| ==================== |
| Using Authentication |
| ==================== |
| |
| ---------------- |
| Module: mod_auth |
| ---------------- |
| |
| :Author: Jan Kneschke |
| :Date: $Date: 2006-10-04 15:26:23 +0200 (Wed, 04 Oct 2006) $ |
| :Revision: $Revision: 1371 $ |
| |
| :abstract: |
| The auth module provides ... |
| |
| .. meta:: |
| :keywords: lighttpd, authentication |
| |
| .. contents:: Table of Contents |
| |
| Description |
| =========== |
| |
| Supported Methods |
| ----------------- |
| |
| lighttpd supports both authentication methods described in |
| RFC 2617: |
| |
| basic |
| ````` |
| |
| The Basic method transfers the username and the password in |
| cleartext over the network (merely base64 encoded, which any |
| observer can reverse), so it is only acceptable over an |
| encrypted channel (TLS) between client and server. |
| |
| digest |
| `````` |
| |
| The Digest method transfers only an MD5 hash of the credentials, |
| bound to a server-supplied nonce, so an observer on an insecure |
| network does not learn the password itself. It does not protect |
| the request or response content, which still travels in the |
| clear unless TLS is used. |
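The difference between the two methods is easiest to see in what actually crosses the wire. The following shell script is an added example, not part of the lighttpd documentation or source: it decodes a Basic header back to ``user:password`` and computes a Digest response the way RFC 2617 describes, using the RFC's own worked example (user ``Mufasa``, realm ``testrealm@host.com``, section 3.5) as a known answer. It assumes a POSIX shell with ``md5sum`` (or ``openssl``) and ``base64``; the function names are the script's own. HA1, the intermediate MD5 of ``user:realm:password``, is exactly what the htdigest backend described below stores, which is why the server can verify a response without knowing the cleartext password.

```shell
#!/bin/sh
# Added example, not lighttpd code: what Basic and Digest actually put on the wire.
# Assumes coreutils md5sum (openssl as fallback) and base64; names are this script's own.

md5hex() {
    # MD5 of stdin as 32 lowercase hex digits.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -c1-32
    else
        openssl dgst -md5 | sed 's/.*= *//'
    fi
}

basic_decode() {
    # A Basic credential is only base64: anyone who sees it recovers user:password.
    printf '%s' "$1" | base64 -d
}

digest_ha1() {
    # HA1 = MD5(user:realm:password). This is the value an htdigest file stores,
    # so the server side never needs the cleartext password.
    printf '%s:%s:%s' "$1" "$2" "$3" | md5hex
}

digest_response() {
    # Arguments: ha1 nonce nc cnonce qop method uri
    # RFC 2617 with qop=auth:
    #   HA2      = MD5(method:uri)
    #   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    # Only this response travels over the network, never the password or HA1.
    ha2=$(printf '%s:%s' "$6" "$7" | md5hex)
    printf '%s:%s:%s:%s:%s:%s' "$1" "$2" "$3" "$4" "$5" "$ha2" | md5hex
}

digest_verify() {
    # Arguments: stored_ha1 nonce nc cnonce qop method uri client_response
    # Server side: recompute from the stored HA1 and compare with the client's value.
    # The hash binds the response to this nonce/nc/cnonce only; a server that does
    # not track which nonces it has already accepted will accept the same header again.
    expected=$(digest_response "$1" "$2" "$3" "$4" "$5" "$6" "$7")
    [ "$expected" = "$8" ]
}

# Constructed demo input: the example exchange from RFC 2617 section 3.5.
ha1=$(digest_ha1 'Mufasa' 'testrealm@host.com' 'Circle Of Life')
resp=$(digest_response "$ha1" 'dcd98b7102dd2f0e8b11d0f600bfb0c093' \
    '00000001' '0a4f113b' 'auth' 'GET' '/dir/index.html')
printf 'Basic "YWdlbnQwMDc6c2VjcmV0" decodes to: %s\n' "$(basic_decode 'YWdlbnQwMDc6c2VjcmV0')"
printf 'htdigest line for the RFC user:       Mufasa:testrealm@host.com:%s\n' "$ha1"
printf 'Digest response on the wire:          %s\n' "$resp"
```

``digest_verify`` is the server's whole check: it needs only the stored HA1 and the parameters the client echoed back, which is why the realm in the htdigest file has to match the realm in the challenge exactly.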
| |
| Backends |
| -------- |
| |
| Depending on the method, lighttpd provides various ways to store |
| the credentials used for the authentication. |
| |
| for basic auth: |
| |
| - plain_ |
| - htpasswd_ |
| - htdigest_ |
| - ldap_ |
| |
| for digest auth: |
| |
| - plain_ |
| - htdigest_ |
| |
| |
| plain |
| ````` |
| |
| A file which contains the username and the cleartext password |
| separated by a colon. Each entry is terminated by a single |
| newline. Since the passwords are stored unprotected, the file |
| must be readable only by the user lighttpd runs as. :: |
| |
| e.g.: |
| agent007:secret |
| |
| |
| htpasswd |
| ```````` |
| |
| A file which contains the username and the crypt()'ed password |
| separated by a colon. Each entry is terminated by a single |
| newline. :: |
| |
| e.g.: |
| agent007:XWY5JwrAVBXsQ |
| |
| You can use htpasswd from the Apache distribution to manage |
| those files. Newer htpasswd versions default to other hash |
| formats; pass ``-d`` to force crypt(). Note also that a |
| traditional 13-character crypt() hash, like the one above, |
| only covers the first eight characters of the password; anything |
| longer is silently truncated. :: |
| |
| $ htpasswd -d lighttpd.user.htpasswd agent007 |
| |
| |
| htdigest |
| ```````` |
| |
| A file which contains the username, the realm and the MD5 hash of |
| ``username:realm:password`` separated by colons. Each entry is |
| terminated by a single newline. The realm is part of the hash, so |
| an entry is only valid for the realm it was created for. :: |
| |
| e.g.: |
| agent007:download area:8364d0044ef57b3defcfa141e8f77b65 |
| |
| You can use htdigest from the apache distribution to manage |
| those files. :: |
| |
| $ htdigest lighttpd.user.htdigest 'download area' agent007 |
| |
| The same hash can be generated with md5sum; it is the MD5 of |
| ``user:realm:password`` (HA1 in RFC 2617 terms): :: |
| |
| #!/bin/sh |
| # usage: htdigest.sh <user> <realm> <password> |
| user=$1 |
| realm=$2 |
| pass=$3 |
| |
| # printf rather than "echo -n": echo's handling of -n is not portable |
| hash=$(printf '%s:%s:%s' "$user" "$realm" "$pass" | md5sum | cut -b -32) |
| |
| echo "$user:$realm:$hash" |
| |
| To use it: :: |
| |
| $ htdigest.sh 'agent007' 'download area' 'secret' |
| agent007:download area:8364d0044ef57b3defcfa141e8f77b65 |
| |
| Passing the password as a command-line argument exposes it to |
| other users through the process list and leaves it in the shell |
| history; htdigest avoids this by prompting for it. |
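Before pointing ``auth.backend.*.userfile`` at one of these files it is worth checking that it has the shape the backend expects and that nobody else can read it. The following shell script is an added example, not part of lighttpd: it checks the file mode and, per line, the field layout for each of the three file formats described above (cleartext, 13-character crypt(3) hash, realm plus 32-hex MD5), flags duplicate users, and for htdigest files compares the realm field against the realm you configured. Function names and the sample files are the script's own; the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not part of lighttpd: sanity checks for plain, htpasswd and
# htdigest user files. Function names are this script's own; the sample
# entries below are constructed from the formats documented above.

is_crypt_hash() {
    # Traditional crypt(3): 2 salt chars + 11 hash chars, all from [A-Za-z0-9./]
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9./]{13}$'
}

is_md5_hex() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# check_userfile <plain|htpasswd|htdigest> <file> [<configured realm>]
# Prints one line per finding; returns 0 when the file is clean, 1 otherwise.
check_userfile() {
    backend=$1
    file=$2
    realm=$3
    rc=0
    seen=" "
    n=0
    # The file holds credentials (cleartext for "plain"): only the owner may read it.
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    case "$(ls -ld "$file" | cut -c5-10)" in
        ------) ;;
        *) echo "$file: permissions allow group/other access"; rc=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        # Split on ':' only, so realms containing spaces ("download area") survive.
        IFS=: read -r user f2 f3 <<EOF
$line
EOF
        if [ -z "$user" ]; then
            echo "$file:$n: empty username"; rc=1; continue
        fi
        case "$seen" in
            *" $user "*) echo "$file:$n: duplicate user '$user'"; rc=1 ;;
        esac
        seen="$seen$user "
        case "$backend" in
            plain)
                [ -n "$f2" ] || { echo "$file:$n: empty password for '$user'"; rc=1; } ;;
            htpasswd)
                is_crypt_hash "$f2" || { echo "$file:$n: '$user': not a 13-char crypt(3) hash"; rc=1; } ;;
            htdigest)
                if [ -n "$realm" ] && [ "$f2" != "$realm" ]; then
                    echo "$file:$n: '$user': realm '$f2' is not the configured '$realm'"; rc=1
                fi
                is_md5_hex "$f3" || { echo "$file:$n: '$user': not a 32-hex MD5 hash"; rc=1; } ;;
            *)
                echo "$file: unknown backend '$backend'"; return 2 ;;
        esac
    done < "$file"
    return "$rc"
}

# Constructed demo files, modelled on the entries shown above.
tmp=$(mktemp -d)
printf 'agent007:secret\n' > "$tmp/plain.user"
printf 'agent007:XWY5JwrAVBXsQ\nagent008:$apr1$notcrypt\n' > "$tmp/htpasswd.user"
printf 'agent007:download area:8364d0044ef57b3defcfa141e8f77b65\n' > "$tmp/htdigest.user"
printf 'agent008:other realm:8364d0044ef57b3defcfa141e8f77b65\n' >> "$tmp/htdigest.user"
chmod 600 "$tmp/plain.user" "$tmp/htdigest.user"
chmod 644 "$tmp/htpasswd.user"     # deliberately too open

check_userfile plain    "$tmp/plain.user"    && echo "$tmp/plain.user: clean"
check_userfile htpasswd "$tmp/htpasswd.user" || echo "$tmp/htpasswd.user: has findings"
check_userfile htdigest "$tmp/htdigest.user" 'download area' || echo "$tmp/htdigest.user: has findings"
rm -rf "$tmp"
```

Run it against the real files with the realm from ``auth.require`` before reloading lighttpd; a realm mismatch in an htdigest file is the most common reason a correct password is rejected, because the realm is baked into the stored hash.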
| |
| |
| |
| ldap |
| ```` |
| |
| The ldap backend performs the following steps to authenticate |
| a user: |
| |
| 1. connect anonymously (at plugin init) |
| 2. search below ``auth.backend.ldap.base-dn`` with the configured |
|    filter, where ``$`` is replaced by the username, and take the |
|    DN of the matching entry |
| 3. bind to the LDAP server with that DN and the supplied password |
| 4. disconnect |
| |
| If all four steps complete without error, the user is |
| authenticated. Since the username from the login dialog is |
| substituted into the search filter, make sure the version you |
| run escapes or rejects LDAP filter metacharacters in it, so that |
| a crafted username cannot change the meaning of the filter. |
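Step 2 is where the login name meets the directory: the ``$`` in ``auth.backend.ldap.filter`` is replaced with whatever the user typed into the browser's dialog. The following shell script is an added example, not lighttpd's code, showing how such a substitution has to escape the filter metacharacters defined in RFC 4515 and what the filter turns into when it does not. The function names and the sample login names are the script's own.

```shell
#!/bin/sh
# Added example, not lighttpd code: filling the "$" placeholder of
# auth.backend.ldap.filter with a login name. The name comes from the browser's
# login dialog, so the characters RFC 4515 gives special meaning in a search
# filter are escaped as \XX before substitution. Function names are this script's own.

ldap_filter_escape() {
    # Escape '\' first so the escapes added afterwards are not re-escaped,
    # then '*', '(' and ')'. (RFC 4515 also requires \00 for NUL, which a shell
    # string cannot carry, so it cannot reach this point.)
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldap_build_filter <template> <username>: replace the first '$' in <template>
# with the escaped username.
ldap_build_filter() {
    template=$1
    escaped=$(ldap_filter_escape "$2")
    case "$template" in
        *'$'*)
            prefix=${template%%\$*}
            suffix=${template#*\$}
            printf '%s%s%s\n' "$prefix" "$escaped" "$suffix" ;;
        *)
            printf '%s\n' "$template" ;;
    esac
}

# The same substitution without escaping, to show what a hostile name does to
# the filter. Assumes <template> contains a '$'.
ldap_build_filter_raw() {
    template=$1
    prefix=${template%%\$*}
    suffix=${template#*\$}
    printf '%s%s%s\n' "$prefix" "$2" "$suffix"
}

# Constructed login names against the filter from the configuration section.
filter='(uid=$)'
for name in 'agent007' '*' 'agent*'; do
    printf 'login %-10s escaped: %-18s raw: %s\n' "$name" \
        "$(ldap_build_filter "$filter" "$name")" "$(ldap_build_filter_raw "$filter" "$name")"
done
# With the raw substitution a login of "*" turns step 2 into "(uid=*)", which
# matches every entry in the subtree, so the DN that gets bound to in step 3 is
# whichever entry the server returns first. Escaped, "(uid=\2a)" only matches a
# uid that is literally "*".
```

The search in step 2 should also be treated as failed when it returns more than one entry; a wildcard that slips through escaping would otherwise hand the bind in step 3 an arbitrary user's DN.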
| |
| Configuration |
| ============= |
| |
| :: |
| |
| ## debugging |
| # 0 for off, 1 for 'auth-ok' messages, 2 for verbose debugging |
| auth.debug = 0 |
| |
| ## type of backend |
| # plain, htpasswd, ldap or htdigest |
| auth.backend = "htpasswd" |
| |
| # filename of the password storage for |
| # plain |
| auth.backend.plain.userfile = "lighttpd-plain.user" |
| |
| ## for htpasswd |
| auth.backend.htpasswd.userfile = "lighttpd-htpasswd.user" |
| |
| ## for htdigest |
| auth.backend.htdigest.userfile = "lighttpd-htdigest.user" |
| |
| ## for ldap |
| # the $ in auth.backend.ldap.filter is replaced by the |
| # 'username' from the login dialog |
| auth.backend.ldap.hostname = "localhost" |
| auth.backend.ldap.base-dn = "dc=my-domain,dc=com" |
| auth.backend.ldap.filter = "(uid=$)" |
| # if enabled, startTLS needs a valid PEM (base64-encoded) CA |
| # certificate to verify the server's certificate |
| auth.backend.ldap.starttls = "enable" |
| auth.backend.ldap.ca-file = "/etc/CAcertificate.pem" |
| |
| ## restrictions |
| # set restrictions: |
| # |
| # ( <left-part-of-the-url> => |
| # ( "method" => "digest"/"basic", |
| # "realm" => <realm>, |
| # "require" => "user=<username>" ) |
| # ) |
| # |
| # <realm> is a string to display in the dialog |
| # presented to the user; for the digest method it is also |
| # an input to the hash and has to match the realm in the |
| # htdigest file (if used) |
| # |
| # "require" is either "valid-user" (any user in the backend) |
| # or one or more "user=<username>" entries joined by "|" |
| # |
| |
| auth.require = ( "/download/" => |
| ( |
| "method" => "digest", |
| "realm" => "download archiv", |
| "require" => "user=agent007|user=agent008" |
| ), |
| "/server-info" => |
| ( |
| "method" => "digest", |
| "realm" => "download archiv", |
| "require" => "valid-user" |
| ) |
| ) |
| |
| Limitations |
| ============ |
| |
| - The implementation of the digest method is currently not |
|   completely compliant with the standard: it still allows a |
|   replay attack, i.e. a captured Digest ``Authorization`` header |
|   can be re-sent by an attacker and is accepted again. |
| |