Posted to users@httpd.apache.org by John Karr <br...@brainbuz.org> on 2011/12/24 02:17:12 UTC

[users@httpd] mod_auth_form and digest authentication

Version of Apache 2.3.15

The documentation for mod_auth_form says that it works with digest or basic
authentication. I have it working with basic authentication from a database,
but I can't find anything about how to switch over to digest. There are two
reasons for wanting to do this, first if your users already have passwords
encrypted in digest format, second the normal digest HTTP_AUTHORIZATION does
not include the password in clear text and would not need mod_session_crypto
if that value were used for the session.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
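
An added example, not part of the original post and not Apache httpd code: it shows how a stored digest-format hash relates to a form-submitted password and to the value a Digest Authorization header carries. The sample values are the ones from the example in RFC 2617 section 3.5; the function names are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """Digest-format stored credential (htdigest style): MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")

def verify_form_login(user: str, realm: str, submitted: str, stored_ha1: str) -> bool:
    """A login form receives the cleartext password, so a digest-format record
    can be checked by recomputing HA1 and comparing in constant time."""
    return hmac.compare_digest(ha1(user, realm, submitted), stored_ha1.lower())

def digest_response(stored_ha1: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """The 'response' field of a Digest Authorization header (RFC 2617, qop=auth).
    It is derived from HA1 and the per-request values, never from the password itself."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Sample values from the RFC 2617 section 3.5 example (not from this thread).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
URI, NONCE = "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
NC, CNONCE = "00000001", "0a4f113b"

# Constructed stand-in for the database column holding the digest-format hash.
STORED_HA1 = ha1(USER, REALM, PASSWORD)

if __name__ == "__main__":
    # Form login checked against the digest-format record.
    print("form login ok:", verify_form_login(USER, REALM, PASSWORD, STORED_HA1))
    print("wrong password:", verify_form_login(USER, REALM, "guess", STORED_HA1))
    # The header value is bound to the nonce and URI of one request, and it is
    # computed from the stored HA1 alone: the hash is password-equivalent for
    # its realm, so the table holding it needs the same protection as cleartext.
    print("response:", digest_response(STORED_HA1, "GET", URI, NONCE, NC, CNONCE))
```
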


Re: [users@httpd] mod_auth_form and digest authentication

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> I couldn't figure out how to get digest authentication working with
> mod_auth_form, the documentation mentions it once, but offers no
> specifics and I was unable to guess it (I even tried looking at the
> source for comments that might help).
> 
> Now as to why I would rather use digest authentication, I have been
> unsuccessful in compiling mod_session_crypto. A site that had been

Why? -- Did you use the latest apr-util?

> using Digest would obviously have the bigger concern of preserving
> user passwords. It happens that for the property I'm hoping to
> deploy mod_auth_form on the next release I have most of the
> passwords in both digest and htpasswd compatible formats. Based on
> the pace of the release cycle I don't expect an official Ubuntu
> package until end of October 2012, since apache httpd 2.3 isn't in
> Sid I can't assume a working package through Debian anytime soon.

It will be in Sid as soon as we release a "stable" release. sf
(Stefan Fritsch) is the Debian Maintainer of the packages and one
of our busiest committers. 
 
> I would prefer the stronger cryptography of mod_session_crypto, or a
> cryptographically enhanced version of digest if one was available.
> Since I store both password forms in my database I can use digest
> now and then switch later.


i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE




RE: [users@httpd] mod_auth_form and digest authentication

Posted by John Karr <br...@brainbuz.org>.
I couldn't figure out how to get digest authentication working with mod_auth_form, the documentation mentions it once, but offers no specifics and I was unable to guess it (I even tried looking at the source for comments that might help). 

Now as to why I would rather use digest authentication, I have been unsuccessful in compiling mod_session_crypto. A site that had been using Digest would obviously have the bigger concern of preserving user passwords. It happens that for the property I'm hoping to deploy mod_auth_form on the next release I have most of the passwords in both digest and htpasswd compatible formats. Based on the pace of the release cycle I don't expect an official Ubuntu package until end of October 2012, since apache httpd 2.3 isn't in Sid I can't assume a working package through Debian anytime soon. 

I would prefer the stronger cryptography of mod_session_crypto, or a cryptographically enhanced version of digest if one was available. Since I store both password forms in my database I can use digest now and then switch later. 


-----Original Message-----
From: Igor Galić [mailto:i.galic@brainsware.org] 
Sent: Monday, December 26, 2011 7:29 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] mod_auth_form and digest authentication



----- Original Message -----
> Version of Apache 2.3.15
> 
> The documentation for mod_auth_form says that it works with digest or 
> basic

Actually, mod_auth_form should work with any kind of authentication system that you come up with, since it essentially gives up control to you and your application.

> authentication. I have it working with basic authentication from a 
> database, but I can't find anything about how to switch over to 
> digest. There are two reasons for wanting to do this, first if your 
> users already have passwords encrypted in digest format, second the 
> normal digest HTTP_AUTHORIZATION does not include the password in 
> clear text and would not need mod_session_crypto if that value were 
> used for the session.

Is there a specific reason why you do not want to, or cannot use mod_session_crypto?


So long,

i 

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE




Re: [users@httpd] mod_auth_form and digest authentication

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Version of Apache 2.3.15
> 
> The documentation for mod_auth_form says that it works with digest or
> basic

Actually, mod_auth_form should work with any kind of authentication
system that you come up with, since it essentially gives up control
to you and your application.

> authentication. I have it working with basic authentication from a
> database,
> but I can't find anything about how to switch over to digest. There
> are two
> reasons for wanting to do this, first if your users already have
> passwords
> encrypted in digest format, second the normal digest
> HTTP_AUTHORIZATION does
> not include the password in clear text and would not need
> mod_session_crypto
> if that value were used for the session.

Is there a specific reason why you do not want to, or cannot
use mod_session_crypto?


So long,

i 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE

