From fe39ffb8b90ae4e002ed73fe98617cd590abb467 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 08:33:50 +0200 Subject: Adding upstream version 2.4.56. Signed-off-by: Daniel Baumann --- docs/manual/mod/mod_auth_digest.html.en | 298 ++++++++++++++++++++++++++++++++ 1 file changed, 298 insertions(+) create mode 100644 docs/manual/mod/mod_auth_digest.html.en (limited to 'docs/manual/mod/mod_auth_digest.html.en') diff --git a/docs/manual/mod/mod_auth_digest.html.en b/docs/manual/mod/mod_auth_digest.html.en new file mode 100644 index 0000000..5e73934 --- /dev/null +++ b/docs/manual/mod/mod_auth_digest.html.en @@ -0,0 +1,298 @@ + + + + + +mod_auth_digest - Apache HTTP Server Version 2.4 + + + + + + + + +
<-
+ +
+

Apache Module mod_auth_digest

+
+

Available Languages:  en  | + fr  | + ko 

+
+ + + +
Description:User authentication using MD5 + Digest Authentication
Status:Extension
Module Identifier:auth_digest_module
Source File:mod_auth_digest.c
+

Summary

+ +

This module implements HTTP Digest Authentication + (RFC2617), and + provides an alternative to mod_auth_basic where the + password is not transmitted as cleartext. However, this does + not lead to a significant security advantage over + basic authentication. On the other hand, the password storage on the + server is much less secure with digest authentication than with + basic authentication. Therefore, using basic auth and encrypting the + whole connection using mod_ssl is a much better + alternative.

+
+ +
top
+
+

Using Digest Authentication

+ +

To use MD5 Digest authentication, configure the location to be + protected as shown in the below example:

+ +

Example:

<Location "/private/">
+    AuthType Digest
+    AuthName "private area"
+    AuthDigestDomain "/private/" "http://mirror.my.dom/private2/"
+    
+    AuthDigestProvider file
+    AuthUserFile "/web/auth/.digest_pw"
+    Require valid-user
+</Location>
+
+ +

AuthDigestDomain + should list the locations that will be protected by this + configuration.

+ +

The password file referenced in the AuthUserFile directive may be + created and managed using the htdigest tool.

+ + +

Note

+

Digest authentication was intended to be more secure than basic + authentication, but no longer fulfills that design goal. A + man-in-the-middle attacker can trivially force the browser to downgrade + to basic authentication. And even a passive eavesdropper can brute-force + the password using today's graphics hardware, because the hashing + algorithm used by digest authentication is too fast. Another problem is + that the storage of the passwords on the server is insecure. The contents + of a stolen htdigest file can be used directly for digest authentication. + Therefore using mod_ssl to encrypt the whole connection is + strongly recommended.

+

mod_auth_digest only works properly on platforms + where APR supports shared memory.

+
+
+
top
+

AuthDigestAlgorithm Directive

+ + + + + + + + +
Description:Selects the algorithm used to calculate the challenge and +response hashes in digest authentication
Syntax:AuthDigestAlgorithm MD5|MD5-sess
Default:AuthDigestAlgorithm MD5
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest
+

The AuthDigestAlgorithm directive + selects the algorithm used to calculate the challenge and response + hashes.

+ +
+ MD5-sess is not correctly implemented yet. +
+ + +
+
top
+

AuthDigestDomain Directive

+ + + + + + + +
Description:URIs that are in the same protection space for digest +authentication
Syntax:AuthDigestDomain URI [URI] ...
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest
+

The AuthDigestDomain directive allows + you to specify one or more URIs which are in the same protection + space (i.e. use the same realm and username/password info). + The specified URIs are prefixes; the client will assume + that all URIs "below" these are also protected by the same + username/password. The URIs may be either absolute URIs (i.e. + including a scheme, host, port, etc.) or relative URIs.

+ +

This directive should always be specified and + contain at least the (set of) root URI(s) for this space. + Omitting to do so will cause the client to send the + Authorization header for every request sent to this + server.

+ +

The URIs specified can also point to different servers, in + which case clients (which understand this) will then share + username/password info across multiple servers without + prompting the user each time.

+ +
+
top
+

AuthDigestNonceLifetime Directive

+ + + + + + + + +
Description:How long the server nonce is valid
Syntax:AuthDigestNonceLifetime seconds
Default:AuthDigestNonceLifetime 300
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest
+

The AuthDigestNonceLifetime directive + controls how long the server nonce is valid. When the client + contacts the server using an expired nonce the server will send + back a 401 with stale=true. If seconds is + greater than 0 then it specifies the amount of time for which the + nonce is valid; this should probably never be set to less than 10 + seconds. If seconds is less than 0 then the nonce never + expires. +

+ +
+
top
+

AuthDigestProvider Directive

+ + + + + + + + +
Description:Sets the authentication provider(s) for this location
Syntax:AuthDigestProvider provider-name +[provider-name] ...
Default:AuthDigestProvider file
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest
+

The AuthDigestProvider directive sets + which provider is used to authenticate the users for this location. + The default file provider is implemented + by the mod_authn_file module. Make sure + that the chosen provider module is present in the server.

+ +

See mod_authn_dbm, mod_authn_file, + mod_authn_dbd and mod_authn_socache + for providers.

+ +
+
top
+

AuthDigestQop Directive

+ + + + + + + + +
Description:Determines the quality-of-protection to use in digest +authentication
Syntax:AuthDigestQop none|auth|auth-int [auth|auth-int]
Default:AuthDigestQop auth
Context:directory, .htaccess
Override:AuthConfig
Status:Extension
Module:mod_auth_digest
+

The AuthDigestQop directive determines + the quality-of-protection to use. auth will + only do authentication (username/password); auth-int is + authentication plus integrity checking (an MD5 hash of the entity + is also computed and checked); none will cause the module + to use the old RFC-2069 digest algorithm (which does not include + integrity checking). Both auth and auth-int may + be specified, in which the case the browser will choose which of + these to use. none should only be used if the browser for + some reason does not like the challenge it receives otherwise.

+ +
+ auth-int is not implemented yet. +
+ +
+
top
+

AuthDigestShmemSize Directive

+ + + + + + + +
Description:The amount of shared memory to allocate for keeping track +of clients
Syntax:AuthDigestShmemSize size
Default:AuthDigestShmemSize 1000
Context:server config
Status:Extension
Module:mod_auth_digest
+

The AuthDigestShmemSize directive defines + the amount of shared memory, that will be allocated at the server + startup for keeping track of clients. Note that the shared memory + segment cannot be set less than the space that is necessary for + tracking at least one client. This value is dependent on your + system. If you want to find out the exact value, you may simply + set AuthDigestShmemSize to the value of + 0 and read the error message after trying to start the + server.

+ +

The size is normally expressed in Bytes, but you + may follow the number with a K or an M to + express your value as KBytes or MBytes. For example, the following + directives are all equivalent:

+ +
AuthDigestShmemSize 1048576
+AuthDigestShmemSize 1024K
+AuthDigestShmemSize 1M
+ + +
+
+
+

Available Languages:  en  | + fr  | + ko 

+
top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our mailing lists.
+
+ \ No newline at end of file -- cgit v1.2.3
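Review bot: The AuthDigestNonceLifetime paragraph in this hunk (the line ending "If seconds is less than 0 then the nonce never expires.") documents the negative-value case without stating its cost: a nonce that never expires removes the time bound that limits replay of a captured Authorization header, so that sentence should carry a caveat along the lines of "A negative value disables nonce expiry and should be avoided, since it removes the replay protection the nonce provides." Two smaller documentation points in the same hunk: the syntax rows `AuthDigestQop none|auth|auth-int [auth|auth-int]` and `AuthDigestAlgorithm MD5|MD5-sess` advertise values that the notes directly beneath them ("auth-int is not implemented yet", "MD5-sess is not correctly implemented yet") say do not work, so consider marking those values as unimplemented in the syntax rows themselves rather than only in a note after the table; and the file ends with `\ No newline at end of file`, which should get a trailing newline.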