diff options
Diffstat (limited to 'docs/manual/mod/mod_auth_digest.html')
-rw-r--r-- | docs/manual/mod/mod_auth_digest.html | 412 |
1 files changed, 0 insertions, 412 deletions
diff --git a/docs/manual/mod/mod_auth_digest.html b/docs/manual/mod/mod_auth_digest.html deleted file mode 100644 index 5cda2a778b..0000000000 --- a/docs/manual/mod/mod_auth_digest.html +++ /dev/null @@ -1,412 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> -<HTML> -<HEAD> -<TITLE>Apache module mod_auth_digest</TITLE> -</HEAD> - -<!-- Background white, links blue (unvisited), navy (visited), red (active) --> -<BODY - BGCOLOR="#FFFFFF" - TEXT="#000000" - LINK="#0000FF" - VLINK="#000080" - ALINK="#FF0000" -> -<!--#include virtual="header.html" --> -<H1 ALIGN="CENTER">Module mod_auth_digest</H1> - -<p>This module provides for user authentication using MD5 Digest -Authentication.</p> - -<P><A -HREF="module-dict.html#Status" -REL="Help" -><STRONG>Status:</STRONG></A> Experimental -<BR> -<A -HREF="module-dict.html#SourceFile" -REL="Help" -><STRONG>Source File:</STRONG></A> mod_auth_digest.c -<BR> -<A -HREF="module-dict.html#ModuleIdentifier" -REL="Help" -><STRONG>Module Identifier:</STRONG></A> digest_auth_module -</P> - -<h2>Summary</h2> - -<P>This is an updated version of <A -HREF="mod_digest.html">mod_digest</A>. However, it has not been -extensively tested and is therefore marked experimental. If you use -this module, you must make sure to <em>not</em> use mod_digest -(because they share some of the same configuration directives). - -<h2>Directives</h2> - -<ul> -<LI><A HREF="#authdigestfile">AuthDigestFile</A> -<LI><A HREF="#authdigestgroupfile">AuthDigestGroupFile</A> -<LI><A HREF="#authdigestqop">AuthDigestQop</A> -<LI><A HREF="#authdigestnoncelifetime">AuthDigestNonceLifetime</A> -<LI><A HREF="#authdigestnonceformat">AuthDigestNonceFormat</A> -<LI><A HREF="#authdigestnccheck">AuthDigestNcCheck</A> -<LI><A HREF="#authdigestalgorithm">AuthDigestAlgorithm</A> -<LI><A HREF="#authdigestdomain">AuthDigestDomain</A> -</ul> - -<p>See also: <a href="core.html#require">Require</a> and -<a href="core.html#satisfy">Satisfy</a>. - -<H3><A NAME="usingdigest">Using Digest Authentication</A></H3> - -<P>Using MD5 Digest authentication is very simple. Simply set up -authentication normally, using "AuthType Digest" and "AuthDigestFile" -instead of the normal "AuthType Basic" and "AuthUserFile"; also, -replace any "AuthGroupFile" with "AuthDigestGroupFile". Then add a -"AuthDigestDomain" directive containing at least the root URI(s) for -this protection space. Example: - -<PRE> - <Location /private/> - AuthType Digest - AuthName "private area" - AuthDigestDomain /private/ http://mirror.my.dom/private2/ - AuthDigestFile /web/auth/.digest_pw - Require valid-user - </Location> -</PRE> - -<P><strong>Note:</strong> MD5 authentication provides a more secure -password system than Basic authentication, but only works with supporting -browsers. As of this writing (July 1999), the only major browsers which -support digest authentication are <A -HREF="http://www.microsoft.com/windows/ie/">Internet Explorer 5.0</A> and -<A HREF="http://www.w3.org/Amaya/">Amaya</A>. Therefore, we do not -recommend using this feature on a large Internet site. However, for -personal and intra-net use, where browser users can be controlled, it is -ideal. - - -<HR> - - - - -<H2><A NAME="authdigestfile">AuthDigestFile</A> directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestFile <EM>filename</EM><BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> directory, .htaccess<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> AuthConfig<BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest<BR> - -<P>The AuthDigestFile directive sets the name of a textual file containing -the list of users and encoded passwords for digest authentication. -<EM>Filename</EM> is the absolute path to the user file. - -<P>The digest file uses a special format. Files in this format can be -created using the <a href="../programs/htdigest.html">htdigest</a> -utility found in the support/ subdirectory of the Apache distribution. - -<HR> - -<H2><A NAME="authdigestgroupfile">AuthDigestGroupFile</A> directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestGroupFile <EM>filename</EM><BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> directory, .htaccess<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> AuthConfig<BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest - -<P>The AuthDigestGroupFile directive sets the name of a textual file -containing the list of groups and their members (user names). -<EM>Filename</EM> is the absolute path to the group file. - -<P>Each line of the group file contains a groupname followed by a colon, -followed by the member usernames separated by spaces. Example: -<BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE> -Note that searching large text files is <EM>very</EM> inefficient. - -<P>Security: make sure that the AuthGroupFile is stored outside the -document tree of the web-server; do <EM>not</EM> put it in the directory -that it protects. Otherwise, clients will be able to download the -AuthGroupFile. - -<HR> - -<H2><A NAME="authdigestqop">AuthDigestQop</A> directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestQop none|auth|auth-int -[auth|auth-int]<BR> -<A - HREF="directive-dict.html#Default" - REL="Help" -><STRONG>Default:</STRONG></A> <CODE>AuthDigestQop auth</CODE><BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> directory, .htaccess<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> AuthConfig<BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest - -<P>The AuthDigestQop directive determines the quality-of-protection to use. -<EM>auth</EM> will only do authentication (username/password); -<EM>auth-int</EM> is authentication plus integrity checking (an MD5 hash -of the entity is also computed and checked); <EM>none</EM> will cause the -module to use the old RFC-2069 digest algorithm (which does not include -integrity checking). Both <EM>auth</em> and <EM>auth-int</EM> may be -specified, in which the case the browser will choose which of these to -use. <EM>none</EM> should only be used if the browser for some reason -does not like the challenge it receives otherwise. - -<P><STRONG><EM>auth-int</EM> is not implemented yet</STRONG>. - -<HR> - -<H2><A NAME="authdigestnoncelifetime">AuthDigestNonceLifetime</A> -directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestNonceLifetime <EM>seconds</EM><BR> -<A - HREF="directive-dict.html#Default" - REL="Help" -><STRONG>Default:</STRONG></A> <CODE>AuthDigestNonceLifetime 300</CODE><BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> directory, .htaccess<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> AuthConfig<BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest - -<P>The AuthDigestNonceLifetime directive controls how long the server -nonce is valid. When the client contacts the server using an expired -nonce the server will send back a 401 with <code>stale=true</code>. If -<EM>seconds</EM> is greater than 0 then it specifies the amount of -time for which the nonce is valid; this should probably never be set -to less than 10 seconds. If <EM>seconds</EM> is less than 0 then -the nonce never expires. - -<!-- Not implemented yet -If <EM>seconds</EM> is 0 then the nonce may be used exactly once -by the client. Note that while one-time-nonces provide higher security -against replay attacks, they also have significant performance -implications, as the browser cannot pipeline or multiple connections -for the requests. Because browsers cannot easily detect that -one-time-nonces are being used, this may lead to browsers trying to -pipeline requests and receiving 401 responses for all but the first -request, requiring the browser to resend the requests. Note also that -the protection against reply attacks only makes sense for dynamically -generated content and things like POST requests; for static content -the attacker may already have the complete response, so one-time-nonces -do not make sense here. ---> - -<HR> -<H2><A NAME="authdigestnonceformat">AuthDigestNonceFormat</A> directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestNonceFormat <EM>???</EM><BR> -<A - HREF="directive-dict.html#Default" - REL="Help" -><STRONG>Default:</STRONG></A> <CODE>AuthDigestNonceFormat ???</CODE><BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> directory, .htaccess<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> AuthConfig<BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest - -<P><STRONG>Not implemented yet.</STRONG> -<!-- -<P>The AuthDigestNonceFormat directive determines how the nonce is -generated. ---> - -<HR> -<H2><A NAME="authdigestnccheck">AuthDigestNcCheck</A> directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestNcCheck On|Off<BR> -<A - HREF="directive-dict.html#Default" - REL="Help" -><STRONG>Default:</STRONG></A> <CODE>AuthDigestNcCheck Off</CODE><BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> server config<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> <EM>Not applicable</EM><BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest - -<P><STRONG>Not implemented yet.</STRONG> -<!-- -<P>The AuthDigestNcCheck directive enables or disables the checking of the -nonce-count sent by the server. - -<P>While recommended from a security standpoint, turning this directive -On has one important performance implication. To check the nonce-count -*all* requests (which have an Authorization header, irrespective of -whether they require digest authentication) must be serialized through -a critical section. If the server is handling a large number of -requests which contain the Authorization header then this may noticeably -impact performance. ---> - -<HR> -<H2><A NAME="authdigestalgorithm">AuthDigestAlgorithm</A> directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestAlgorithm MD5|MD5-sess<BR> -<A - HREF="directive-dict.html#Default" - REL="Help" -><STRONG>Default:</STRONG></A> <CODE>AuthDigestAlgorithm MD5</CODE><BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> directory, .htaccess<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> AuthConfig<BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest - -<P>The AuthDigestAlgorithm directive selects the algorithm used to calculate -the challenge and response hashes. - -<P><STRONG><EM>MD5-sess</EM> is not correctly implemented yet</STRONG>. -<!-- -<P>To use <EM>MD5-sess</EM> you must first code up the -<VAR>get_userpw_hash()</VAR> function in <VAR>mod_auth_digest.c</VAR> . ---> - -<HR> -<H2><A NAME="authdigestdomain">AuthDigestDomain</A> directive</H2> -<A - HREF="directive-dict.html#Syntax" - REL="Help" -><STRONG>Syntax:</STRONG></A> AuthDigestDomain <EM>URI</em> -[<em>URI</em>] ...<BR> -<A - HREF="directive-dict.html#Context" - REL="Help" -><STRONG>Context:</STRONG></A> directory, .htaccess<BR> -<A - HREF="directive-dict.html#Override" - REL="Help" -><STRONG>Override:</STRONG></A> AuthConfig<BR> -<A - HREF="directive-dict.html#Status" - REL="Help" -><STRONG>Status:</STRONG></A> Experimental<BR> -<A - HREF="directive-dict.html#Module" - REL="Help" -><STRONG>Module:</STRONG></A> mod_auth_digest - -<P>The AuthDigestDomain directive allows you to specify one or more URIs -which are in the same protection space (i.e. use the same realm and -username/password info). The specified URIs are prefixes, i.e. the client -will assume that all URIs "below" these are also protected by the same -username/password. The URIs may be either absolute URIs (i.e. inluding a -scheme, host, port, etc) or relative URIs. - -<P>This directive <em>should</em> always be specified and contain at least -the (set of) root URI(s) for this space. Omitting to do so will cause the -client to send the Authorization header for <em>every request</em> sent to -this server. Apart from increasing the size of the request, it may also -have a detrimental effect on performance if "AuthDigestNcCheck" is on. - -<P>The URIs specified can also point to different servers, in which case -clients (which understand this) will then share username/password info -across multiple servers without prompting the user each time. - - -<!--#include virtual="footer.html" --> -</BODY> -</HTML> - |