RFC-2069 digest algorithm (which does not include +integrity checking). Both auth and auth-int may be +specified, in which the case the browser will choose which of these to +use. none should only be used if the browser for some reason +does not like the challenge it receives otherwise. + +

auth-int is not implemented yet. + +

+ +

AuthDigestNonceLifetime

+Syntax: AuthDigestNonceLifetime <time>
+Default: AuthDigestNonceLifetime 300
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Base
+Module: mod_auth_digest
+Compatibility: Available in Apache 1.3.8 and later + +

The AuthDigestNonceLifetime directive controls how long the server +nonce is valid. When the client contacts the server using an expired +nonce the server will send back a 401 with stale=true. If +<time> is greater than 0 then it specifies the number of +seconds the nonce is valid; this should probably never be set to less +than 10 seconds. If <time> is less than 0 then the nonce +never expires. + + + +

AuthDigestNonceFormat

+Syntax: AuthDigestNonceFormat ???
+Default: AuthDigestNonceFormat ???
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Base
+Module: mod_auth_digest
+Compatibility: Available in Apache 1.3.8 and later + +

Not implemented yet. + + +

AuthDigestNcCheck

+Syntax: AuthDigestNcCheck On/Off
+Default: AuthDigestNcCheck Off
+Context: server config
+Override: Not applicable
+Status: Base
+Module: mod_auth_digest
+Compatibility: Available in Apache 1.3.8 and later + +

Not implemented yet. + + +

AuthDigestAlgorithm

+Syntax: AuthDigestAlgorithm MD5 | MD5-sess
+Default: AuthDigestAlgorithm MD5
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Base
+Module: mod_auth_digest
+Compatibility: Available in Apache 1.3.8 and later + +

The AuthDigestAlgorithm directive selects the algorithm used to calculate +the challenge and response hashes. + +

MD5-sess is not correctly implemented yet. + + +

AuthDigestDomain

+Syntax: AuthDigestDomain URI URI ...
+Context: directory, .htaccess
+Override: AuthConfig
+Status: Base
+Module: mod_auth_digest
+Compatibility: Available in Apache 1.3.8 and later + +

The AuthDigestDomain directive allows you to specify one or more URIs +which are in the same protection space (i.e. use the same realm and +username/password info). The specified URIs are prefixes, i.e. the client +will assume that all URIs "below" these are also protected by the same +username/password. The URIs may be either absolute URIs (i.e. inluding a +scheme, host, port, etc) or relative URIs. + +

This directive should always be specified and contain at least +the (set of) root URI(s) for this space. Omiting to do so will cause the +client to send the Authorization header for every request sent to +this server. Apart from increasing the size of the request, it may also +have a detrimental effect on performance if "AuthDigestNcCheck" is on. + +

The URIs specified can also point to different servers, in which case +clients (which understand this) will then share username/password info +across multiple servers without prompting the user each time. + + +

+ +

Using Digest Authentication

+ +

Using MD5 Digest authentication is very simple. Simply set up +authentication normally, using "AuthType Digest" and "AuthDigestFile" +instead of the normal "AuthType Basic" and "AuthUserFile"; also, +replace any "AuthGroupFile" with "AuthDigestGroupFile". Then add a +"AuthDigestDomain" directive containing at least the root URI(s) for +this protection space. Example: + +

+  <Location /private/>
+  AuthType Digest
+  AuthName "private area"
+  AuthDigestDomain /private/ http://mirror.my.dom/private2/
+  AuthDigestFile /web/auth/.digest_pw
+  require valid-user
+  </Location>
+

+ +

Note: MD5 authentication provides a more secure +password system than Basic authentication, but only works with supporting +browsers. As of this writing (July 1999), the only major browsers which +support digest authentication are Internet Exploder 5.0 and +Amaya. Therefore, we do not +recommend using this feature on a large Internet site. However, for +personal and intra-net use, where browser users can be controlled, it is +ideal. + + + + + -- 2.40.0