Posted to cvs@httpd.apache.org by ji...@apache.org on 2004/04/15 17:56:52 UTC
cvs commit: httpd-docs-1.3/htdocs/manual/mod core.html.en mod_digest.html
jim 2004/04/15 08:56:52
Modified: htdocs/manual/mod core.html.en mod_digest.html
Log:
Document AuthDigestRealmSeed
Revision Changes Path
1.260 +42 -0 httpd-docs-1.3/htdocs/manual/mod/core.html.en
Index: core.html.en
===================================================================
RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/core.html.en,v
retrieving revision 1.259
retrieving revision 1.260
diff -u -r1.259 -r1.260
--- core.html.en 29 Jan 2004 17:01:53 -0000 1.259
+++ core.html.en 15 Apr 2004 15:56:50 -0000 1.260
@@ -37,6 +37,8 @@
<li><a href="#authname">AuthName</a></li>
+ <li><a href="#AuthDigestRealmSeed">AuthDigestRealmSeed</a></li>
+
<li><a href="#authtype">AuthType</a></li>
<li><a href="#bindaddress">BindAddress</a></li>
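Review bot: the new list entry links to "#AuthDigestRealmSeed" in CamelCase while every neighbouring entry uses a lowercase anchor ("#authname", "#authtype"); the added blank "+" line after the <li> also breaks the one-item-per-line layout of the list. Suggest a lowercase anchor (matching the id used for the new section) and dropping the blank line.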
@@ -500,6 +502,7 @@
href="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</a>,
<a href="mod_auth.html#authgroupfile">AuthGroupFile</a>, <a
href="#authname">AuthName</a>, <a
+ href="#AuthDigestRealmSeed">AuthDigestRealmSeed</a>, <a
href="#authtype">AuthType</a>, <a
href="mod_auth.html#authuserfile">AuthUserFile</a>, <a
href="#require">Require</a>, <em>etc.</em>).</dd>
@@ -595,6 +598,42 @@
Access Control</a></p>
<hr />
+ <h2><a id="AuthDigestRealmSeed" name="AuthDigestRealmSeed">AuthDigestRealmSeed
+ directive</a></h2>
+
+ <a href="directive-dict.html#Syntax"
+ rel="Help"><strong>Syntax:</strong></a> AuthDigestRealmSeed
+ <em>secret-real-string</em><br />
+ <a href="directive-dict.html#Context"
+ rel="Help"><strong>Context:</strong></a> directory,
+ .htaccess<br />
+ <a href="directive-dict.html#Override"
+ rel="Help"><strong>Override:</strong></a> AuthConfig<br />
+ <a href="directive-dict.html#Status"
+ rel="Help"><strong>Status:</strong></a> core
+
+ <p>This directive sets a per realm secret nonce prefix
+ which is used to ensure that a captured username, password
+ and realm string during a Digest exchange cannot
+ be replayed at other places.
+ </p>
+ <p>It only applies to <a href="mod_digest.html">mod_digest.html</a>,
+ the experimental <a href="mod_auth_digest.html">mod_auth_digest.html</a>
+ implements its own (more advanced and also time sensitive) replay protection.
+ </p>
+
+ It must be accompanied by <a href="#authtype">AuthType</a> of
+ type Digest, one or more
+ <a href="#require">Require</a> directives, and directives such
+ as <a href="mod_auth.html#authuserfile">AuthUserFile</a> and <a
+ href="mod_auth.html#authgroupfile">AuthGroupFile</a> to
+ work.</p>
+
+ <p><strong>See also:</strong> <a
+ href="../howto/auth.html">Authentication, Authorization, and
+ Access Control</a></p>
+ <hr />
+
<h2><a id="authtype" name="authtype">AuthType
directive</a></h2>
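Review bot: the paragraph beginning "It must be accompanied by" closes with "</p>" but never opens with "<p>", so the markup is unbalanced; add the opening tag. The directive header lists Syntax, Context, Override and Status but no Default, even though the mod_digest.html change in this same commit states that a default prefix is used when none is configured; the default (and the fact that it is not meant to be secure) belongs here too. Wording: "per realm" should be "per-realm", the link texts "mod_digest.html" and "mod_auth_digest.html" should read "mod_digest" and "mod_auth_digest", and "It only applies to mod_digest, the experimental mod_auth_digest implements its own ..." is a comma splice that should be two sentences.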
@@ -618,6 +657,9 @@
as <a href="mod_auth.html#authuserfile">AuthUserFile</a> and <a
href="mod_auth.html#authgroupfile">AuthGroupFile</a> to
work.</p>
+
+ <p>When AuthDigest is used an <a href="#AuthDigestRealmSeed">AuthDigestRealmSeed</a>
+ should also be set.</p>
<p><strong>See also:</strong> <a
href="../howto/auth.html">Authentication, Authorization, and
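Review bot: "When AuthDigest is used" does not name anything that exists; the preceding paragraph refers to AuthType of type Digest, so this should read "When AuthType Digest is used, an AuthDigestRealmSeed should also be set."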
1.15 +19 -8 httpd-docs-1.3/htdocs/manual/mod/mod_digest.html
Index: mod_digest.html
===================================================================
RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/mod_digest.html,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- mod_digest.html 23 Jan 2002 02:51:03 -0000 1.14
+++ mod_digest.html 15 Apr 2004 15:56:52 -0000 1.15
@@ -48,17 +48,28 @@
<p>Using MD5 Digest authentication is very simple. Simply set
up authentication normally. However, use "AuthType Digest" and
"AuthDigestFile" instead of the normal "AuthType Basic" and
- "AuthUserFile". Everything else should remain the same.</p>
+ "AuthUserFile".</p>
+
+ <p>As to make sure that replay is not possible across
+ sections of the site, or across sites (assuming a realm,
+ userid and password are valid in that wider context) a
+ secret nonce prefix can be configured with the
+ core directive <a href="core.html#AuthDigestRealmSeed">AuthDigestRealmSeed</a>.
+ </p>
+ <p>If none if configured a sensible, but not particular
+ secure, default is used. When used in load balancing
+ situations the prefix should be shared across servers.
+ </p>
+ <p>The experimental <a href="mod_auth_digest.html">mod_auth_digest</a>
+ module offers a number of additinal protections against replay.
+ </p>
+
+ <p>Everything else should remain the same.</p>
<p>MD5 authentication provides a more secure password system,
but only works with supporting browsers. As of this writing
- (January 2002), the only major browsers which support digest
- authentication are <a href="http://www.opera.com/">Opera 4.0</a>,
- <a href="http://www.microsoft.com/windows/ie/">MS Internet
- Explorer 5.0</a> and <a href="http://www.w3.org/Amaya/">Amaya</a>.
- Therefore, we do not recommend using this feature on a large
- Internet site. However, for personal and intra-net use, where
- browser users can be controlled, it is ideal.</p>
+ (December 2003), most major browsers support digest authentication.
+ </p>
<p>See also <a href="mod_auth_digest.html">mod_auth_digest</a>,
which is an updated version of this module, in order to determine
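Review bot: several typos in the new paragraphs: "As to make sure" should be "To make sure", "If none if configured" should be "If none is configured", "not particular secure" should be "not particularly secure", and "additinal" should be "additional". Since the text itself says the default prefix is not particularly secure, it would help readers to say plainly that AuthDigestRealmSeed should be set explicitly (and kept secret) rather than relying on the default. The browser-support sentence is dated "December 2003" in a commit made in April 2004; either update the date or drop it.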