Apache Module mod_auth_digest

Available Languages: en | + fr | + ko

+ + + +

Description:	User authentication using MD5 + Digest Authentication
Status:	Extension
Module Identifier:	auth_digest_module
Source File:	mod_auth_digest.c

Summary

+ +

This module implements HTTP Digest Authentication + (RFC2617), and + provides an alternative to mod_auth_basic where the + password is not transmitted as cleartext. However, this does + not lead to a significant security advantage over + basic authentication. On the other hand, the password storage on the + server is much less secure with digest authentication than with + basic authentication. Therefore, using basic auth and encrypting the + whole connection using mod_ssl is a much better + alternative.

Topics

Using Digest Authentication

Bugfix checklist

Using Digest Authentication

+ +

To use MD5 Digest authentication, configure the location to be + protected as shown in the below example:

+ +

Example:

<Location "/private/">
+    AuthType Digest
+    AuthName "private area"
+    AuthDigestDomain "/private/" "http://mirror.my.dom/private2/"
+    
+    AuthDigestProvider file
+    AuthUserFile "/web/auth/.digest_pw"
+    Require valid-user
+</Location>

+ +

AuthDigestDomain + should list the locations that will be protected by this + configuration.

+ +

The password file referenced in the AuthUserFile directive may be + created and managed using the htdigest tool.

+ + +

Note

Digest authentication was intended to be more secure than basic + authentication, but no longer fulfills that design goal. A + man-in-the-middle attacker can trivially force the browser to downgrade + to basic authentication. And even a passive eavesdropper can brute-force + the password using today's graphics hardware, because the hashing + algorithm used by digest authentication is too fast. Another problem is + that the storage of the passwords on the server is insecure. The contents + of a stolen htdigest file can be used directly for digest authentication. + Therefore using mod_ssl to encrypt the whole connection is + strongly recommended.

mod_auth_digest only works properly on platforms + where APR supports shared memory.

AuthDigestAlgorithm Directive

+ + + + + + + + +

Description:	Selects the algorithm used to calculate the challenge and +response hashes in digest authentication
Syntax:	`AuthDigestAlgorithm MD5\|MD5-sess`
Default:	`AuthDigestAlgorithm MD5`
Context:	directory, .htaccess
Override:	AuthConfig
Status:	Extension
Module:	mod_auth_digest

The AuthDigestAlgorithm directive + selects the algorithm used to calculate the challenge and response + hashes.

+ +

+ MD5-sess is not correctly implemented yet. +

+ + +

AuthDigestDomain Directive

+ + + + + + + +

Description:	URIs that are in the same protection space for digest +authentication
Syntax:	`AuthDigestDomain URI [URI] ...`
Context:	directory, .htaccess
Override:	AuthConfig
Status:	Extension
Module:	mod_auth_digest

The AuthDigestDomain directive allows + you to specify one or more URIs which are in the same protection + space (i.e. use the same realm and username/password info). + The specified URIs are prefixes; the client will assume + that all URIs "below" these are also protected by the same + username/password. The URIs may be either absolute URIs (i.e. + including a scheme, host, port, etc.) or relative URIs.

+ +

This directive should always be specified and + contain at least the (set of) root URI(s) for this space. + Omitting to do so will cause the client to send the + Authorization header for every request sent to this + server.

+ +

The URIs specified can also point to different servers, in + which case clients (which understand this) will then share + username/password info across multiple servers without + prompting the user each time.

+ +

AuthDigestNonceLifetime Directive

+ + + + + + + + +

Description:	How long the server nonce is valid
Syntax:	`AuthDigestNonceLifetime seconds`
Default:	`AuthDigestNonceLifetime 300`
Context:	directory, .htaccess
Override:	AuthConfig
Status:	Extension
Module:	mod_auth_digest

The AuthDigestNonceLifetime directive + controls how long the server nonce is valid. When the client + contacts the server using an expired nonce the server will send + back a 401 with stale=true. If seconds is + greater than 0 then it specifies the amount of time for which the + nonce is valid; this should probably never be set to less than 10 + seconds. If seconds is less than 0 then the nonce never + expires. +

+ +

AuthDigestProvider Directive

+ + + + + + + + +

Description:	Sets the authentication provider(s) for this location
Syntax:	`AuthDigestProvider provider-name +[provider-name] ...`
Default:	`AuthDigestProvider file`
Context:	directory, .htaccess
Override:	AuthConfig
Status:	Extension
Module:	mod_auth_digest

The AuthDigestProvider directive sets + which provider is used to authenticate the users for this location. + The default file provider is implemented + by the mod_authn_file module. Make sure + that the chosen provider module is present in the server.

+ +

See mod_authn_dbm, mod_authn_file, + mod_authn_dbd and mod_authn_socache + for providers.

+ +

AuthDigestQop Directive

+ + + + + + + + +

Description:	Determines the quality-of-protection to use in digest +authentication
Syntax:	`AuthDigestQop none\|auth\|auth-int [auth\|auth-int]`
Default:	`AuthDigestQop auth`
Context:	directory, .htaccess
Override:	AuthConfig
Status:	Extension
Module:	mod_auth_digest

The AuthDigestQop directive determines + the quality-of-protection to use. auth will + only do authentication (username/password); auth-int is + authentication plus integrity checking (an MD5 hash of the entity + is also computed and checked); none will cause the module + to use the old RFC-2069 digest algorithm (which does not include + integrity checking). Both auth and auth-int may + be specified, in which the case the browser will choose which of + these to use. none should only be used if the browser for + some reason does not like the challenge it receives otherwise.

+ +

+ auth-int is not implemented yet. +

+ +

AuthDigestShmemSize Directive

+ + + + + + + +

Description:	The amount of shared memory to allocate for keeping track +of clients
Syntax:	`AuthDigestShmemSize size`
Default:	`AuthDigestShmemSize 1000`
Context:	server config
Status:	Extension
Module:	mod_auth_digest

The AuthDigestShmemSize directive defines + the amount of shared memory, that will be allocated at the server + startup for keeping track of clients. Note that the shared memory + segment cannot be set less than the space that is necessary for + tracking at least one client. This value is dependent on your + system. If you want to find out the exact value, you may simply + set AuthDigestShmemSize to the value of + 0 and read the error message after trying to start the + server.

+ +

The size is normally expressed in Bytes, but you + may follow the number with a K or an M to + express your value as KBytes or MBytes. For example, the following + directives are all equivalent:

+ +

AuthDigestShmemSize 1048576
+AuthDigestShmemSize 1024K
+AuthDigestShmemSize 1M

+ + +

Apache Module mod_auth_digest

Summary

Topics

Directives

Bugfix checklist

See also

Using Digest Authentication

Example:

Note

AuthDigestAlgorithm Directive

AuthDigestDomain Directive

AuthDigestNonceLifetime Directive

AuthDigestProvider Directive

AuthDigestQop Directive

AuthDigestShmemSize Directive

Comments