File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / lighttpd / doc / outdated / authentication.txt
Revision 1.1.1.1 (vendor branch)
Mon Oct 14 10:32:48 2013 UTC (11 years, 5 months ago) by misho
Branches: lighttpd, MAIN
CVS tags: v1_4_41p8, v1_4_35p0, v1_4_35, v1_4_33, HEAD
1.4.33

====================
Using Authentication
====================

----------------
Module: mod_auth
----------------

:Author: Jan Kneschke
:Date: $Date: 2013/10/14 10:32:48 $
:Revision: $Revision: 1.1.1.1 $

:abstract:
  The auth module provides ...

.. meta::
  :keywords: lighttpd, authentication

.. contents:: Table of Contents

Description
===========

Supported Methods
-----------------

lighttpd supports both authentication methods described by
RFC 2617:

basic
`````

The Basic method transfers the username and the password in
cleartext over the network (only base64 encoded) and can lead
to security problems if it is not used over an encrypted
channel between client and server.

digest
``````

The Digest method transfers only a hash over the network,
which considerably hardens the authentication process on
insecure networks.
   44: 
Backends
--------

Depending on the method, lighttpd provides various ways to store
the credentials used for the authentication.

for basic auth:

- plain_
- htpasswd_
- htdigest_
- ldap_

for digest auth:

- plain_
- htdigest_

   63: 
plain
`````

A file which contains the username and the cleartext password
separated by a colon. Each entry is terminated by a single
newline. ::

  e.g.:
  agent007:secret


htpasswd
````````

A file which contains the username and the crypt()'ed password
separated by a colon. Each entry is terminated by a single
newline. ::

  e.g.:
  agent007:XWY5JwrAVBXsQ

You can use htpasswd from the apache distribution to manage
those files. ::

  $ htpasswd lighttpd.user.htpasswd agent007


htdigest
````````

A file which contains the username, the realm and the md5()'ed
password separated by a colon. Each entry is terminated
by a single newline. ::

  e.g.:
  agent007:download area:8364d0044ef57b3defcfa141e8f77b65

You can use htdigest from the apache distribution to manage
those files. ::

  $ htdigest lighttpd.user.htdigest 'download area' agent007

Using md5sum can also generate the password-hash: ::

  #!/bin/sh
  # usage: htdigest.sh <user> <realm> <password>
  user=$1
  realm=$2
  pass=$3

  # The stored value is md5("user:realm:password") without a trailing
  # newline. printf is used instead of "echo -n" because some /bin/sh
  # implementations print the "-n" literally. cut keeps only the 32
  # hex digits and drops the filename column of md5sum's output.
  hash=`printf '%s' "$user:$realm:$pass" | md5sum | cut -b -32`

  echo "$user:$realm:$hash"

To use it: ::

  $ htdigest.sh 'agent007' 'download area' 'secret'
  agent007:download area:8364d0044ef57b3defcfa141e8f77b65
  121: 
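The following is an added example, not code from lighttpd or this document: it shows how a server verifies an RFC 2617 Digest response using only the HA1 value stored in an htdigest file, so the cleartext password never has to be present on the server. Usernames, realm, nonces and the one-time-nonce check are constructed for illustration; the nonce check is a simplification (no qop/nc handling) of the replay protection that the Limitations section says the module does not provide.

```python
import hashlib
import hmac


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Line as written by htdigest (or the md5sum script above): user:realm:HA1."""
    return f"{user}:{realm}:{md5hex(f'{user}:{realm}:{password}')}"


def load_htdigest(text: str) -> dict:
    """Parse user:realm:HA1 lines into {(user, realm): HA1}; the realm may contain spaces."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            user, realm, ha1 = line.split(":", 2)
            entries[(user, realm)] = ha1.strip()
    return entries


def client_response(user, realm, password, method, uri, nonce) -> str:
    """Value a client places in the Authorization header (RFC 2617, no qop):
    response = md5(HA1:nonce:HA2) with HA2 = md5(method:uri)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    return md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")


def verify(entries, user, realm, method, uri, nonce, response, seen_nonces: set) -> bool:
    """Server side: recompute the response from the stored HA1 only.
    seen_nonces is a constructed simplification of a nonce policy: a server
    nonce is accepted once, so a captured Authorization header cannot be
    replayed (the module described on this page does not do this)."""
    ha1 = entries.get((user, realm))
    if ha1 is None or nonce in seen_nonces:
        return False
    expected = md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")
    # constant-time comparison avoids leaking the expected value via timing
    if not hmac.compare_digest(expected, response):
        return False
    seen_nonces.add(nonce)
    return True
```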
  122: 
  123: 
ldap
````

The ldap backend performs the following steps to
authenticate a user:

1. connect anonymously (at plugin init)
2. get the DN for filter = username
3. authenticate (bind) against the ldap server with that DN
4. disconnect

If all four steps complete without error, the user is
authenticated.
  137: 
Configuration
=============

::

  ## debugging
  # 0 for off, 1 for 'auth-ok' messages, 2 for verbose debugging
  auth.debug                 = 0

  ## type of backend
  # plain, htpasswd, ldap or htdigest
  auth.backend               = "htpasswd"

  # filename of the password storage for
  # plain
  auth.backend.plain.userfile = "lighttpd-plain.user"

  ## for htpasswd
  auth.backend.htpasswd.userfile = "lighttpd-htpasswd.user"

  ## for htdigest
  auth.backend.htdigest.userfile = "lighttpd-htdigest.user"

  ## for ldap
  # the $ in auth.backend.ldap.filter is replaced by the
  # 'username' from the login dialog
  auth.backend.ldap.hostname = "localhost"
  auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
  auth.backend.ldap.filter   = "(uid=$)"
  # if enabled, startTLS needs a valid (base64-encoded) CA
  # certificate
  auth.backend.ldap.starttls   = "enable"
  auth.backend.ldap.ca-file   = "/etc/CAcertificate.pem"

  ## restrictions
  # set restrictions:
  #
  # ( <left-part-of-the-url> =>
  #   ( "method" => "digest"/"basic",
  #     "realm" => <realm>,
  #     "require" => "user=<username>" )
  # )
  #
  # <realm> is a string to display in the dialog
  #         presented to the user and is also used for the
  #         digest-algorithm and has to match the realm in the
  #         htdigest file (if used)
  #

  auth.require = ( "/download/" =>
                   (
                     "method"  => "digest",
                     "realm"   => "download archiv",
                     "require" => "user=agent007|user=agent008"
                   ),
                   "/server-info" =>
                   (
                     "method"  => "digest",
                     "realm"   => "download archiv",
                     "require" => "valid-user"
                   )
                 )

  200: 
Limitations
============

- The implementation of the digest method is currently not
  completely compliant with the standard, as it still allows
  a replay attack.

