Diffstat (limited to 'doc/authentication.txt')
-rw-r--r-- | doc/authentication.txt | 104 |
1 files changed, 52 insertions, 52 deletions
diff --git a/doc/authentication.txt b/doc/authentication.txt index 2a11f64..c375ece 100644 --- a/doc/authentication.txt +++ b/doc/authentication.txt @@ -7,15 +7,15 @@ Module: mod_auth ---------------- :Author: Jan Kneschke -:Date: $Date: 2006-01-12 19:34:26 +0100 (Thu, 12 Jan 2006) $ -:Revision: $Revision: 940 $ +:Date: $Date: 2006-10-04 15:26:23 +0200 (Wed, 04 Oct 2006) $ +:Revision: $Revision: 1371 $ :abstract: The auth module provides ... - + .. meta:: :keywords: lighttpd, authentication - + .. contents:: Table of Contents Description 
@@ -24,85 +24,85 @@ Description Supported Methods ----------------- -lighttpd supportes both authentication method described by -RFC 2617: +lighttpd supportes both authentication method described by +RFC 2617: basic ````` -The Basic method transfers the username and the password in -cleartext over the network (base64 encoded) and might result -in security problems if not used in conjunction with a crypted +The Basic method transfers the username and the password in +cleartext over the network (base64 encoded) and might result +in security problems if not used in conjunction with a crypted channel between client and server. digest `````` -The Digest method only transfers a hashed value over the -network which performs a lot of work to harden the +The Digest method only transfers a hashed value over the +network which performs a lot of work to harden the authentication process in insecure networks. Backends -------- -Depending on the method lighttpd provides various way to store +Depending on the method lighttpd provides various way to store the credentials used for the authentication. for basic auth: - plain_ -- htpasswd_ +- htpasswd_ - htdigest_ - ldap_ - + for digest auth: - plain_ - htdigest_ - + plain ````` -A file which contains username and the cleartext password -seperated by a colon. Each entry is terminated by a single +A file which contains username and the cleartext password +seperated by a colon. Each entry is terminated by a single newline.:: e.g.: agent007:secret - + htpasswd ```````` -A file which contains username and the crypt()'ed password -seperated by a colon. Each entry is terminated by a single +A file which contains username and the crypt()'ed password +seperated by a colon. Each entry is terminated by a single newline. :: e.g.: agent007:XWY5JwrAVBXsQ -You can use htpasswd from the apache distribution to manage +You can use htpasswd from the apache distribution to manage those files. 
:: - + $ htpasswd lighttpd.user.htpasswd agent007 - - + + htdigest ```````` -A file which contains username, realm and the md5()'ed -password seperated by a colon. Each entry is terminated +A file which contains username, realm and the md5()'ed +password seperated by a colon. Each entry is terminated by a single newline. :: - + e.g.: agent007:download area:8364d0044ef57b3defcfa141e8f77b65 - -You can use htdigest from the apache distribution to manage + +You can use htdigest from the apache distribution to manage those files. :: $ htdigest lighttpd.user.htdigest 'download area' agent007 - + Using md5sum can also generate the password-hash: :: #!/bin/sh @@ -118,21 +118,21 @@ To use it: $ htdigest.sh 'agent007' 'download area' 'secret' agent007:download area:8364d0044ef57b3defcfa141e8f77b65 - - - + + + ldap ```` -the ldap backend is basically performing the following steps +the ldap backend is basically performing the following steps to authenticate a user - + 1. connect anonymously (at plugin init) 2. get DN for filter = username 3. auth against ldap server 4. disconnect - -if all 4 steps are performed without any error the user is + +if all 4 steps are performed without any error the user is authenticated Configuration 
@@ -143,28 +143,28 @@ Configuration ## debugging # 0 for off, 1 for 'auth-ok' messages, 2 for verbose debugging auth.debug = 0 - - ## type of backend + + ## type of backend # plain, htpasswd, ldap or htdigest auth.backend = "htpasswd" - # filename of the password storage for + # filename of the password storage for # plain auth.backend.plain.userfile = "lighttpd-plain.user" - + ## for htpasswd auth.backend.htpasswd.userfile = "lighttpd-htpasswd.user" - + ## for htdigest auth.backend.htdigest.userfile = "lighttpd-htdigest.user" ## for ldap - # the $ in auth.backend.ldap.filter is replaced by the + # the $ in auth.backend.ldap.filter is replaced by the # 'username' from the login dialog auth.backend.ldap.hostname = "localhost" auth.backend.ldap.base-dn = "dc=my-domain,dc=com" auth.backend.ldap.filter = "(uid=$)" - # if enabled, startTLS needs a valid (base64-encoded) CA + # if enabled, startTLS needs a valid (base64-encoded) CA # certificate auth.backend.ldap.starttls = "enable" auth.backend.ldap.ca-file = "/etc/CAcertificate.pem" @@ -178,20 +178,20 @@ Configuration # "require" => "user=<username>" ) # ) # - # <realm> is a string to display in the dialog - # presented to the user and is also used for the - # digest-algorithm and has to match the realm in the + # <realm> is a string to display in the dialog + # presented to the user and is also used for the + # digest-algorithm and has to match the realm in the # htdigest file (if used) # - auth.require = ( "/download/" => - ( + auth.require = ( "/download/" => + ( "method" => "digest", "realm" => "download archiv", "require" => "user=agent007|user=agent008" ), - "/server-info" => - ( + "/server-info" => + ( "method" => "digest", "realm" => "download archiv", "require" => "valid-user" 
@@ -201,7 +201,7 @@ Configuration Limitations ============ -- The implementation of digest method is currently not +- The implementation of digest method is currently not completely compliant with the standard as it still allows a replay attack. |