You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
196 lines
4.2 KiB
Plaintext
196 lines
4.2 KiB
Plaintext
19 years ago
|
======================
|
||
|
|
Using Authentification
|
||
|
|
======================
|
||
|
|
|
||
|
|
----------------
|
||
|
|
Module: mod_auth
|
||
|
|
----------------
|
||
|
|
|
||
|
|
:Author: Jan Kneschke
|
||
|
18 years ago
|
:Date: $Date$
|
||
|
|
:Revision: $Revision$
|
||
|
19 years ago
|
|
||
|
|
:abstract:
|
||
|
|
The auth module provides ...
|
||
|
|
|
||
|
|
.. meta::
|
||
|
18 years ago
|
:keywords: lighttpd, authentication
|
||
|
19 years ago
|
|
||
|
|
.. contents:: Table of Contents
|
||
|
|
|
||
|
|
Description
|
||
|
|
===========
|
||
|
|
|
||
|
|
Supported Methods
|
||
|
|
-----------------
|
||
|
|
|
||
|
18 years ago
|
lighttpd supportes both authentication method described by
|
||
|
19 years ago
|
RFC 2617:
|
||
|
|
|
||
|
|
basic
|
||
|
|
`````
|
||
|
|
|
||
|
|
The Basic method transfers the username and the password in
|
||
|
|
cleartext over the network (base64 encoded) and might result
|
||
|
|
in security problems if not used in conjunction with a crypted
|
||
|
|
channel between client and server.
|
||
|
|
|
||
|
|
digest
|
||
|
|
``````
|
||
|
|
|
||
|
|
The Digest method only transfers a hashed value over the
|
||
|
18 years ago
|
network which performs a lot of work to harden the
|
||
|
|
authentication process in insecure networks.
|
||
|
19 years ago
|
|
||
|
|
Backends
|
||
|
|
--------
|
||
|
|
|
||
|
|
Depending on the method lighttpd provides various way to store
|
||
|
18 years ago
|
the credentials used for the authentication.
|
||
|
19 years ago
|
|
||
|
|
for basic auth:
|
||
|
|
|
||
|
|
- plain_
|
||
|
|
- htpasswd_ (crypt only)
|
||
|
|
- htdigest_
|
||
|
|
- ldap_
|
||
|
|
|
||
|
|
for digest auth:
|
||
|
|
|
||
|
|
- plain_
|
||
|
|
- htdigest_
|
||
|
|
|
||
|
|
|
||
|
|
plain
|
||
|
|
`````
|
||
|
|
|
||
|
|
A file which contains username and the cleartext password
|
||
|
|
seperated by a colon. Each entry is terminated by a single
|
||
|
|
newline.::
|
||
|
|
|
||
|
|
e.g.:
|
||
|
|
agent007:secret
|
||
|
|
|
||
|
|
|
||
|
|
htpasswd
|
||
|
|
````````
|
||
|
|
|
||
|
|
A file which contains username and the crypt()'ed password
|
||
|
|
seperated by a colon. Each entry is terminated by a single
|
||
|
|
newline. ::
|
||
|
|
|
||
|
|
e.g.:
|
||
|
|
agent007:XWY5JwrAVBXsQ
|
||
|
|
|
||
|
|
You can use htpasswd from the apache distribution to manage
|
||
|
|
those files. ::
|
||
|
|
|
||
|
|
$ htpasswd lighttpd.user.digest agent007
|
||
|
|
|
||
|
|
|
||
|
|
htdigest
|
||
|
|
````````
|
||
|
|
|
||
|
|
A file which contains username, realm and the md5()'ed
|
||
|
|
password seperated by a colon. Each entry is terminated
|
||
|
|
by a single newline. ::
|
||
|
|
|
||
|
|
e.g.:
|
||
|
|
agent007:download area:8364d0044ef57b3defcfa141e8f77b65
|
||
|
|
|
||
|
|
You can use htdigest from the apache distribution to manage
|
||
|
|
those files. ::
|
||
|
|
|
||
|
|
$ htdigest src/lighttpd.user.digest 'download area' agent007
|
||
|
|
|
||
|
|
Using md5sum can also generate the password-hash: ::
|
||
|
|
|
||
|
|
$ echo -n "agent007:download area:secret" | md5sum -
|
||
|
|
8364d0044ef57b3defcfa141e8f77b65 -
|
||
|
|
|
||
|
|
|
||
|
|
ldap
|
||
|
|
````
|
||
|
|
|
||
|
18 years ago
|
the ldap backend is basically performing the following steps
|
||
|
19 years ago
|
to authenticate a user
|
||
|
|
|
||
|
|
1. connect anonymously (at plugin init)
|
||
|
|
2. get DN for filter = username
|
||
|
|
3. auth against ldap server
|
||
|
|
4. disconnect
|
||
|
|
|
||
|
18 years ago
|
if all 4 steps are performed without any error the user is
|
||
|
19 years ago
|
authenticated
|
||
|
|
|
||
|
|
Configuration
|
||
|
|
=============
|
||
|
|
|
||
|
|
::
|
||
|
|
|
||
|
|
## debugging
|
||
|
|
# 0 for off, 1 for 'auth-ok' messages, 2 for verbose debugging
|
||
|
|
auth.debug = 0
|
||
|
|
|
||
|
|
## type of backend
|
||
|
|
# plain, htpasswd, ldap or htdigest
|
||
|
|
auth.backend = "htpasswd"
|
||
|
|
|
||
|
|
# filename of the password storage for
|
||
|
|
# plain
|
||
|
|
auth.backend.plain.userfile = "lighttpd-plain.user"
|
||
|
|
|
||
|
|
## for htpasswd
|
||
|
|
auth.backend.htpasswd.userfile = "lighttpd-htpasswd.user"
|
||
|
|
|
||
|
|
## for htdigest
|
||
|
|
auth.backend.htdigest.userfile = "lighttpd-htdigest.user"
|
||
|
|
|
||
|
|
## for ldap
|
||
|
|
# the $ in auth.backend.ldap.filter is replaced by the
|
||
|
|
# 'username' from the login dialog
|
||
|
|
auth.backend.ldap.hostname = "localhost"
|
||
|
|
auth.backend.ldap.base-dn = "dc=my-domain,dc=com"
|
||
|
|
auth.backend.ldap.filter = "(uid=$)"
|
||
|
18 years ago
|
# if enabled, startTLS needs a valid (base64-encoded) CA
|
||
|
|
# certificate
|
||
|
|
auth.backend.ldap.starttls = "enable"
|
||
|
|
auth.backend.ldap.cafile = "/etc/CAcertificate.pem"
|
||
|
19 years ago
|
|
||
|
|
## restrictions
|
||
|
|
# set restrictions:
|
||
|
|
#
|
||
|
|
# ( <left-part-of-the-url> =>
|
||
|
|
# ( "method" => "digest"/"basic",
|
||
|
|
# "realm" => <realm>,
|
||
|
|
# "require" => "user=<username>" )
|
||
|
|
# )
|
||
|
|
#
|
||
|
18 years ago
|
# <realm> is a string to display in the dialog
|
||
|
19 years ago
|
# presented to the user and is also used for the
|
||
|
|
# digest-algorithm and has to match the realm in the
|
||
|
|
# htdigest file (if used)
|
||
|
|
#
|
||
|
|
|
||
|
|
auth.require = ( "/download/" =>
|
||
|
|
(
|
||
|
|
"method" => "digest",
|
||
|
|
"realm" => "download archiv",
|
||
|
|
"require" => "user=agent007|user=agent008"
|
||
|
|
),
|
||
|
|
"/server-info" =>
|
||
|
|
(
|
||
|
|
"method" => "digest",
|
||
|
|
"realm" => "download archiv",
|
||
|
|
"require" => "user=jan"
|
||
|
|
)
|
||
|
|
)
|
||
|
|
|
||
|
18 years ago
|
Limitations
|
||
|
19 years ago
|
============
|
||
|
|
|
||
|
|
- The implementation of digest method is currently not
|
||
|
18 years ago
|
completely compliant with the standard as it still allows
|
||
|
19 years ago
|
a replay attack.
|
||
|
|
|