Authentication Directives and Password Considerations - From Apache: The Definitive Guide (7/7)
  [previous] |
Apache: The Definitive Guide, Chapter 5: Authentication
Passwords Under Win32
Since
Win32 lacks an encryption function, passwords are stored in plain
text. This is not very secure, but one hopes it will change for the
better. The passwords would be stored in the file named by the
AuthUserFile directive, and
Bill's entry would be:
bill:theftexcept that in real life you would use a better password.
Passwords over the Web
The security of these passwords on your machine becomes somewhat irrelevant when we realize that they are transmitted unencrypted over the Web. The Base64 encoding used for Basic password transmission keeps passwords from being readable at a glance, but it is very easily decoded. Authentication, as described here, should only be used for the most trivial security tasks. If a compromised password could cause any serious trouble, then it is essential to encrypt it using SSL — see Chapter 11.
From the Client's Point of View
If you run Apache using httpd1.conf, you will find you can access www.butterthlies.comas before. But if you go to sales.butterthlies.com,you will have to give a username and password.
The Config File
The file is httpd2.conf. These are the relevant bits:
...
AuthType Digest
AuthName darkness
AuthDigestDomain http://sales.butterthlies.com
AuthDigestFile /usr/www/APACHE3/ok_digest/digest_usersRun it with ./go 2. At the
client end, Microsoft Internet Explorer (MSIE) v5 displayed a
password screen decorated with a key and worked as you would expect;
Netscape v4.05 asked for a username and password in the usual way and
returned error 401 "Authorization
required."
CGI Scripts
Authentication (both Basic and Digest) can also protect CGI scripts.
Simply provide a suitable <Directory
.../cgi-bin> block.
Variations on a Theme
You may find that logging in again is a bit more elaborate than you would think. We found that both MSIE and Netscape were annoyingly helpful in remembering the password used for the last login and using it again. To make sure you are really exercising the security features, you have to exit your browser completely each time and reload it to get a fresh crack.
You might like to try the effect of inserting these lines in either of the previous Config files:
....
#require valid-user
#require user daphne bill
#require group cleaners
#require group directors
...and uncommenting them one line at a time (remember to kill and restart Apache each time).
[previous] |
Created: February 18, 2003
Revised: February 18, 2003
URL: http://webreference.com/internet/apache/chap5/1/7.html
