mirror of
https://github.com/apache/httpd.git
synced 2025-08-10 02:56:11 +00:00
6881183e84
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874148 13f79535-47bb-0310-9956-ffa450edef68
314 lines
13 KiB
XML
314 lines
13 KiB
XML
<?xml version="1.0"?>
|
|
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
|
|
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
|
|
<!-- $LastChangedRevision$ -->
|
|
|
|
<!--
|
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
|
contributor license agreements. See the NOTICE file distributed with
|
|
this work for additional information regarding copyright ownership.
|
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
|
(the "License"); you may not use this file except in compliance with
|
|
the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
|
|
<modulesynopsis metafile="mod_auth_digest.xml.meta">
|
|
|
|
<name>mod_auth_digest</name>
|
|
<description>User authentication using MD5
|
|
Digest Authentication</description>
|
|
<status>Extension</status>
|
|
<sourcefile>mod_auth_digest.c</sourcefile>
|
|
<identifier>auth_digest_module</identifier>
|
|
|
|
<summary>
|
|
<p>This module implements HTTP Digest Authentication
|
|
(<a href="http://www.faqs.org/rfcs/rfc2617.html">RFC2617</a>), and
|
|
provides an alternative to <module>mod_auth_basic</module> where the
|
|
password is not transmitted as cleartext. However, this does
|
|
<strong>not</strong> lead to a significant security advantage over
|
|
basic authentication. On the other hand, the password storage on the
|
|
server is much less secure with digest authentication than with
|
|
basic authentication. Therefore, using basic auth and encrypting the
|
|
whole connection using <module>mod_ssl</module> is a much better
|
|
alternative.</p>
|
|
</summary>
|
|
|
|
<seealso><directive module="mod_authn_core">AuthName</directive></seealso>
|
|
<seealso><directive module="mod_authn_core">AuthType</directive></seealso>
|
|
<seealso><directive module="mod_authz_core">Require</directive></seealso>
|
|
<seealso><a href="../howto/auth.html">Authentication howto</a></seealso>
|
|
|
|
<section id="using"><title>Using Digest Authentication</title>
|
|
|
|
<p>To use MD5 Digest authentication, configure the location to be
|
|
protected as shown in the below example:</p>
|
|
|
|
<example><title>Example:</title>
|
|
<highlight language="config">
|
|
<Location "/private/">
|
|
AuthType Digest
|
|
AuthName "private area"
|
|
AuthDigestDomain "/private/" "http://mirror.my.dom/private2/"
|
|
|
|
AuthDigestProvider file
|
|
AuthUserFile "/web/auth/.digest_pw"
|
|
Require valid-user
|
|
</Location>
|
|
</highlight>
|
|
</example>
|
|
|
|
<p><directive module="mod_auth_digest">AuthDigestDomain</directive>
|
|
should list the locations that will be protected by this
|
|
configuration.</p>
|
|
|
|
<p>The password file referenced in the <directive
|
|
module="mod_auth_digest">AuthUserFile</directive> directive may be
|
|
created and managed using the <program>htdigest</program> tool.</p>
|
|
|
|
|
|
<note><title>Note</title>
|
|
<p>Digest authentication was intended to be more secure than basic
|
|
authentication, but no longer fulfills that design goal. A
|
|
man-in-the-middle attacker can trivially force the browser to downgrade
|
|
to basic authentication. And even a passive eavesdropper can brute-force
|
|
the password using today's graphics hardware, because the hashing
|
|
algorithm used by digest authentication is too fast. Another problem is
|
|
that the storage of the passwords on the server is insecure. The contents
|
|
of a stolen htdigest file can be used directly for digest authentication.
|
|
Therefore using <module>mod_ssl</module> to encrypt the whole connection is
|
|
strongly recommended.</p>
|
|
<p><module>mod_auth_digest</module> only works properly on platforms
|
|
where APR supports shared memory.</p>
|
|
</note>
|
|
</section>
|
|
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestProvider</name>
|
|
<description>Sets the authentication provider(s) for this location</description>
|
|
<syntax>AuthDigestProvider <var>provider-name</var>
|
|
[<var>provider-name</var>] ...</syntax>
|
|
<default>AuthDigestProvider file</default>
|
|
<contextlist><context>directory</context><context>.htaccess</context>
|
|
</contextlist>
|
|
<override>AuthConfig</override>
|
|
|
|
<usage>
|
|
<p>The <directive>AuthDigestProvider</directive> directive sets
|
|
which provider is used to authenticate the users for this location.
|
|
The default <code>file</code> provider is implemented
|
|
by the <module>mod_authn_file</module> module. Make sure
|
|
that the chosen provider module is present in the server.</p>
|
|
|
|
<p>See <module>mod_authn_dbm</module>, <module>mod_authn_file</module>,
|
|
<module>mod_authn_dbd</module> and <module>mod_authn_socache</module>
|
|
for providers.</p>
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestQop</name>
|
|
<description>Determines the quality-of-protection to use in digest
|
|
authentication</description>
|
|
<syntax>AuthDigestQop none|auth|auth-int [auth|auth-int]</syntax>
|
|
<default>AuthDigestQop auth</default>
|
|
<contextlist><context>directory</context><context>.htaccess</context>
|
|
</contextlist>
|
|
<override>AuthConfig</override>
|
|
|
|
<usage>
|
|
<p>The <directive>AuthDigestQop</directive> directive determines
|
|
the <dfn>quality-of-protection</dfn> to use. <code>auth</code> will
|
|
only do authentication (username/password); <code>auth-int</code> is
|
|
authentication plus integrity checking (an MD5 hash of the entity
|
|
is also computed and checked); <code>none</code> will cause the module
|
|
to use the old RFC-2069 digest algorithm (which does not include
|
|
integrity checking). Both <code>auth</code> and <code>auth-int</code> may
|
|
be specified, in which the case the browser will choose which of
|
|
these to use. <code>none</code> should only be used if the browser for
|
|
some reason does not like the challenge it receives otherwise.</p>
|
|
|
|
<note>
|
|
<code>auth-int</code> is not implemented yet.
|
|
</note>
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestNonceLifetime</name>
|
|
<description>How long the server nonce is valid</description>
|
|
<syntax>AuthDigestNonceLifetime <var>seconds</var></syntax>
|
|
<default>AuthDigestNonceLifetime 300</default>
|
|
<contextlist><context>directory</context><context>.htaccess</context>
|
|
</contextlist>
|
|
<override>AuthConfig</override>
|
|
|
|
<usage>
|
|
<p>The <directive>AuthDigestNonceLifetime</directive> directive
|
|
controls how long the server nonce is valid. When the client
|
|
contacts the server using an expired nonce the server will send
|
|
back a 401 with <code>stale=true</code>. If <var>seconds</var> is
|
|
greater than 0 then it specifies the amount of time for which the
|
|
nonce is valid; this should probably never be set to less than 10
|
|
seconds. If <var>seconds</var> is less than 0 then the nonce never
|
|
expires. <!-- Not implemented yet: If <var>seconds</var> is 0 then
|
|
the nonce may be used exactly once by the client. Note that while
|
|
one-time-nonces provide higher security against replay attacks,
|
|
they also have significant performance implications, as the
|
|
browser cannot pipeline or multiple connections for the
|
|
requests. Because browsers cannot easily detect that
|
|
one-time-nonces are being used, this may lead to browsers trying
|
|
to pipeline requests and receiving 401 responses for all but the
|
|
first request, requiring the browser to resend the requests. Note
|
|
also that the protection against replay attacks only makes sense
|
|
for dynamically generated content and things like POST requests;
|
|
for static content the attacker may already have the complete
|
|
response, so one-time-nonces do not make sense here. -->
|
|
</p>
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestNonceFormat</name>
|
|
<description>Determines how the nonce is generated</description>
|
|
<syntax>AuthDigestNonceFormat <var>format</var></syntax>
|
|
<contextlist><context>directory</context><context>.htaccess</context>
|
|
</contextlist>
|
|
<override>AuthConfig</override>
|
|
|
|
<usage>
|
|
<note>Not implemented yet.</note>
|
|
<!-- The AuthDigestNonceFormat directive determines how the nonce is
|
|
generated. -->
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestNcCheck</name>
|
|
<description>Enables or disables checking of the nonce-count sent by the
|
|
server</description>
|
|
<syntax>AuthDigestNcCheck On|Off</syntax>
|
|
<default>AuthDigestNcCheck Off</default>
|
|
<contextlist><context>server config</context></contextlist>
|
|
|
|
<usage>
|
|
<note>
|
|
Not implemented yet.
|
|
</note>
|
|
<!--
|
|
<p>The AuthDigestNcCheck directive enables or disables the checking of the
|
|
nonce-count sent by the server.</p>
|
|
|
|
<p>While recommended from a security standpoint, turning this directive
|
|
On has one important performance implication. To check the nonce-count
|
|
*all* requests (which have an Authorization header, irrespective of
|
|
whether they require digest authentication) must be serialized through
|
|
a critical section. If the server is handling a large number of
|
|
requests which contain the Authorization header then this may noticeably
|
|
impact performance.</p>
|
|
-->
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestAlgorithm</name>
|
|
<description>Selects the algorithm used to calculate the challenge and
|
|
response hashes in digest authentication</description>
|
|
<syntax>AuthDigestAlgorithm MD5|MD5-sess</syntax>
|
|
<default>AuthDigestAlgorithm MD5</default>
|
|
<contextlist><context>directory</context><context>.htaccess</context>
|
|
</contextlist>
|
|
<override>AuthConfig</override>
|
|
|
|
<usage>
|
|
<p>The <directive>AuthDigestAlgorithm</directive> directive
|
|
selects the algorithm used to calculate the challenge and response
|
|
hashes.</p>
|
|
|
|
<note>
|
|
<code>MD5-sess</code> is not correctly implemented yet.
|
|
</note>
|
|
<!--
|
|
<p>To use <code>MD5-sess</code> you must first code up the
|
|
<code>get_userpw_hash()</code> function in
|
|
<code>mod_auth_digest.c</code>.</p>
|
|
-->
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestDomain</name>
|
|
<description>URIs that are in the same protection space for digest
|
|
authentication</description>
|
|
<syntax>AuthDigestDomain <var>URI</var> [<var>URI</var>] ...</syntax>
|
|
<contextlist><context>directory</context><context>.htaccess</context>
|
|
</contextlist>
|
|
<override>AuthConfig</override>
|
|
|
|
<usage>
|
|
<p>The <directive>AuthDigestDomain</directive> directive allows
|
|
you to specify one or more URIs which are in the same protection
|
|
space (<em>i.e.</em> use the same realm and username/password info).
|
|
The specified URIs are prefixes; the client will assume
|
|
that all URIs "below" these are also protected by the same
|
|
username/password. The URIs may be either absolute URIs (<em>i.e.</em>
|
|
including a scheme, host, port, etc.) or relative URIs.</p>
|
|
|
|
<p>This directive <em>should</em> always be specified and
|
|
contain at least the (set of) root URI(s) for this space.
|
|
Omitting to do so will cause the client to send the
|
|
Authorization header for <em>every request</em> sent to this
|
|
server. Apart from increasing the size of the request, it may
|
|
also have a detrimental effect on performance if <directive
|
|
module="mod_auth_digest">AuthDigestNcCheck</directive> is on.</p>
|
|
|
|
<p>The URIs specified can also point to different servers, in
|
|
which case clients (which understand this) will then share
|
|
username/password info across multiple servers without
|
|
prompting the user each time. </p>
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
<directivesynopsis>
|
|
<name>AuthDigestShmemSize</name>
|
|
<description>The amount of shared memory to allocate for keeping track
|
|
of clients</description>
|
|
<syntax>AuthDigestShmemSize <var>size</var></syntax>
|
|
<default>AuthDigestShmemSize 1000</default>
|
|
<contextlist><context>server config</context></contextlist>
|
|
|
|
<usage>
|
|
<p>The <directive>AuthDigestShmemSize</directive> directive defines
|
|
the amount of shared memory, that will be allocated at the server
|
|
startup for keeping track of clients. Note that the shared memory
|
|
segment cannot be set less than the space that is necessary for
|
|
tracking at least <em>one</em> client. This value is dependent on your
|
|
system. If you want to find out the exact value, you may simply
|
|
set <directive>AuthDigestShmemSize</directive> to the value of
|
|
<code>0</code> and read the error message after trying to start the
|
|
server.</p>
|
|
|
|
<p>The <var>size</var> is normally expressed in Bytes, but you
|
|
may follow the number with a <code>K</code> or an <code>M</code> to
|
|
express your value as KBytes or MBytes. For example, the following
|
|
directives are all equivalent:</p>
|
|
|
|
<highlight language="config">
|
|
AuthDigestShmemSize 1048576
|
|
AuthDigestShmemSize 1024K
|
|
AuthDigestShmemSize 1M
|
|
</highlight>
|
|
</usage>
|
|
</directivesynopsis>
|
|
|
|
</modulesynopsis>
|