Mod auth » History » Revision 20
Revision 19 (Anonymous, 2007-10-11 17:24) → Revision 20/91 (Anonymous, 2007-10-11 17:30)
[[TracNav(DocsToc)]]
{{{
#!rst
====================
Using Authentication
====================

----------------
Module: mod_auth
----------------

.. meta::
  :keywords: lighttpd, authentication

.. contents:: Table of Contents

Description
===========

Supported Methods
-----------------

lighttpd supports both authentication methods described by RFC 2617:

basic
`````

The Basic method transfers the username and the password in cleartext over the
network (base64 encoded) and might result in security problems if not used in
conjunction with an encrypted channel between client and server.

digest
``````

The Digest method only transfers a hashed value over the network, which does a
lot to harden the authentication process on insecure networks.

Backends
--------

Depending on the method, lighttpd provides various ways to store the
credentials used for the authentication.

for basic auth:

- plain_
- htpasswd_
- htdigest_
- ldap_

for digest auth:

- plain_
- htdigest_

plain
`````

A file which contains username and the cleartext password separated by a
colon. Each entry is terminated by a single newline. ::

  e.g.:
  agent007:secret

htpasswd
````````

A file which contains username and the crypt()'ed password separated by a
colon. Each entry is terminated by a single newline. ::

  e.g.:
  agent007:XWY5JwrAVBXsQ

You can use htpasswd from the apache distribution to manage those files. ::

  $ htpasswd lighttpd.user.htpasswd agent007

Keep in mind that not all versions of htpasswd default to using Apache's
modified MD5 algorithm for passwords, which is required by lighttpd.

htdigest
````````

A file which contains username, realm and the md5()'ed password separated by
a colon. Each entry is terminated by a single newline. ::

  e.g.:
  agent007:download area:8364d0044ef57b3defcfa141e8f77b65

You can use htdigest from the apache distribution to manage those files. ::

  $ htdigest lighttpd.user.htdigest 'download area' agent007

Using md5sum can also generate the password hash: ::

  #!/bin/sh
  # usage: htdigest.sh <user> <realm> <password>
  user=$1
  realm=$2
  pass=$3
  # the stored hash is MD5("user:realm:password"); md5sum prints "<hash>  -",
  # so keep only the first 32 characters
  hash=`echo -n "$user:$realm:$pass" | md5sum | cut -b -32`
  echo "$user:$realm:$hash"

To use it (arguments are separated by spaces, so quote a realm that contains
spaces!): ::

  $ htdigest.sh 'agent007' 'download area' 'secret'
  agent007:download area:8364d0044ef57b3defcfa141e8f77b65

ldap
````

The ldap backend performs the following steps to authenticate a user:

1. Init the LDAP connection
2. Set the protocol version to LDAPv3
3. If StartTLS is configured -> configure the CA certificate if supplied
4. If StartTLS is configured -> activate TLS using StartTLS
5. If a Bind DN is configured -> simple bind with Bind-DN and Bind-Password
6. If there is no Bind-DN -> simple bind anonymously
7. Try up to two times a SUBTREE search of the base-DN with the filter applied
8. Retrieve the DN of the user matching the filter
9. Finally, re-init the connection (following the steps above), this time
   binding with the DN found by the search and the password supplied by the
   user

If all 9 steps are performed without any error, the user is authenticated.

Configuration
=============

::

  ## debugging
  # 0 for off, 1 for 'auth-ok' messages, 2 for verbose debugging
  auth.debug = 0

  ## type of backend
  # plain, htpasswd, ldap or htdigest
  auth.backend = "htpasswd"

  # filename of the password storage for
  # plain
  auth.backend.plain.userfile = "lighttpd-plain.user"

  ## for htpasswd
  auth.backend.htpasswd.userfile = "/full/path/to/lighttpd-htpasswd.user"

  ## for htdigest
  auth.backend.htdigest.userfile = "lighttpd-htdigest.user"

  ## for ldap
  # the $ in auth.backend.ldap.filter is replaced by the
  # 'username' from the login dialog
  auth.backend.ldap.hostname = "localhost"
  auth.backend.ldap.base-dn = "dc=my-domain,dc=com"
  auth.backend.ldap.filter = "(uid=$)"

  # if enabled, startTLS needs a valid (base64-encoded) CA
  # certificate unless the certificate has been stored
  # in a c_hashed directory and referenced in ldap.conf
  auth.backend.ldap.starttls = "enable"
  auth.backend.ldap.ca-file = "/etc/CAcertificate.pem"

  # If you need to use a custom bind to access the server
  auth.backend.ldap.bind-dn = "uid=admin,dc=my-domain,dc=com"
  auth.backend.ldap.bind-pw = "mysecret"

  # If you want to allow empty passwords
  # 0 for requiring passwords, 1 for allowing empty passwords
  auth.backend.ldap.allow-empty-pw = 0

  ## restrictions
  # set restrictions:
  #
  # ( <left-part-of-the-url> =>
  #   ( "method" => "digest"/"basic",
  #     "realm" => <realm>,
  #     "require" => "user=<username>" )
  # )
  #
  # <realm> is a string to display in the dialog
  # presented to the user and is also used for the
  # digest-algorithm and has to match the realm in the
  # htdigest file (if used)
  #
  auth.require = ( "/download/" =>
                   (
                     # method must be either basic or digest
                     "method"  => "digest",
                     "realm"   => "download archiv",
                     "require" => "user=agent007|user=agent008"
                   ),
                   "/server-info" =>
                   (
                     "method"  => "digest",
                     "realm"   => "download archiv",
                     "require" => "valid-user"
                   )
                 )

  # Or, using regular expressions:
  $HTTP["url"] =~ "^/download|^/server-info" {
    auth.require = ( "" =>
                     (
                       "method"  => "digest",
                       "realm"   => "download archiv",
                       "require" => "user=agent007|user=agent008"
                     )
                   )
  }

Limitations
===========

- The implementation of the digest method is currently not completely
  compliant with the standard, as it still allows a replay attack.
- LDAP authentication only allows alphanumeric uids that do not contain
  punctuation, i.e. john.doe will be rejected with
  "ldap: invalid character (a-zA-Z0-9 allowed) in username: john.doe".
- There seems to be no reasonable logging of failed login attempts yet.

See Also
========

}}}

 * [wiki:HowToAuthenticationFromMultipleFiles Authenticate from Multiple Password Files]
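An added example, not from the lighttpd wiki or the mod_auth source, of the Digest calculation behind the htdigest backend: it recreates the HA1 value the page's htdigest.sh produces, parses an htdigest file, and checks a client's RFC 2617 response (without qop) against the stored HA1, which is why the realm in auth.require has to match the realm stored in the file. It also encodes the LDAP username restriction from the Limitations section; all sample users, realms and nonces are constructed.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def htdigest_entry(user: str, realm: str, password: str) -> str:
    # Same value as the page's htdigest.sh: HA1 = MD5(user:realm:password)
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def parse_htdigest(text: str) -> dict:
    # Map (user, realm) -> HA1. A realm may contain spaces but not colons,
    # and the hex hash never contains a colon, so two splits are enough.
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        table[(user, realm)] = ha1
    return table

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def client_response(user, realm, password, method, uri, nonce) -> str:
    # What a browser sends after a WWW-Authenticate challenge for `realm`
    return digest_response(md5_hex(f"{user}:{realm}:{password}"), method, uri, nonce)

def server_accepts(table, realm, user, method, uri, nonce, response) -> bool:
    # `realm` is the value from auth.require; the HA1 lookup fails (and the
    # login is rejected) when it differs from the realm stored in the file.
    ha1 = table.get((user, realm))
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, method, uri, nonce), response)

# Limitation from the page: the LDAP backend accepts only [a-zA-Z0-9] in the uid
def ldap_username_allowed(name: str) -> bool:
    return re.fullmatch(r"[A-Za-z0-9]+", name) is not None

# Constructed sample file (hypothetical credentials, not the page's example hash)
SAMPLE_HTDIGEST = htdigest_entry("agent007", "download area", "secret") + "\n"
SAMPLE_TABLE = parse_htdigest(SAMPLE_HTDIGEST)
```

Note that nothing here tracks which nonces have already been used, which is exactly the gap the Limitations section describes as allowing a replay.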