mod_auth_digest.html.en revision 07dc96d063d49299da433f84b5c5681da9bbdf68
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>mod_auth_digest - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
</script>
<body>
<div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_auth_digest</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/mod/mod_auth_digest.html" title="English"> en </a> |
<a href="/fr/mod/mod_auth_digest.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a> |
<a href="/ko/mod/mod_auth_digest.html" hreflang="ko" rel="alternate" title="Korean"> ko </a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>User authentication using MD5
Digest Authentication</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>auth_digest_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_auth_digest.c</td></tr></table>
<h3>Summary</h3>
<p>This module implements HTTP Digest Authentication
provides an alternative to <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> where the
password is not transmitted as cleartext. However, this does
<strong>not</strong> lead to a significant security advantage over
basic authentication. On the other hand, the password storage on the
server is much less secure with digest authentication than with
basic authentication. Therefore, using basic auth and encrypting the
whole connection using <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> is a much better
alternative.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="/images/down.gif" /> <a href="#authdigestalgorithm">AuthDigestAlgorithm</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#authdigestnonceformat">AuthDigestNonceFormat</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#authdigestnoncelifetime">AuthDigestNonceLifetime</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#authdigestshmemsize">AuthDigestShmemSize</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
</ul><h3>See also</h3>
<ul class="seealso">
</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="section">
<h2><a name="using" id="using">Using Digest Authentication</a></h2>
<p>To use MD5 Digest authentication, simply
change the normal <code>AuthType Basic</code> and
<code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code>
to <code>AuthType Digest</code> and
<code class="directive"><a href="#authdigestprovider">AuthDigestProvider</a></code>,
when setting up authentication, then add a
<code class="directive"><a href="#authdigestdomain">AuthDigestDomain</a></code> directive containing at least the root
URI(s) for this protection space.</p>
<p>Appropriate user (text) files can be created using the
<div class="example"><h3>Example:</h3><pre class="prettyprint lang-config">
<Location /private/>
AuthType Digest
AuthName "private area"
AuthDigestDomain /private/ http://mirror.my.dom/private2/
AuthDigestProvider file
Require valid-user
</Location>
</pre>
</div>
<div class="note"><h3>Note</h3>
<p>Digest authentication was intended to be more secure than basic
authentication, but no longer fulfills that design goal. A
man-in-the-middle attacker can trivially force the browser to downgrade
to basic authentication. And even a passive eavesdropper can brute-force
the password using today's graphics hardware, because the hashing
algorithm used by digest authentication is too fast. Another problem is
that the storage of the passwords on the server is insecure. The contents
of a stolen htdigest file can be used directly for digest authentication.
Therefore using <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> to encrypt the whole connection is
strongly recommended.</p>
<p><code class="module"><a href="/mod/mod_auth_digest.html">mod_auth_digest</a></code> only works properly on platforms
where APR supports shared memory.</p>
</div>
</div>
<div class="directive-section"><h2><a name="AuthDigestAlgorithm" id="AuthDigestAlgorithm">AuthDigestAlgorithm</a> <a name="authdigestalgorithm" id="authdigestalgorithm">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Selects the algorithm used to calculate the challenge and
response hashes in digest authentication</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestAlgorithm MD5|MD5-sess</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthDigestAlgorithm MD5</code></td></tr>
</table>
<p>The <code class="directive">AuthDigestAlgorithm</code> directive
selects the algorithm used to calculate the challenge and response
hashes.</p>
<div class="note">
<code>MD5-sess</code> is not correctly implemented yet.
</div>
</div>
<div class="directive-section"><h2><a name="AuthDigestDomain" id="AuthDigestDomain">AuthDigestDomain</a> <a name="authdigestdomain" id="authdigestdomain">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>URIs that are in the same protection space for digest
authentication</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestDomain <var>URI</var> [<var>URI</var>] ...</code></td></tr>
</table>
<p>The <code class="directive">AuthDigestDomain</code> directive allows
you to specify one or more URIs which are in the same protection
The specified URIs are prefixes; the client will assume
that all URIs "below" these are also protected by the same
including a scheme, host, port, etc.) or relative URIs.</p>
<p>This directive <em>should</em> always be specified and
contain at least the (set of) root URI(s) for this space.
Omitting to do so will cause the client to send the
Authorization header for <em>every request</em> sent to this
server. Apart from increasing the size of the request, it may
also have a detrimental effect on performance if <code class="directive"><a href="#authdigestnccheck">AuthDigestNcCheck</a></code> is on.</p>
<p>The URIs specified can also point to different servers, in
which case clients (which understand this) will then share
prompting the user each time. </p>
</div>
<div class="directive-section"><h2><a name="AuthDigestNcCheck" id="AuthDigestNcCheck">AuthDigestNcCheck</a> <a name="authdigestnccheck" id="authdigestnccheck">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enables or disables checking of the nonce-count sent by the
server</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestNcCheck On|Off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthDigestNcCheck Off</code></td></tr>
</table>
<div class="note">
Not implemented yet.
</div>
</div>
<div class="directive-section"><h2><a name="AuthDigestNonceFormat" id="AuthDigestNonceFormat">AuthDigestNonceFormat</a> <a name="authdigestnonceformat" id="authdigestnonceformat">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines how the nonce is generated</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestNonceFormat <var>format</var></code></td></tr>
</table>
<div class="note">Not implemented yet.</div>
</div>
<div class="directive-section"><h2><a name="AuthDigestNonceLifetime" id="AuthDigestNonceLifetime">AuthDigestNonceLifetime</a> <a name="authdigestnoncelifetime" id="authdigestnoncelifetime">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>How long the server nonce is valid</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestNonceLifetime <var>seconds</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthDigestNonceLifetime 300</code></td></tr>
</table>
<p>The <code class="directive">AuthDigestNonceLifetime</code> directive
controls how long the server nonce is valid. When the client
contacts the server using an expired nonce the server will send
back a 401 with <code>stale=true</code>. If <var>seconds</var> is
greater than 0 then it specifies the amount of time for which the
nonce is valid; this should probably never be set to less than 10
seconds. If <var>seconds</var> is less than 0 then the nonce never
expires.
</p>
</div>
<div class="directive-section"><h2><a name="AuthDigestProvider" id="AuthDigestProvider">AuthDigestProvider</a> <a name="authdigestprovider" id="authdigestprovider">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the authentication provider(s) for this location</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestProvider <var>provider-name</var>
[<var>provider-name</var>] ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthDigestProvider file</code></td></tr>
</table>
<p>The <code class="directive">AuthDigestProvider</code> directive sets
which provider is used to authenticate the users for this location.
The default <code>file</code> provider is implemented
by the <code class="module"><a href="/mod/mod_authn_file.html">mod_authn_file</a></code> module. Make sure
that the chosen provider module is present in the server.</p>
<p>See <code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code>, <code class="module"><a href="/mod/mod_authn_file.html">mod_authn_file</a></code>,
<code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> and <code class="module"><a href="/mod/mod_authn_socache.html">mod_authn_socache</a></code>
for providers.</p>
</div>
<div class="directive-section"><h2><a name="AuthDigestQop" id="AuthDigestQop">AuthDigestQop</a> <a name="authdigestqop" id="authdigestqop">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines the quality-of-protection to use in digest
authentication</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestQop none|auth|auth-int [auth|auth-int]</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthDigestQop auth</code></td></tr>
</table>
<p>The <code class="directive">AuthDigestQop</code> directive determines
the <dfn>quality-of-protection</dfn> to use. <code>auth</code> will
authentication plus integrity checking (an MD5 hash of the entity
is also computed and checked); <code>none</code> will cause the module
to use the old RFC-2069 digest algorithm (which does not include
integrity checking). Both <code>auth</code> and <code>auth-int</code> may
be specified, in which the case the browser will choose which of
these to use. <code>none</code> should only be used if the browser for
some reason does not like the challenge it receives otherwise.</p>
<div class="note">
<code>auth-int</code> is not implemented yet.
</div>
</div>
<div class="directive-section"><h2><a name="AuthDigestShmemSize" id="AuthDigestShmemSize">AuthDigestShmemSize</a> <a name="authdigestshmemsize" id="authdigestshmemsize">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The amount of shared memory to allocate for keeping track
of clients</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthDigestShmemSize <var>size</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthDigestShmemSize 1000</code></td></tr>
</table>
<p>The <code class="directive">AuthDigestShmemSize</code> directive defines
the amount of shared memory, that will be allocated at the server
startup for keeping track of clients. Note that the shared memory
segment cannot be set less than the space that is necessary for
tracking at least <em>one</em> client. This value is dependent on your
system. If you want to find out the exact value, you may simply
set <code class="directive">AuthDigestShmemSize</code> to the value of
<code>0</code> and read the error message after trying to start the
server.</p>
<p>The <var>size</var> is normally expressed in Bytes, but you
may follow the number with a <code>K</code> or an <code>M</code> to
express your value as KBytes or MBytes. For example, the following
directives are all equivalent:</p>
<pre class="prettyprint lang-config">
AuthDigestShmemSize 1048576
AuthDigestShmemSize 1024K
AuthDigestShmemSize 1M
</pre>
</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="/en/mod/mod_auth_digest.html" title="English"> en </a> |
<a href="/fr/mod/mod_auth_digest.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a> |
<a href="/ko/mod/mod_auth_digest.html" hreflang="ko" rel="alternate" title="Korean"> ko </a></p>
</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html';
(function(w, d) {
if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
d.write('<div id="comments_thread"><\/div>');
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
}
else {
d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
}
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
prettyPrint();
}
//--><!]]></script>
</body></html>