Digest authentication
Addressing one of the security caveats of basic authentication, digest authentication
provides an alternate method for protecting your web content. However, it to has a few
caveats.
Digest authentication is implemented by the module mod_auth_digest. There is an
older module, mod_digest, which implemented an older version of the digest
authentication specification, but which will probably not work with newer browsers.
Using digest authentication, your password is never sent across the network in the clear,
but is always transmitted as an MD5 digest of the user's password. In this way, the password
cannot be determined by sniffing network traffic.
The full specification of digest authentication can be seen in the internet standards
document RFC 2617, which you can see at http://www1.ics.uci.edu/pub/ietf/http/rfc2617.txt.
Additional information and resources about MD5 can be found at http://userpages.umbc.edu/ mabzug1/cs/md5/md5.html
Configuration: Protecting content with digest authentication
The steps for configuring your server for digest authentication are very similar for those
for basic authentication.
- Create the password file
- Set the configuration to use this password file
- Optionally, create a group file
Creating a password file
As with basic authentication, a simple utility is provided to create and maintain the
password file which will be used to determine whether a particular user's name and password
are valid. This utility is called htdigest, and will be located in the bin
directory of wherever you installed Apache. If you installed Apache from some variety of
package manager, htdigest is likely to have been placed somewhere in your path.
To create a new digest password file, type:
htdigest -c /usr/local/apache/passwd/digest realm username
htdigest will ask you for the desired password, and then ask you to type it again
to confirm it.
Note that the realm for which the authentication will be required is part of the argument
list.
Once again, as with basic authentication, you are encouraged to place the generated file
somewhere outside of the document directory.
And, as with the htpasswd utility, the -c flag creates a new file, or, if
a file of that name already exists, deletes the contents of that file and generates a new file
in its place. Omit the -c flag in order to add new user information to an existing
password file.
Set the configuration to use this password file
Once you have created a password file, you need to tell Apache about it in order to start
using it as a source of authenticated user information. This configuration is done with the
following directives:
| AuthType |
Authentication type being used. In this case,
it will be set to Digest |
| AuthName |
The authentication realm or name |
| AuthDigestFile |
The location of the password file |
| AuthDigestGroupFile |
Location of the group file, if any |
| Require |
The requirement(s) which must be satisfied in
order to grant admission |
These directives may be placed in a .htaccess file in the particular directory
being protected, or may go in the main server configuration file, in a <Directory>
section, or another scope container.
The following example defines an authentication realm called "Private". The
password file located at /usr/local/apache/passwd/digest will be used to verify the
user's identity. Only users named drbacchus or dorfl will be granted access,
if they provide a password that patches the password stored in the password file.
AuthType Digest
AuthName "Private"
AuthDigestFile /usr/local/apache/passwd/digest
Require user drbacchus dorfl
The phrase "Private" will be displayed in the password pop-up box, where the user
will have to type their credentials.
Optionally, create a group file
As you have observed, there are not many differences between this configuration process and
that required by basic authentication, described in the previous section. This is true also of
group functionality. The group file used for digest authentication is exactly the same as that
used for basic authentication. That is to say, lines in the group file consist the name of the
group, a colon, and a list of the members of that group. For example:
admins: jim roy ed anne
Once this file has been created, you can Require that someone be in a particular
group in order to get the requested resource. This is done with the AuthDigestGroupFile
directive, as shown in the following example.
AuthType Digest
AuthName "Private"
AuthDigestFile /usr/local/apache/passwd/digest
AuthDigestGroupFile /usr/local/apache/passwd/digest.groups
Require group admins
The authentication process is the same as that used by basic authentication. It is first
verified that the user is in the required group, and, if this is true, then the password is
verified.
Before you leap into using digest authentication instead of basic authentication, there are
a few things that you should know about.
Most importantly, you need to know that, although digest authentication has this great
advantage that you don't send your password across the network in the clear, it is not
supported by all major browsers in use today, and so you should not use it on a web site on
which you cannot control the browsers that people will be using, such as on your intranet
site. In particular, Opera 4.0 or later, Microsoft Internet Explorer 5.0 or later, Mozilla
1.0.1 and Netscape 7 or later as well as Amaya support digest authentication, while various
other browsers do not.
Next, with regard to security considerations, you should understand two things. Although
your password is not passed in the clear, all of your data is, and so this is a rather small
measure of security. And, although your password is not really sent at all, but a digest form
of it, someone very familiar with the workings of HTTP could use that information - just your
digested password - and use that to gain access to the content, since that digested password
is really all the information required to access the web site.
The moral of this is that if you have content that really needs to be kept secure, use SSL.
|
