Mod auth » History » Revision 59
« Previous |
Revision 59/91
(diff)
| Next »
gstrauss, 2020-06-12 13:20
Module mod_auth - Using Authentication¶
- Table of contents
- Module mod_auth - Using Authentication
Description¶
Authentication and Authorization are very important concepts. lighttpd provides multiple methods and backends for authentication and authorization. You need not understand them all. Instead, choose those that meet your requirements.
Quick Start¶
Here is a simplistic configuration which is not very secure, but is a starting point to get something working and then improve it. Create the auth file and start lighttpd with the following configuration. The entire site will require authentication. Open your browser to the site and log in with username "agent007" and password "secret".echo "agent007:secret" > /tmp/lighttpd-plain.user
# insecure location; temporary
server.modules += ("mod_auth", "mod_authn_file") auth.backend = "plain" auth.backend.plain.userfile = "/tmp/lighttpd-plain.user" # insecure location; temporary; FIX to something better auth.require = ( "" => ("method" => "basic", "realm" => "example", "require" => "valid-user") )
HTTP Auth methods¶
lighttpd supports authentication methods described by RFC 7616 and RFC 7617:
basic¶
The Basic method transfers the username and the password in cleartext over the network (base64 encoded). It is strongly recommended that Basic auth be used over an encrypted channel (HTTPS) between client and server.
digest¶
The Digest method only transfers a hashed value over the network which is much safer than Basic auth, but still cryptographically weak. It is strongly recommended that Digest auth be used over an encrypted channel (HTTPS) between client and server.
HTTP Digest Auth should be preferred over HTTP Basic Auth.
HTTP Auth backends¶
Depending on the method lighttpd provides various way to store the credentials used for authentication.
For basic auth:- plain
- htpasswd
- htdigest
- ldap
- gssapi
- mysql
- pam
- sasl
- plain
- htdigest
plain (mod_authn_file)¶
A file which contains username and the cleartext password separated by a colon. Each entry is terminated by a single newline.
e.g.: agent007:secret
htpasswd (mod_authn_file)¶
A file which contains username and the crypt()'ed password separated by a colon. Each entry is terminated by a single newline.
e.g.: agent007:XWY5JwrAVBXsQ
You can use htpasswd from the apache distribution to manage those files.$ htpasswd lighttpd.user.htpasswd agent007
Keep in mind that not all versions of htpasswd default to use Apache's modified MD5 algorithm for passwords, which is required by lighttpd. You can force most to use MD5 with: $ htpasswd -m <pwfile> <username>
htdigest (mod_authn_file)¶
A file which contains a line per user identification. Each line contains the username, realm, and (MD5 or SHA-256) hash value separated by colons. The hash value is the checksum of a string concatenating the username, realm, and password, separated by colons, e.g.: with user=agent007
realm='download area'
pass='secret'
, the hash is of the string agent007:download area:secret
(Note: prefer printf
over echo
to avoid accidentally hashing a newline along with the string.)
You can use htdigest from the apache distribution to manage an htdigest file.$ htdigest lighttpd.user.htdigest 'download area' agent007
Option for MD5: if you provide $user
, $realm
, and $pass
:$ printf "%s:%s:%s\n" "$user" "$realm" "$(printf "%s" "$user:$realm:$pass" | md5sum | awk '{print $1}')"
agent007:download area:8364d0044ef57b3defcfa141e8f77b65
Option for SHA-256: if you provide $user
, $realm
, and $pass
:$ printf "%s:%s:%s\n" "$user" "$realm" "$(printf "%s" "$user:$realm:$pass" | sha256sum | awk '{print $1}')"
agent007:download area:a8cad3bc8ff829e27b76aeffc1d722d45c4bcb43876515d56688f5bdd92a829e
For another option, see user-contributed script lightdigest.
ldap (mod_authn_ldap)¶
The ldap backend performs the following steps to authenticate a user
- Init the LDAP connection
- Set Protocol version to LDAPv3
- If StartTLS if configured -> Configure CA certificate if supplied
- If StartTLS if configured -> Activate TLS using StartTLS
- If Bind DN is included -> Simple bind with Bind-DN and Bind-Password
- If there is no Bind-DN -> Simple bind anonymously
- Try up to two times a SUBTREE search of the base-DN with the filter applied.
- Retrieve the DN of the user matching the filter.
- Finally, re-init the connection (following the steps above), this time using the DN found using the filter and the password supplied by the user.
If all 9 steps are performed without any error the user is authenticated.
gssapi (mod_authn_gssapi) (kerberos5) (since lighttpd 1.4.42)¶
The gssapi backend authenticates the user against Kerberos5 infrastructure
mysql (mod_authn_mysql) (since lighttpd 1.4.42)¶
The mysql backend authenticates the user against MySQL/MariaDB infrastructure
pam (mod_authn_pam) (since lighttpd 1.4.51)¶
The pam backend authenticates the user against PAM infrastructure, and requires that lighttpd be run as root. Using mod_authn_pam is not recommended except for special-purpose systems where using PAM is required for integration with the existing primary authentication mechanism for the system, e.g. using PAM which is configured with a RADIUS backend to PAM. In general, the system password database should not be directly used by web services if the user accounts have other privileges or access beyond the intended limited access required by the web service.auth.backend.pam.opts = ("service" => "http")
# (default)
/etc/pam.d/http
(example)
auth sufficient pam_unix.so nodelay try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so account required pam_access.so accessfile=/etc/security/http.access.conf
To create
/etc/security/http.access.conf
to define user/group access, see pam_access
sasl (mod_authn_sasl) (since lighttpd 1.4.48)¶
The sasl backend authenticates the user against SASL infrastructure
Configuration template¶
After setting up the backend, edit the authentication configuration file to reflect your backend selected. The following is a configuration template.
################ ## type of backend # plain, htpasswd, htdigest (mod_authn_file) # ldap (mod_authn_ldap) # gssapi (mod_authn_gssapi) # mysql (mod_authn_mysql) # pam (mod_authn_pam) # sasl (mod_authn_sasl) ################ ## for plain, htpasswd, htdigest (mod_authn_file) server.modules += ( "mod_authn_file" ) ## for plain filename of the password storage for plain auth.backend = "plain" auth.backend.plain.userfile = "/path/to/lighttpd-plain.user" ## for htpasswd auth.backend = "htpasswd" auth.backend.htpasswd.userfile = "/path/to/lighttpd-htpasswd.user" ## for htdigest auth.backend = "htdigest" auth.backend.htdigest.userfile = "/path/to/lighttpd-htdigest.user" ################ ## for ldap # the $ in auth.backend.ldap.filter is replaced by the # 'username' from the login dialog # since lighttpd 1.4.46, '?' can be used as placeholder # instead of '$', e.g. "(uid=?)" server.modules += ( "mod_authn_ldap" ) auth.backend = "ldap" auth.backend.ldap.hostname = "localhost" auth.backend.ldap.base-dn = "dc=my-domain,dc=com" auth.backend.ldap.filter = "(uid=$)" # if enabled, startTLS needs a valid (base64-encoded) CA # certificate unless the certificate has been stored # in a c_hashed directory and referenced in ldap.conf auth.backend.ldap.starttls = "enable" auth.backend.ldap.ca-file = "/etc/CAcertificate.pem" # If you need to use a custom bind to access the server auth.backend.ldap.bind-dn = "uid=admin,dc=my-domain,dc=com" auth.backend.ldap.bind-pw = "mysecret" # If you want to allow empty passwords # "disable" for requiring passwords, "enable" for allowing empty passwords auth.backend.ldap.allow-empty-pw = "disable" # LDAP group (https://redmine.lighttpd.net/issues/1817) #auth.backend.ldap.groupmember = "mygroup" ################ ## for gssapi server.modules += ( "mod_authn_gssapi" ) auth.backend = "gssapi" auth.backend.gssapi.keytab = "/path/to/lighttpd.keytab" auth.backend.gssapi.principal = "myhost" ################ ## for mysql server.modules += ( "mod_authn_mysql" ) auth.backend = "mysql" #auth.backend.mysql.host = "" #auth.backend.mysql.user = "" #auth.backend.mysql.pass = "" #auth.backend.mysql.db = "" #auth.backend.mysql.port = "" #auth.backend.mysql.socket = "" auth.backend.mysql.users_table = "mysql_users_table" #auth.backend.mysql.col_user = "user" #auth.backend.mysql.col_pass = "password" #auth.backend.mysql.col_realm = "realm" # defaults above result in query: SELECT password FROM mysql_users_table WHERE user='%s' AND realm='%s' ################ ## for pam server.modules += ( "mod_authn_pam" ) auth.backend = "pam" #auth.backend.pam.opts = ( "service" => "http" ) # default "http" ################ ## for sasl server.modules += ( "mod_authn_sasl" ) auth.backend = "sasl" #auth.backend.sasl.opts = ( "service" => "http", # default "http" # "fqdn" => "hostname", # default current host # "pwcheck_method" => "saslauthd", # default "saslauthd", else one of "saslauthd","auxprop","sasldb" # "sasldb_path" => "path-to-db" # if needed # ) ################ # check REMOTE_USER (if set) against require rules prior to applying auth.backend # REMOTE_USER might be set by another module, e.g. mod_openssl client cert verification # and REMOTE_USER configured with ssl.verifyclient.username) # (since lighttpd 1.4.46) #auth.extern-authn = "enable" ################ ################ ## restrictions # set restrictions: # # auth.require = # ( <url-path-prefix> => # ( "method" => "digest"/"basic", # "realm" => <realm>, # "require" => "user=<username>" ) # ) # # <url-path-prefix> is url-path prefix to match, e.g. "/" # # <algorithm> is the digest algorithm to use with "method" => "digest" # The default digest algorithm MD5 is no longer considered secure. # lighttpd can be configured to use SHA-256 (since lighttpd 1.4.54) # If not specified, MD5 is used for backwards compatibility. # # "algorithm" => "SHA-256" (since 1.4.54) # # <realm> is a string to display in the dialog # presented to the user and is also used for the # digest-algorithm and has to match the realm in the # htdigest file (if used) # # "require" => "valid-user" will authorize any authenticated user # server.modules += ( "mod_auth" ) auth.require = ( "/download/" => ( # method must be either basic or digest "method" => "digest", "algorithm" => "SHA-256", "realm" => "download archiv", "require" => "user=agent007|user=agent008" ), "/server-info" => ( # limit access to server information "method" => "digest", "algorithm" => "SHA-256", "realm" => "download archiv", "require" => "valid-user" ) "/protected-folder/" => ( # "method" => "digest", "algorithm" => "SHA-256", "realm" => "download archiv", "require" => "valid-user" ) ) # Or, using regular expressions: $HTTP["url"] =~ "^/download|^/server-info" { auth.require = ( "" => ( "method" => "digest", "algorithm" => "SHA-256", "realm" => "download archiv", "require" => "user=agent007|user=agent008" ) ) } # Or, if *only* using certificate based authentication along with mod_openssl configured to require client certificates # # client side authentification # ssl.verifyclient.activate = "enable" # ssl.verifyclient.enforce = "enable" # # this line instructs client cert CN value to be extracted # # for use in require user=agent007... in auth.require # ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" auth.require = ( "" => ( "method" => "extern", "realm" => "certificate", "require" => "user=agent007|user=agent008" ) )
Warning¶
mod_rewrite rules (url.rewrite*
, not url.rewrite-if-not-file
) are always executed before everything else, and the request gets restarted. So your mod_auth
configuration must match the rewritten urls!
Limitations¶
The implementation of digest method is compliant with RFC7616 since lighttpd 1.4.41 (#1844))
Excerpt from https://www.rfc-editor.org/rfc/rfc7616.txt Section 5.13:
The bottom line is that any compliant implementation will be
relatively weak by cryptographic standards, but any compliant
implementation will be far superior to Basic Authentication.
Even so, there are limitations and improvements that can be made.
- The implementation of digest method does not prevent some types of replay attacks. (Improved in lighttpd 1.4.56 #2976)
- Digest algorithm="md5-sess" is not correctly implemented in lighttpd, and probably never will be, and so its use is not recommend. (#806) Apache mod_auth_digest also does not implement algorithm="md5-sess".
- LDAP authentication only allows alphanumeric uid's that do not contain punctuations. i.e.) john.doe will come up as "ldap: invalid character (a-zA-Z0-9 allowed) in username: john.doe" (This issue appears to be solved since r2526. See issue #1941) (Fixed in lighttpd 1.4.46)
- As of 1.4.19 the group field inside the require directive is not yet implemented. So auth.backend.plain.groupfile is of no use at this moment. (Note: group support for LDAP is available since lighttpd 1.4.46 (#1817))
- When loaded together with
mod_fastcgi
,mod_auth
must be loaded beforemod_fastcgi
. Or else users will experience long delays when login in and sysadmins will probably not find out the source of the problem due to the lack of meaningful error messages.
See Also¶
lightdigest¶
user-contributed script to manage htdigest files
#!/bin/sh export PATH="/bin:/usr/bin:/usr/sbin:$PATH" # when input ctrl-c, remove lockfile and exit trap '[ $lockstart -eq 1 ] && unlock $pfile && exit 0 || exit 0' INT pfile="/etc/lighttpd/conf.d/lighttpd.user" lockstart=0 remove=0 errmsg() { echo "$1" > /dev/stderr } user_check() { check_user=$1 grep "^${check_user}:" ${pfile} >& /dev/null return $? } lock() { lockfile="$1" lockfile="${lockfile}.lock" [ -f "${lockfile}" ] && { errmsg "WARNING: lock file ${lockfile} is already exists" errmsg " Wait minites for end of previous working ..." } while [ -f "${lockfile}" ]; do echo >& /dev/null ; done touch ${lockfile} lockstart=1 } unlock() { lockfile="$1" lockfile="${lockfile}.lock" [ -f "${lockfile}" ] && rm -f ${lockfile} && lockstart=0 } usage() { errmsg errmsg "lightdigest: lighttpd htdigest password generation program" errmsg "Scripted by JoungKyun.Kim <http://oops.org>" errmsg errmsg "Usage: $0 -[hd] -u user -p pass -r realm [-f password_file]" errmsg "Options:" errmsg " -h print this help messages" errmsg " -u user username" errmsg " -p pass password" errmsg " -r realm realm name" errmsg " -f filename password file [default: /etc/lighttpd/conf.d/lighttpd.user" errmsg " -d remove user" errmsg [ $lockstart -eq 1 ] && rm -f ${pfile}.lock exit 1 } opts=$(getopt df:hp:r:u: $*) [ $? != 0 ] && usage set -- ${opts} for i do case "$i" in -d) remove=1; shift;; -f) pfile="$2"; shift; shift;; -p) pass="$2"; shift; shift;; -r) realm="$2"; shift; shift;; -u) user="$2"; shift; shift;; --) shift; break; esac done #echo $user #echo $realm #echo $pass #echo $pfile #echo $remove [ -z "$user" ] && errmsg "ERROR: User is none!!" && usage [ ${remove} -eq 0 -a -z "${realm}" ] && errmsg "ERROR: Realm is none!!" && usage if [ -z "${pass}" -a ${remove} -eq 0 ]; then echo -n "Input new password : " read newpass echo -n "Reinput password for confirm : " read renewpass if [ "${newpass}" != "${renewpass}" ]; then errmsg "ERROR: Password is not match" exit 1 fi pass=${newpass} fi lock ${pfile} if [ ${remove} -eq 0 ]; then # User Add Mode hash=$(echo -n "${user}:${realm}:${pass}" | md5sum | cut -b -32) user_check ${user} already=$? [ -f "${pfile}" ] && cp -af ${pfile} ${pfile}.bak if [ ${already} -eq 0 ]; then # already exists perl -pi -e "s/^${user}:.*$/${user}:${realm}:${hash}/g" ${pfile} else # add new user echo "${user}:${realm}:${hash}" >> ${pfile} fi else # User Remove Mode tmp_htdigest="/tmp/lighttpd-htdiges.tmp.$$" cp -af ${pfile} ${pfile}.bak grep -v "^${user}:" ${pfile} > ${tmp_htdigest} mv -f ${tmp_htdigest} ${pfile} fi unlock ${pfile} exit 0
To use it (don't use realm value! getopt of some bash version has bug.) :
# if you add or change $ lightdigest -u USERNAME -r REALM_NAME -f PASSWORD_FILE_PATH # if you want to remove use $ lightdigest -d -u USERNAME
Updated by gstrauss over 4 years ago · 91 revisions