Authentication Directives and Password Considerations - From Apache: The Definitive Guide (7/7) | WebReference

Authentication Directives and Password Considerations - From Apache: The Definitive Guide (7/7)

To page 1To page 2To page 3To page 4To page 5To page 6current page
[previous]

Apache: The Definitive Guide, Chapter 5: Authentication

Passwords Under Win32

Since Win32 lacks an encryption function, passwords are stored in plain text. This is not very secure, but one hopes it will change for the better. The passwords would be stored in the file named by the AuthUserFile directive, and Bill's entry would be:

bill:theft

except that in real life you would use a better password.

Passwords over the Web

The security of these passwords on your machine becomes somewhat irrelevant when we realize that they are transmitted unencrypted over the Web. The Base64 encoding used for Basic password transmission keeps passwords from being readable at a glance, but it is very easily decoded. Authentication, as described here, should only be used for the most trivial security tasks. If a compromised password could cause any serious trouble, then it is essential to encrypt it using SSL — see Chapter 11.

From the Client's Point of View

If you run Apache using httpd1.conf, you will find you can access www.butterthlies.comas before. But if you go to sales.butterthlies.com,you will have to give a username and password.

The Config File

The file is httpd2.conf. These are the relevant bits:

...
AuthType Digest 
AuthName darkness
AuthDigestDomain  http://sales.butterthlies.com
AuthDigestFile /usr/www/APACHE3/ok_digest/digest_users

Run it with ./go 2. At the client end, Microsoft Internet Explorer (MSIE) v5 displayed a password screen decorated with a key and worked as you would expect; Netscape v4.05 asked for a username and password in the usual way and returned error 401 "Authorization required."

CGI Scripts

Authentication (both Basic and Digest) can also protect CGI scripts. Simply provide a suitable <Directory .../cgi-bin> block.

Variations on a Theme

You may find that logging in again is a bit more elaborate than you would think. We found that both MSIE and Netscape were annoyingly helpful in remembering the password used for the last login and using it again. To make sure you are really exercising the security features, you have to exit your browser completely each time and reload it to get a fresh crack.

You might like to try the effect of inserting these lines in either of the previous Config files:

....
#require valid-user 
#require user daphne bill 
#require group cleaners 
#require group directors
...

and uncommenting them one line at a time (remember to kill and restart Apache each time).


To page 1To page 2To page 3To page 4To page 5To page 6current page
[previous]

Created: February 18, 2003
Revised: February 18, 2003

URL: http://webreference.com/internet/apache/chap5/1/7.html