Diffstat (limited to 'docs/manual/mod/mod_auth_digest.html.en')
-rw-r--r-- | docs/manual/mod/mod_auth_digest.html.en | 41 |
1 files changed, 25 insertions, 16 deletions
diff --git a/docs/manual/mod/mod_auth_digest.html.en b/docs/manual/mod/mod_auth_digest.html.en index 3bfc26ff..611b3553 100644 --- a/docs/manual/mod/mod_auth_digest.html.en +++ b/docs/manual/mod/mod_auth_digest.html.en @@ -9,7 +9,7 @@ <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" /> -<script src="../style/scripts/prettify.js" type="text/javascript"> +<script src="../style/scripts/prettify.min.js" type="text/javascript"> </script> <link href="../images/favicon.ico" rel="shortcut icon" /></head> @@ -37,7 +37,14 @@ <p>This module implements HTTP Digest Authentication (<a href="http://www.faqs.org/rfcs/rfc2617.html">RFC2617</a>), and - provides a more secure alternative to <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code>.</p> + provides an alternative to <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> where the + password is not transmitted as cleartext. However, this does + <strong>not</strong> lead to a significant security advantage over + basic authentication. On the other hand, the password storage on the + server is much less secure with digest authentication than with + basic authentication. Therefore, using basic auth and encrypting the + whole connection using <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> is a much better + alternative.</p> </div> <div id="quickview"><h3 class="directives">Directives</h3> <ul id="toc"> 
@@ -74,8 +81,7 @@ <p>Appropriate user (text) files can be created using the <code class="program"><a href="../programs/htdigest.html">htdigest</a></code> tool.</p> - <div class="example"><h3>Example:</h3><pre class="prettyprint lang-config"> -<Location /private/> + <div class="example"><h3>Example:</h3><pre class="prettyprint lang-config"><Location /private/> AuthType Digest AuthName "private area" AuthDigestDomain /private/ http://mirror.my.dom/private2/ @@ -83,14 +89,20 @@ AuthDigestProvider file AuthUserFile /web/auth/.digest_pw Require valid-user -</Location> - </pre> +</Location></pre> </div> <div class="note"><h3>Note</h3> - <p>Digest authentication is more secure than Basic authentication, - but only works with supporting browsers. As of this writing (December - 2012) all major browsers support digest authentication.</p> + <p>Digest authentication was intended to be more secure than basic + authentication, but no longer fulfills that design goal. A + man-in-the-middle attacker can trivially force the browser to downgrade + to basic authentication. And even a passive eavesdropper can brute-force + the password using today's graphics hardware, because the hashing + algorithm used by digest authentication is too fast. Another problem is + that the storage of the passwords on the server is insecure. The contents + of a stolen htdigest file can be used directly for digest authentication. + Therefore using <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> to encrypt the whole connection is + strongly recommended.</p> <p><code class="module"><a href="../mod/mod_auth_digest.html">mod_auth_digest</a></code> only works properly on platforms where APR supports shared memory.</p> </div> 
@@ -140,8 +152,7 @@ authentication</td></tr> contain at least the (set of) root URI(s) for this space. Omitting to do so will cause the client to send the Authorization header for <em>every request</em> sent to this - server. Apart from increasing the size of the request, it may - also have a detrimental effect on performance if <code class="directive"><a href="#authdigestnccheck">AuthDigestNcCheck</a></code> is on.</p> + server.</p> <p>The URIs specified can also point to different servers, in which case clients (which understand this) will then share @@ -248,11 +259,9 @@ of clients</td></tr> express your value as KBytes or MBytes. For example, the following directives are all equivalent:</p> -<pre class="prettyprint lang-config"> -AuthDigestShmemSize 1048576 +<pre class="prettyprint lang-config">AuthDigestShmemSize 1048576 AuthDigestShmemSize 1024K -AuthDigestShmemSize 1M - </pre> +AuthDigestShmemSize 1M</pre> </div> @@ -279,7 +288,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_auth_digest. } })(window, document); //--><!]]></script></div><div id="footer"> -<p class="apache">Copyright 2013 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- if (typeof(prettyPrint) !== 'undefined') { prettyPrint(); |
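Review bot: the `prettify.js` to `prettify.min.js` change in the first hunk (`<head>`, line 9) is unrelated to the authentication wording changes that make up the rest of this patch and belongs in its own commit; also confirm that `../style/scripts/prettify.min.js` actually exists in the generated tree, since nothing in this diff adds it, or the rendered page loses syntax highlighting with no visible error.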
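Review bot: in the module summary hunk (`@@ -37,7 +37,14 @@`) the claim "the password storage on the server is much less secure" is asserted without a reason, and "On the other hand" reads as a contrast although the sentence reinforces the preceding point. Suggest "Moreover, the password storage on the server is less secure with digest authentication than with basic authentication: the htdigest file holds the hash the server needs to verify the digest, so a stolen file can be used directly as a credential." That keeps the summary consistent with the reason the later Note gives.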
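Review bot: the rewritten Note (`@@ -83,14 +89,20 @@`) names the weaknesses but not the hash; "the hashing algorithm used by digest authentication is too fast" would be more useful as "MD5, the algorithm RFC2617 specifies, is fast enough that a captured exchange can be brute-forced offline". For the downgrade sentence, one clause explaining why would help readers judge the risk: the server's challenge is not authenticated, so without TLS a client cannot distinguish a substituted Basic challenge from the genuine Digest one. The old text's remark on browser support is dropped entirely; if it is still true, keeping a short version ("all major browsers support it") would avoid readers assuming otherwise.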
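Review bot: in the AuthDigestDomain hunk (`@@ -140,8 +152,7 @@`) the removed sentence also carried the consequence of omitting the root URIs ("increasing the size of the request"), so the remaining paragraph now ends at "every request sent to this server." without saying why that matters. If the `AuthDigestNcCheck` cross-reference is being dropped because that directive is no longer documented on this page, keep the first half: "Apart from increasing the size of every request, this also means the client sends credentials to URIs that do not need them."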