|
Basic authentication and digest authentication both suffer from the same major flaw. They
use text files to store the authentication information. The problem with this is that looking
something up in a text file is very slow. It's rather like trying to find something in a book
that has no index. You have to start at the beginning, and work through it one page at a time
until you find what you are looking for. Now imagine that the next time you need to find the
same thing, you don't remember where it was before, so you have to start at the beginning
again, and work through one page at a time until you find it again. And the next time. And the
time after that.
Since HTTP is stateless, authentication has to be verified every time that content is
requested. And so every time a document is accessed which is secured with basic or digest
authentication, Apache has to open up those text password files and look through them one line
at a time, until it finds the user that is trying to log in, and verifies their password. In
the worst case, if the username supplied is not in there at all, every line in the file will
need to be checked. On average, half of the file will need to be read before the user is
found. This is very slow.
While this is not a big problem for small sets of users, when you get into larger numbers
of users (where "larger" means a few hundred) this becomes prohibitively slow. In
many cases, in fact, valid username/password combinations will get rejected because the
authentication module just had to spend so much time looking for the username in the file that
Apache will just get tired of waiting and return a failed authentication.
In these cases, you need an alternative, and that alternative is to use some variety of
database. Databases are optimized for looking for a particular piece of information in a very
large data set. It builds indexes in order to rapidly locate a particular record, and they
have query languages for swiftly locating records that match particular criteria.
There are numerous modules available for Apache to authenticate using a variety of
different databases. In this section, we'll just look at two modules which ship with Apache.
mod_auth_db and mod_auth_dbm
mod_auth_db and mod_auth_dbm are modules which lets you keep your
usernames and passwords in DB or DBM files. There are few practical differences between DB
files and DBM files. And, on some operating systems, such as various BSDs, and Linux, they are
exactly the same thing. You should pick whichever of the two modules makes the most sense on
your particular platform of choice. If you do not have DB support on your platform, you may
need to install it. You download an implementation of DB at http://www.sleepycat.com/.
Berkeley DB files
DB files, also known as Berkeley database files, are the simplest form of database, and are
rather ideally suited for the sort of data that needs to be stored for HTTP authentication. DB
files store key/value pairs. That is, the name of a variable, and the value of that variable.
While other databases allow the storage of many fields in a given record, a DB file allows
only this pairing of key and value.1 This
is ideal for authentication, which requires only the pair of a username and password.
For the purposes of this tutorial, we'll talk about installing and configuring mod_auth_db.
However, everything that is said here can be directly applied to mod_auth_dbm by
simply replacing 'db' with 'dbm' and 'DB' with 'DBM' in the various commands, file names, and
directives.
Since mod_auth_db is not compiled in by default, you will need to rebuild Apache
in order to get the functionality, unless you built in everything when we started. Note that
if you installed Apache with shared object support, you may be able to just build the module
and load it in to Apache.
To build Apache from scratch with mod_auth_db built in, use the following ./configure
line in your apache source code directory.
./configure --enable-module=auth_db
Or, if you had a more complex configure command line, you can just add the -enable-module=auth_db
option to that command line, and you'll get mod_auth_db built into your server.
Once you have compiled the mod_auth_db module, and loaded it into your web server,
you'll find that there's very little difference between using regular authentication and using
mod_auth_db authentication. The procedure is the same as that we went through with
basic and digest authentication:
- Create the user file.
- Configure Apache to use that file for authentication.
- Optionally, create a group file.
Create the user file
The user file for authentication is, this time, not a flat text file, but is a DB file2. Fortunately, once again, Apache provides
us with a simple utility for the purpose of managing this user file. This time, the utility is
called dbmmanage, and will be located in the bin subdirectory of wherever
you installed Apache.
dbmmanage is somewhat more complicated to use than htpasswd or htdigest,
but it is still fairly simple. The syntax which you will usually be using is as follows:
dbmmanage passwords.dat adduser montressor
As with htpasswd, you will at this point be prompted for a password, and then
asked to confirm that password by typing it again. The main difference here is that rather
than a text file being created, you are creating a binary file containing the information that
you have supplied.
Type dbmmanage with no arguments to get the full list of options available with
this utility.
Note that, if you are so inclined, you can manage your user file with Perl, or any other
language which has a DB-file module, for interfacing with this type of database. This covers a
number of popular programming languages.
The following Perl code, for example, will add a user 'rbowen', with password 'mypassword',
to your password file:
use DB_File;
tie %database, 'DB_File', "passwords.dat"
or die "Can't initialize database: $!\n";
$username = 'rbowen';
$password = 'mypassword';
@chars=(0..9,'a'..'z');
$salt = $chars[int rand @chars] . $chars[int rand @chars];
$crypt = crypt($password, $salt);
$database{$username} = $crypt;
untie %database;
As you can imagine, this makes it very simple to write tools to manage the user and
password information stored in these files.
Passwords are stored in Unix crypt format, just as they were in the
"regular" password files. The 'salt' that is created in the middle there is part of
the process, generating a random starting point for that encryption. The technique being used
is called a 'tied hash'. The idea is to tie a built-in data structure to the contents of the
file, such that when the data structure is changed, the file is automatically modified at the
same time.
Configuring Apache to use this password file
Once you have created the password file, you need to tell Apache about it, and tell Apache
to use this file to verify user credentials. This configuration will look almost the same as
that for basic authentication. This configuration can go in a .htaccess file in the
directory to be protected, or can go in the main server configuration, in a <Directory>
section, or other scope container directive.
The configuration will look something like the following:
AuthName "Members Only"
AuthType Basic
AuthDBUserFile /usr/local/apache/passwd/passwords.dat
require user rbowen
Now, users accessing the directory will be required to authenticate against the list of
valid users who are in /usr/local/apache/passwd/passwords.dat.
Optionally, create a group file
As mentioned earlier, DB files store a key/value pair. In the case of group files, the key
is the name of the user, and the value is a comma-separated list of the groups to which the
user belongs.
While this is the opposite of the way that group files are stored elsewhere, note that we
will primarily be looking up records based on the username, so it is more efficient to index
the file by username, rather than by the group name.
Groups can be added to your group file using dbmmanage and the add
command:
dbmmanage add groupfile rbowen one,two,three
In the above example, groupfile is the literal name of the group file, rbowen
is the user being added, and one, two, and three are names of three
groups to which this user belongs.
Once you have your groups in the file, you can require a group in the regular way:
AuthName "Members Only"
AuthType Basic
AuthDBUserFile /usr/local/apache/passwd/passwords.dat
AuthDBGroupFile /usr/local/apache/passwd/groups.dat
require group three
Note that if you want to use the same file for both password and group information, you can
do so, but this is a little more complicated to manage, as you have to encrypt the password
yourself before you feed it to the dbmmanage utility.
|
