1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 3 4<html xmlns="http://www.w3.org/1999/xhtml"> 5 <head> 6 <title>Authentication, Authorization, and Access Control</title> 7 </head> 8 9 <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" 10 vlink="#000080" alink="#FF0000"> 11 <div align="CENTER"> 12 <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> 13 14 <h3>Apache HTTP Server Version 1.3</h3> 15 </div> 16 17 18 19<h1 align="center">Authentication, Authorization, and Access 20Control</h1> 21 22 <a name="TOC"></a> 23 24 <ul> 25 <li><a href="#intro">Introduction</a></li> 26 <li> 27 <a href="#basic">Basic authentication</a> 28 29 <ul> 30 <li><a href="#basicworks">How basic 31 authentication works</a></li> 32 33 <li> 34 <a href="#basicconfig">Configuration: 35 Protecting content with basic authentication</a> 36 37 </li> 38 39 <li> 40 <a href="#basicfaq">Frequently asked 41 questions about basic auth</a> 42 </li> 43 44 <li><a href="#basiccaveat">Security 45 caveat</a></li> 46 </ul> 47 <br /> 48 </li> 49 50 <li> 51 <a href="#digest">Digest authentication</a> 52 53 <ul> 54 <li><a href="#digestworks">How digest auth 55 works</a></li> 56 57 <li> 58 <a href="#digestconfig">Configuration: 59 Protecting content with digest authentication</a> 60 </li> 61 62 <li><a href="#digestcaveat">Caveats</a></li> 63 </ul> 64 <br /> 65 </li> 66 67 <li> 68 <a href="#database">Database authentication 69 modules</a> 70 71 <ul> 72 <li><a href="#modauthdb">mod_auth_db and 73 mod_auth_dbm</a></li> 74 75 <li><a href="#dbfiles">Berkeley DB files</a></li> 76 77 <li><a href="#installauthdb">Installing mod_auth_db</a></li> 78 79 <li> 80 <a href="#authdbconfig">Protecting a 81 directory with mod_auth_db</a> 82 </li> 83 </ul> 84 <br /> 85 </li> 86 87 <li> 88 <a href="#access">Access control</a> 89 90 <ul> 91 <li><a href="#allowdeny">Allow and Deny</a></li> 92 93 <li><a href="#satisfy">Satisfy</a></li> 94 </ul> 95 <br /> 96 </li> 97 98 <li><a href="#summary">Summary</a></li> 99 </ul> 100 <!--End of Table of Child-Links--> 101 <hr /> 102 103 <h1><a name="auth"></a><br /> 104 Authentication, Authorization, and Access Control</h1> 105 106 <h1><a name="intro">Introduction</a></h1> 107 108 <p>Apache has three distinct ways of dealing with the question 109 of whether a particular request for a resource will result in 110 that resource actually be returned. These criteria are called 111 <i>Authorization</i>, <i>Authentication</i>, and <i>Access 112 control</i>.</p> 113 114 <p>Authentication is any process by which you verify that 115 someone is who they claim they are. This usually involves a 116 username and a password, but can include any other method of 117 demonstrating identity, such as a smart card, retina scan, 118 voice recognition, or fingerprints. Authentication is 119 equivalent to showing your drivers license at the ticket 120 counter at the airport.</p> 121 122 <p>Authorization is finding out if the person, once identified, 123 is permitted to have the resource. This is usually determined 124 by finding out if that person is a part of a particular group, 125 if that person has paid admission, or has a particular level of 126 security clearance. Authorization is equivalent to checking the 127 guest list at an exclusive party, or checking for your ticket 128 when you go to the opera.</p> 129 130 <p>Finally, access control is a much more general way of 131 talking about controlling access to a web resource. Access can 132 be granted or denied based on a wide variety of criteria, such 133 as the network address of the client, the time of day, the 134 phase of the moon, or the browser which the visitor is using. 135 Access control is analogous to locking the gate at closing 136 time, or only letting people onto the ride who are more than 48 137 inches tall - it's controlling entrance by some arbitrary 138 condition which may or may not have anything to do with the 139 attributes of the particular visitor.</p> 140 141 <p>Because these three techniques are so closely related in 142 most real applications, it is difficult to talk about them 143 separate from one another. In particular, authentication and 144 authorization are, in most actual implementations, 145 inextricable.</p> 146 147 <p>If you have information on your web site that is sensitive, 148 or intended for only a small group of people, the techniques in 149 this tutorial will help you make sure that the people that see 150 those pages are the people that you wanted to see them.</p> 151 152 <h1><a name="basic"></a>Basic authentication</h1> 153 154 <p>As the name implies, basic authentication is the simplest 155 method of authentication, and for a long time was the most 156 common authentication method used. However, other methods of 157 authentication have recently passed basic in common usage, due 158 to usability issues that will be discussed in a minute.</p> 159 160 <h2><a name="basicworks"></a><br /> 161 How basic authentication works</h2> 162 163 <p>When a particular resource has been protected using basic 164 authentication, Apache sends a <tt>401 Authentication 165 Required</tt> header with the response to the request, in order 166 to notify the client that user credentials must be supplied in 167 order for the resource to be returned as requested.</p> 168 169 <p>Upon receiving a <tt>401</tt> response header, the client's 170 browser, if it supports basic authentication, will ask the user 171 to supply a username and password to be sent to the server. If 172 you are using a graphical browser, such as Netscape or Internet 173 Explorer, what you will see is a box which pops up and gives 174 you a place to type in your username and password, to be sent 175 back to the server. If the username is in the approved list, 176 and if the password supplied is correct, the resource will be 177 returned to the client.</p> 178 179 <p>Because the HTTP protocol is stateless, each request will be 180 treated in the same way, even though they are from the same 181 client. That is, every resource which is requested from the 182 server will have to supply authentication credentials over 183 again in order to receive the resource.</p> 184 185 <p>Fortunately, the browser takes care of the details here, so 186 that you only have to type in your username and password one 187 time per browser session - that is, you might have to type it 188 in again the next time you open up your browser and visit the 189 same web site.</p> 190 191 <p>Along with the <tt>401</tt> response, certain other 192 information will be passed back to the client. In particular, 193 it sends a name which is associated with the protected area of 194 the web site. This is called the <i>realm</i>, or just the 195 authentication name. The client 196 browser caches the username and password that you supplied, and 197 stores it along with the authentication realm, so that if other 198 resources are requested from the same realm, the same username 199 and password can be returned to authenticate that request 200 without requiring the user to type them in again. This caching 201 is usually just for the current browser session, but some 202 browsers allow you to store them permanently, so that you never 203 have to type in your password again.</p> 204 205 <p>The authentication name, or realm, will appear in the pop-up 206 box, in order to identify what the username and password are 207 being requested for.</p> 208 209 <h2><a name="basicconfig"></a> 210 Configuration: Protecting content with basic 211 authentication</h2> 212 213 <p>There are two configuration steps which you must complete in 214 order to protect a resource using basic authentication. Or 215 three, depending on what you are trying to do.</p> 216 217 <ol> 218 <li>Create a password file</li> 219 220 <li>Set the configuration to use this password file</li> 221 222 <li>Optionally, create a group file</li> 223 </ol> 224 225 <h3><a name="htpasswd"></a><br /> 226 Create a password file</h3> 227 228 <p>In order to determine whether a particular username/password 229 combination is valid, the username and password supplied by the 230 user will need to be compared to some authoritative listing of 231 usernames and password. This is the password file, which you 232 will need to create on the server side, and populate with valid 233 users and their passwords.</p> 234 235 <p>Because this file contains sensitive information, it should 236 be stored outside of the document directory. Although, as you 237 will see in a moment, the passwords are encrypted in the file, 238 if a cracker were to gain access to the file, it would be an 239 aid in their attempt to figure out the passwords. And, because 240 people tend to be sloppy with the passwords that they choose, 241 and use the same password for web site authentication as for 242 their bank account, this potentially be a very serious breach 243 of security, even if the content on your web site is not 244 particularly sensitive.</p> 245 246 <p><b>Caution:</b> Encourage your users to use a different 247 password for your web site than for other more essential 248 things. For example, many people tend to use two passwords - 249 one for all of their extremely important things, such as the 250 login to their desktop computer, and for their bank account, 251 and another for less sensitive things, the compromise of which 252 would be less serious.</p> 253 254 <p>To create the password file, use the <tt>htpasswd</tt> 255 utility that came with Apache. This will be located in the 256 <tt>bin</tt> directory of wherever you installed Apache. For 257 example, it will probably be located at 258 <tt>/usr/local/apache/bin/htpasswd</tt> if you installed Apache 259 from source.</p> 260 261 <p>To create the file, type:</p> 262<pre> 263htpasswd -c /usr/local/apache/passwd/passwords username 264</pre> 265 266 <p><tt>htpasswd</tt> will ask you for the password, and then 267 ask you to type it again to confirm it:</p> 268<pre> 269# htpasswd -c /usr/local/apache/passwd/passwords rbowen 270New password: mypassword 271Re-type new password: mypassword 272Adding password for user rbowen 273</pre> 274 275 <p>Note that in the example shown, a password file is being 276 created containing a user called <tt>rbowen</tt>, and this 277 password file is being placed in the location 278 <tt>/usr/local/apache/passwd/passwords</tt>. You will 279 substitute the location, and the username, which you want to 280 use to start your password file.</p> 281 282 <p>If <tt>htpasswd</tt> is not in your path, you will have to 283 type the full path to the file to get it to run. That is, in 284 the example above, you would replace <tt>htpasswd</tt> with 285 <tt>/usr/local/apache/bin/htpasswd</tt></p> 286 287 <p>The <tt>-c</tt> flag is used only when you are creating a 288 new file. After the first time, you will omit the <tt>-c</tt> 289 flag, when you are adding new users to an already-existing 290 password file.</p> 291<pre> 292htpasswd /usr/local/apache/passwd/passwords sungo 293</pre> 294 295 <p>The example just shown will add a user named <tt>sungo</tt> 296 to a password file which has already been created earlier. As 297 before, you will be asked for the password at the command line, 298 and then will be asked to confirm the password by typing it 299 again.</p> 300 301 <p><b>Caution:</b> Be very careful when you add new users to an 302 existing password file that you don't use the <tt>-c</tt> flag 303 by mistake. Using the <tt>-c</tt> flag will create a new 304 password file, even if you already have an existing file of 305 that name. That is, it will remove the contents of the file 306 that is there, and replace it with a new file containing only 307 the one username which you were adding.</p> 308 309 <p>The password is stored in the password file in encrypted 310 form, so that users on the system will not be able to read the 311 file and immediately determine the passwords of all the users. 312 Nevertheless, you should store the file in as secure a location 313 as possible, with whatever minimum permissions on the file so 314 that the web server itself can read the file. For example, if 315 your server is configured to run as user <tt>nobody</tt> and 316 group <tt>nogroup</tt>, then you should set permissions on the 317 file so that only the webserver can read the file and only 318 root can write to it:</p> 319<pre> 320chown root.nogroup /usr/local/apache/passwd/passwords 321chmod 640 /usr/local/apache/passwd/passwords 322</pre> 323 324 <p>On Windows, a similar precaution should be taken, changing 325 the ownership of the password file to the web server user, so 326 that other users cannot read the file.</p> 327 328 <h3><a name="htpasswdconfig"></a><br /> 329 Set the configuration to use this password file</h3> 330 331 <p>Once you have created the password file, you need to tell 332 Apache about it, and tell Apache to use this file in order to 333 require user credentials for admission. This configuration is 334 done with the following directives:</p> 335 336 <table cellpadding="3"> 337 <tr> 338 <td align="left">AuthType</td> 339 340 <td align="left" valign="top" width="360">Authentication 341 type being used. In this case, it will be set to 342 <tt>Basic</tt></td> 343 </tr> 344 345 <tr> 346 <td align="left">AuthName</td> 347 348 <td align="left" valign="top" width="360">The 349 authentication realm or name</td> 350 </tr> 351 352 <tr> 353 <td align="left">AuthUserFile</td> 354 355 <td align="left" valign="top" width="360">The location of 356 the password file</td> 357 </tr> 358 359 <tr> 360 <td align="left">AuthGroupFile</td> 361 362 <td align="left" valign="top" width="360">The location of 363 the group file, if any</td> 364 </tr> 365 366 <tr> 367 <td align="left">Require</td> 368 369 <td align="left" valign="top" width="360">The 370 requirement(s) which must be satisfied in order to grant 371 admission</td> 372 </tr> 373 </table> 374 375 <p>These directives may be placed in a <tt>.htaccess</tt> file 376 in the particular directory being protected, or may go in the 377 main server configuration file, in a <tt><Directory></tt> 378 section, or other scope container.</p> 379 380 <p>The example shown below defines an authentication realm 381 called ``By Invitation Only''. The password file located at 382 <tt>/usr/local/apache/passwd/passwords</tt> will be used to 383 verify the user's identity. Only users named <tt>rbowen</tt> or 384 <tt>sungo</tt> will be granted access, and even then only if 385 they provide a password which matches the password stored in 386 the password file.</p> 387<pre> 388AuthType Basic 389AuthName "By Invitation Only" 390AuthUserFile /usr/local/apache/passwd/passwords 391Require user rbowen sungo 392</pre> 393 394 <p>The phrase ``By Invitation Only'' will be displayed in the 395 password pop-up box, where the user will have to type their 396 credentials.</p> 397 398 <p>You will need to restart your Apache server in order for the 399 new configuration to take effect, if these directives were put 400 in the main server configuration file. Directives placed in 401 <tt>.htaccess</tt> files take effect immediately, since 402 <tt>.htaccess</tt> files are parsed each time files are 403 served.</p> 404 405 <p>The next time that you load a file from that directory, you 406 will see the familiar username/password dialog box pop up, 407 requiring that you type the username and password before you 408 are permitted to proceed.</p> 409 410 <p>Note that in addition to specifically listing the users to 411 whom you want to grant access, you can specify that any valid 412 user should be let in. This is done with the 413 <tt>valid-user</tt> keyword:</p> 414<pre> 415Require valid-user 416</pre> 417 418 <h3><a name="basicgroupfile"></a><br /> 419 Optionally, create a group file</h3> 420 421 <p>Most of the time, you will want more than one, or two, or 422 even a dozen, people to have access to a resource. You want to 423 be able to define a group of people that have access to that 424 resource, and be able to manage that group of people, adding 425 and removing members, without having to edit the server 426 configuration file, and restart Apache, each time.</p> 427 428 <p>This is handled using authentication groups. An 429 authentication group is, as you would expect, a group name 430 associated with a list of members. This list is stored in a 431 group file, which should be stored in the same location as the 432 password file, so that you are able to keep track of these 433 things.</p> 434 435 <p>The format of the group file is exceedingly simple. A group 436 name appears first on a line, followed by a colon, and then a 437 list of the members of the group, separated by spaces. For 438 example:</p> 439<pre> 440authors: rich daniel allan 441</pre> 442 443 <p>Once this file has been created, you can <tt>Require</tt> 444 that someone be in a particular group in order to get the 445 requested resource. This is done with the 446 <tt>AuthGroupFile</tt> directive, as shown in the following 447 example.</p> 448<pre> 449AuthType Basic 450AuthName "Apache Admin Guide Authors" 451AuthUserFile /usr/local/apache/passwd/passwords 452AuthGroupFile /usr/local/apache/passwd/groups 453Require group authors 454</pre> 455 456 <p>The authentication process is now one step more involved. 457 When a request is received, and the requested username and 458 password are supplied, the group file is first checked to see 459 if the supplied username is even in the required group. If it 460 is, then the password file will be checked to see if the 461 username is in there, and if the supplied password matches the 462 password stored in that file. If any of these steps fail, 463 access will be forbidden.</p> 464 465 <h2><a name="basicfaq"></a><br /> 466 Frequently asked questions about basic auth</h2> 467 468 <p>The following questions tend to get asked very frequently 469 with regard to basic authentication. It should be understood 470 that basic authentication is very basic, and so is limited to 471 the set of features that has been presented above. Most of the 472 more interesting things that people tend to want, need to be 473 implemented using some alternate authentication scheme.</p> 474 475 <h3><a name="logout"></a><br /> 476 How do I log out?</h3> 477 478 <p>Since browsers first started implementing basic 479 authentication, website administrators have wanted to know how 480 to let the user log out. Since the browser caches the username 481 and password with the authentication realm, as described 482 earlier in this tutorial, this is not a function of the server 483 configuration, but is a question of getting the browser to 484 forget the credential information, so that the next time the 485 resource is requested, the username and password must be 486 supplied again. There are numerous situations in which this is 487 desirable, such as when using a browser in a public location, 488 and not wishing to leave the browser logged in, so that the 489 next person can get into your bank account.</p> 490 491 <p>However, although this is perhaps the most frequently asked 492 question about basic authentication, thus far none of the major 493 browser manufacturers have seen this as being a desirable 494 feature to put into their products.</p> 495 496 <p>Consequently, the answer to this question is, you can't. 497 Sorry.</p> 498 499 <h3><a name="passworddialog"></a><br /> 500 How can I change what the password box looks like?</h3> 501 502 <p>The dialog that pops up for the user to enter their username 503 and password is ugly. It contains text that you did not 504 indicate that you wanted in there. It looks different in 505 Internet Explorer and Netscape, and contains different text. 506 And it asks for fields that the user might not understand - 507 for example, Netscape asks the user to type in their ``User 508 ID'', and they might not know what that means. Or, you might 509 want to provide additional explanatory text so that the user 510 has a better idea what is going on.</p> 511 512 <p>Unfortunately, these things are features of the browser, and 513 cannot be controlled from the server side. If you want the 514 login to look different, then you will need to implement your 515 own authentication scheme. There is no way to change what this 516 login box looks like if you are using basic authentication.</p> 517 518 <h3><a name="persistpass"></a><br /> 519 How to I make it not ask me for my password the next 520 time?</h3> 521 522 <p>Because most browsers store your password information only 523 for the current browser session, when you close your browser it 524 forgets your username and password. So, when you visit the same 525 web site again, you will need to re-enter your username and 526 password.</p> 527 528 <p>There is nothing that can be done about this on the server 529 side.</p> 530 531 <p>However, the most recent versions of the major browsers 532 contain the ability to remember your password forever, so that 533 you never have to log in again. While it is debatable whether 534 this is a good idea, since it effectively overrides the entire 535 point of having security in the first place, it is certainly 536 convenient for the user, and simplifies the user 537 experience.</p> 538 539 <h3><a name="passwordtwice"></a><br /> 540 Why does it sometimes ask me for my password twice?</h3> 541 542 <p>When entering a password-protected web site for the first 543 time, you will occasionally notice that you are asked for your 544 password twice. This may happen immediately after you entered 545 the password the first time, or it may happen when you click on 546 the first link after authenticating the first time.</p> 547 548 <p>This happens for a very simple, but nonetheless confusing, 549 reason, again having to do with the way that the browser caches 550 the login information.</p> 551 552 <p>Login information is stored on the browser based on the 553 authentication realm, specified by the <tt>AuthName</tt> 554 directive, and by the server name. In this way, the browser can 555 distinguish between the <tt>Private</tt> authentication realm 556 on one site and on another. So, if you go to a site using one 557 name for the server, and internal links on the server refer to 558 that server by a different name, the browser has no way to know 559 that they are in fact the same server.</p> 560 561 <p>For example, if you were to visit the URL 562 <tt>http://example.com/private/</tt>, which required 563 authentication, your browser would remember the supplied 564 username and password, associated with the hostname 565 <tt>example.com</tt>. If, by virtue of an internal redirect, or 566 fully-qualified HTML links in pages, you are then sent to the 567 URL <tt>http://www.example.com/private/</tt>, even though this 568 is really exactly the same URL, the browser does not know this 569 for sure, and is forced to request the authentication 570 information again, since <tt>example.com</tt> and 571 <tt>www.example.com</tt> are not exactly the same hostname. 572 Your browser has no particular way to know that these are the 573 same web site.</p> 574 575 <h2><a name="basiccaveat"></a><br /> 576 Security caveat</h2> 577 578 <p>Basic authentication should not be considered secure for any 579 particularly rigorous definition of secure.</p> 580 581 <p>Although the password is stored on the server in encrypted 582 format, it is passed from the client to the server in plain 583 text across the network. Anyone listening with any variety of 584 packet sniffer will be able to read the username and password 585 in the clear as it goes across.</p> 586 587 <p>Not only that, but remember that the username and password 588 are passed with every request, not just when the user first 589 types them in. So the packet sniffer need not be listening at a 590 particularly strategic time, but just for long enough to see 591 any single request come across the wire.</p> 592 593 <p>And, in addition to that, the content itself is also going 594 across the network in the clear, and so if the web site 595 contains sensitive information, the same packet sniffer would 596 have access to that information as it went past, even if the 597 username and password were not used to gain direct access to 598 the web site.</p> 599 600 <p>Don't use basic authentication for anything that requires 601 real security. It is a detriment for most users, since very few 602 people will take the trouble, or have the necessary software 603 and/or equipment, to find out passwords. However, if someone 604 had a desire to get in, it would take very little for them to 605 do so.</p> 606 607 <p>Basic authentication across an SSL connection, however, will be 608 secure, since everything is going to be encrypted, including the 609 username and password.</p> 610 611 <h1><a name="digest"></a>Digest authentication</h1> 612 613 <p>Addressing one of the security caveats of basic 614 authentication, digest authentication provides an alternate 615 method for protecting your web content. However, it to has a 616 few caveats.</p> 617 618 <h2><a name="digestworks">How digest auth works</a></h2> 619 620 <p>Digest authentication is implemented by the module 621 <tt>mod_auth_digest</tt>. There is an older module, 622 <tt>mod_digest</tt>, which implemented an older version of the 623 digest authentication specification, but which will probably 624 not work with newer browsers.</p> 625 626 <p>Using digest authentication, your password is never sent 627 across the network in the clear, but is always transmitted as 628 an MD5 digest of the user's password. In this way, the password 629 cannot be determined by sniffing network traffic.</p> 630 631 <p>The full specification of digest authentication can be seen 632 in the internet standards document RFC 2617, which you can see 633 at <tt>http://www1.ics.uci.edu/pub/ietf/http/rfc2617.txt</tt>. 634 Additional information and resources about MD5 can be found at 635 <tt>http://userpages.umbc.edu/ mabzug1/cs/md5/md5.html</tt></p> 636 637 <h2><a name="digestconfig"></a>Configuration: 638 Protecting content with digest authentication</h2> 639 640 <p>The steps for configuring your server for digest 641 authentication are very similar for those for basic 642 authentication.</p> 643 644 <ol> 645 <li>Create the password file</li> 646 647 <li>Set the configuration to use this password file</li> 648 649 <li>Optionally, create a group file</li> 650 </ol> 651 652 <h3><a name="htdigest"></a>Creating a password file</h3> 653 654 <p>As with basic authentication, a simple utility is provided 655 to create and maintain the password file which will be used to 656 determine whether a particular user's name and password are 657 valid. This utility is called <tt>htdigest</tt>, and will be 658 located in the <tt>bin</tt> directory of wherever you installed 659 Apache. If you installed Apache from some variety of package 660 manager, <tt>htdigest</tt> is likely to have been placed 661 somewhere in your path.</p> 662 663 <p>To create a new digest password file, type:</p> 664<pre> 665htdigest -c /usr/local/apache/passwd/digest realm username 666</pre> 667 668 <p><tt>htdigest</tt> will ask you for the desired password, and 669 then ask you to type it again to confirm it.</p> 670 671 <p>Note that the realm for which the authentication will be 672 required is part of the argument list.</p> 673 674 <p>Once again, as with basic authentication, you are encouraged 675 to place the generated file somewhere outside of the document 676 directory.</p> 677 678 <p>And, as with the <tt>htpasswd</tt> utility, the <tt>-c</tt> 679 flag creates a new file, or, if a file of that name already 680 exists, deletes the contents of that file and generates a new 681 file in its place. Omit the <tt>-c</tt> flag in order to add 682 new user information to an existing password file.</p> 683 684 <h3><a name="htdigestconfig"></a>Set the configuration 685 to use this password file</h3> 686 687 <p>Once you have created a password file, you need to tell 688 Apache about it in order to start using it as a source of 689 authenticated user information. This configuration is done with 690 the following directives:</p> 691 692 <table cellpadding="3"> 693 <tr> 694 <td align="left">AuthType</td> 695 696 <td align="left" valign="top" width="360">Authentication 697 type being used. In this case, it will be set to 698 <tt>Digest</tt></td> 699 </tr> 700 701 <tr> 702 <td align="left">AuthName</td> 703 704 <td align="left" valign="top" width="360">The 705 authentication realm or name</td> 706 </tr> 707 708 <tr> 709 <td align="left">AuthDigestFile</td> 710 711 <td align="left" valign="top" width="360">The location of 712 the password file</td> 713 </tr> 714 715 <tr> 716 <td align="left">AuthDigestGroupFile</td> 717 718 <td align="left" valign="top" width="360">Location of the 719 group file, if any</td> 720 </tr> 721 722 <tr> 723 <td align="left">Require</td> 724 725 <td align="left" valign="top" width="360">The 726 requirement(s) which must be satisfied in order to grant 727 admission</td> 728 </tr> 729 </table> 730 731 <p>These directives may be placed in a <tt>.htaccess</tt> file 732 in the particular directory being protected, or may go in the 733 main server configuration file, in a <tt><Directory></tt> 734 section, or another scope container.</p> 735 736 <p>The following example defines an authentication realm called 737 "Private". The password file located at 738 <tt>/usr/local/apache/passwd/digest</tt> will be used to verify 739 the user's identity. Only users named <tt>drbacchus</tt> or 740 <tt>dorfl</tt> will be granted access, if they provide a 741 password that patches the password stored in the password 742 file.</p> 743<pre> 744AuthType Digest 745AuthName "Private" 746AuthDigestFile /usr/local/apache/passwd/digest 747Require user drbacchus dorfl 748</pre> 749 750 <p>The phrase "Private" will be displayed in the password 751 pop-up box, where the user will have to type their 752 credentials.</p> 753 754 <h3><a name="digestgroup"></a>Optionally, create a group file</h3> 755 756 <p>As you have observed, there are not many differences between 757 this configuration process and that required by basic 758 authentication, described in the previous section. This is true 759 also of group functionality. The group file used for digest 760 authentication is exactly the same as that used for basic 761 authentication. That is to say, lines in the group file consist 762 the name of the group, a colon, and a list of the members of 763 that group. For example:</p> 764<pre> 765admins: jim roy ed anne 766</pre> 767 768 <p>Once this file has been created, you can <tt>Require</tt> 769 that someone be in a particular group in order to get the 770 requested resource. This is done with the 771 <tt>AuthDigestGroupFile</tt> directive, as shown in the 772 following example.</p> 773<pre> 774AuthType Digest 775AuthName "Private" 776AuthDigestFile /usr/local/apache/passwd/digest 777AuthDigestGroupFile /usr/local/apache/passwd/digest.groups 778Require group admins 779</pre> 780 781 <p>The authentication process is the same as that used by basic 782 authentication. It is first verified that the user is in the 783 required group, and, if this is true, then the password is 784 verified.</p> 785 786 <h2><a name="digestcaveat">Caveats</a></h2> 787 788 <p>Before you leap into using digest authentication instead of 789 basic authentication, there are a few things that you should 790 know about.</p> 791 792 <p>Most importantly, you need to know that, although digest 793 authentication has this great advantage that you don't send 794 your password across the network in the clear, it is not 795 supported by all major browsers in use today, and so you should 796 not use it on a web site on which you cannot control the 797 browsers that people will be using, such as on your intranet 798 site. In particular, Opera 4.0 or later, Microsoft Internet 799 Explorer 5.0 or later, Mozilla 1.0.1 and Netscape 7 or later 800 as well as Amaya support digest authentication, while various 801 other browsers do not.</p> 802 803 <p>Next, with regard to security considerations, you should 804 understand two things. Although your password is not passed in 805 the clear, all of your data is, and so this is a rather small 806 measure of security. And, although your password is not really 807 sent at all, but a digest form of it, someone very familiar 808 with the workings of HTTP could use that information - just 809 your digested password - and use that to gain access to the 810 content, since that digested password is really all the 811 information required to access the web site.</p> 812 813 <p>The moral of this is that if you have content that really 814 needs to be kept secure, use SSL.</p> 815 816 <h1><a name="database">Database authentication 817 modules</a></h1> 818 819 <p>Basic authentication and digest authentication both suffer 820 from the same major flaw. They use text files to store the 821 authentication information. The problem with this is that 822 looking something up in a text file is very slow. It's rather 823 like trying to find something in a book that has no index. You 824 have to start at the beginning, and work through it one page at 825 a time until you find what you are looking for. Now imagine 826 that the next time you need to find the same thing, you don't 827 remember where it was before, so you have to start at the 828 beginning again, and work through one page at a time until you 829 find it again. And the next time. And the time after that.</p> 830 831 <p>Since HTTP is stateless, authentication has to be verified 832 every time that content is requested. And so every time a 833 document is accessed which is secured with basic or digest 834 authentication, Apache has to open up those text password files 835 and look through them one line at a time, until it finds the 836 user that is trying to log in, and verifies their password. In 837 the worst case, if the username supplied is not in there at 838 all, every line in the file will need to be checked. On 839 average, half of the file will need to be read before the user 840 is found. This is very slow.</p> 841 842 <p>While this is not a big problem for small sets of users, 843 when you get into larger numbers of users (where "larger" means 844 a few hundred) this becomes prohibitively slow. In many cases, 845 in fact, valid username/password combinations will get rejected 846 because the authentication module just had to spend so much 847 time looking for the username in the file that Apache will just 848 get tired of waiting and return a failed authentication.</p> 849 850 <p>In these cases, you need an alternative, and that 851 alternative is to use some variety of database. Databases are 852 optimized for looking for a particular piece of information in 853 a very large data set. It builds indexes in order to rapidly 854 locate a particular record, and they have query languages for 855 swiftly locating records that match particular criteria.</p> 856 857 <p>There are numerous modules available for Apache to 858 authenticate using a variety of different databases. In this 859 section, we'll just look at two modules which ship with Apache. 860 </p> 861 862 <h2><a name="modauthdb"></a>mod_auth_db and mod_auth_dbm</h2> 863 864 <p><tt>mod_auth_db</tt> and <tt>mod_auth_dbm</tt> are modules 865 which lets you keep your usernames and passwords in DB or DBM 866 files. There are few practical differences between DB files and 867 DBM files. And, on some operating systems, such as various 868 BSDs, and Linux, they are exactly the same thing. You should 869 pick whichever of the two modules makes the most sense on your 870 particular platform of choice. If you do not have DB support on 871 your platform, you may need to install it. You download an 872 implementation of DB at <tt>http://www.sleepycat.com/</tt>. 873 874 <h2><a name="dbfiles"></a>Berkeley DB files</h2> 875 876 <p>DB files, also known as Berkeley database files, are the 877 simplest form of database, and are rather ideally suited for 878 the sort of data that needs to be stored for HTTP 879 authentication. DB files store key/value pairs. That is, the 880 name of a variable, and the value of that variable. While other 881 databases allow the storage of many fields in a given record, a 882 DB file allows only this pairing of key and value.<a 883 name="foot1_return" href="#foot1"><sup>1</sup></a> This is ideal for 884 authentication, which requires only the pair of a username and 885 password.</p> 886 887 <h2><a name="installauthdb">Installing mod_auth_db</a></h2> 888 889 <p>For the purposes of this tutorial, we'll talk about 890 installing and configuring <tt>mod_auth_db</tt>. However, 891 everything that is said here can be directly applied to 892 <tt>mod_auth_dbm</tt> by simply replacing 'db' with 'dbm' and 893 'DB' with 'DBM' in the various commands, file names, and 894 directives.</p> 895 896 <p>Since <tt>mod_auth_db</tt> is not compiled in by default, 897 you will need to rebuild Apache in order to get the 898 functionality, unless you built in everything when we started. 899 Note that if you installed Apache with shared object 900 support, you may be able to just build the module and load it 901 in to Apache.</p> 902 903 <p>To build Apache from scratch with <tt>mod_auth_db</tt> built 904 in, use the following <tt>./configure</tt> line in your apache 905 source code directory.</p> 906<pre> 907./configure --enable-module=auth_db 908</pre> 909 910 <p>Or, if you had a more complex <tt>configure</tt> command 911 line, you can just add the <tt>-enable-module=auth_db</tt> 912 option to that command line, and you'll get 913 <tt>mod_auth_db</tt> built into your server.</p> 914 915 <h2><a name="authdbconfig">Protecting a directory with 916 mod_auth_db</a></h2> 917 918 <p>Once you have compiled the <tt>mod_auth_db</tt> module, and 919 loaded it into your web server, you'll find that there's very 920 little difference between using regular authentication and 921 using <tt>mod_auth_db</tt> authentication. The procedure is the 922 same as that we went through with basic and digest 923 authentication:</p> 924 925 <ol> 926 <li>Create the user file.</li> 927 928 <li>Configure Apache to use that file for 929 authentication.</li> 930 931 <li>Optionally, create a group file.</li> 932 </ol> 933 934 <h3><a name="dbmmanage"></a>Create the user file</h3> 935 936 <p>The user file for authentication is, this time, not a flat 937 text file, but is a DB file<a name="foot2_return" 938 href="#foot2"><sup>2</sup></a>. Fortunately, once again, 939 Apache provides us with a simple utility for the purpose of 940 managing this user file. This time, the utility is called 941 <tt>dbmmanage</tt>, and will be located in the <tt>bin</tt> 942 subdirectory of wherever you installed Apache.</p> 943 944 <p><tt>dbmmanage</tt> is somewhat more complicated to use than 945 <tt>htpasswd</tt> or <tt>htdigest</tt>, but it is still fairly 946 simple. The syntax which you will usually be using is as 947 follows:</p> 948<pre> 949dbmmanage passwords.dat adduser montressor 950</pre> 951 952 <p>As with <tt>htpasswd</tt>, you will at this point be 953 prompted for a password, and then asked to confirm that 954 password by typing it again. The main difference here is that 955 rather than a text file being created, you are creating a 956 binary file containing the information that you have 957 supplied.</p> 958 959 <p>Type <tt>dbmmanage</tt> with no arguments to get the full 960 list of options available with this utility.</p> 961 962 <h3><a name="perl_dbfile">Creating your user file with 963 Perl</a></h3> 964 965 <p>Note that, if you are so inclined, you can manage your user 966 file with Perl, or any other language which has a DB-file 967 module, for interfacing with this type of database. This covers 968 a number of popular programming languages.</p> 969 970 <p>The following Perl code, for example, will add a user 971 'rbowen', with password 'mypassword', to your password 972 file:</p> 973<pre> 974use DB_File; 975tie %database, 'DB_File', "passwords.dat" 976 or die "Can't initialize database: $!\n"; 977 978$username = 'rbowen'; 979$password = 'mypassword'; 980@chars=(0..9,'a'..'z'); 981$salt = $chars[int rand @chars] . $chars[int rand @chars]; 982 983$crypt = crypt($password, $salt); 984$database{$username} = $crypt; 985 986untie %database; 987</pre> 988 989 <p>As you can imagine, this makes it very simple to write tools 990 to manage the user and password information stored in these 991 files.</p> 992 993 <p>Passwords are stored in Unix <tt>crypt</tt> format, just as 994 they were in the "regular" password files. The 'salt' that is 995 created in the middle there is part of the process, generating 996 a random starting point for that encryption. The technique 997 being used is called a 'tied hash'. The idea is to tie a 998 built-in data structure to the contents of the file, such that 999 when the data structure is changed, the file is automatically 1000 modified at the same time.</p> 1001 1002 <h3><a name="authdbuserfile"></a>Configuring Apache 1003 to use this password file</h3> 1004 1005 <p>Once you have created the password file, you need to tell 1006 Apache about it, and tell Apache to use this file to verify 1007 user credentials. This configuration will look almost the same 1008 as that for basic authentication. This configuration can go in 1009 a <tt>.htaccess</tt> file in the directory to be protected, or 1010 can go in the main server configuration, in a 1011 <tt><Directory></tt> section, or other scope container 1012 directive.</p> 1013 1014 <p>The configuration will look something like the 1015 following:</p> 1016<pre> 1017AuthName "Members Only" 1018AuthType Basic 1019AuthDBUserFile /usr/local/apache/passwd/passwords.dat 1020require user rbowen 1021</pre> 1022 1023 <p>Now, users accessing the directory will be required to 1024 authenticate against the list of valid users who are in 1025 <tt>/usr/local/apache/passwd/passwords.dat</tt>.</p> 1026 1027 <h3><a name="authdbgroupfile"></a><br /> 1028 Optionally, create a group file</h3> 1029 1030 <p>As mentioned earlier, DB files store a key/value pair. In 1031 the case of group files, the key is the name of the user, and 1032 the value is a comma-separated list of the groups to which the 1033 user belongs.</p> 1034 1035 <p>While this is the opposite of the way that group files are 1036 stored elsewhere, note that we will primarily be looking up 1037 records based on the username, so it is more efficient to index 1038 the file by username, rather than by the group name.</p> 1039 1040 <p>Groups can be added to your group file using 1041 <tt>dbmmanage</tt> and the <tt>add</tt> command:</p> 1042<pre> 1043dbmmanage add groupfile rbowen one,two,three 1044</pre> 1045 1046 <p>In the above example, <tt>groupfile</tt> is the literal name 1047 of the group file, <tt>rbowen</tt> is the user being added, and 1048 <tt>one</tt>, <tt>two</tt>, and <tt>three</tt> are names of 1049 three groups to which this user belongs.</p> 1050 1051 <p>Once you have your groups in the file, you can require a 1052 group in the regular way:</p> 1053<pre> 1054AuthName "Members Only" 1055AuthType Basic 1056AuthDBUserFile /usr/local/apache/passwd/passwords.dat 1057AuthDBGroupFile /usr/local/apache/passwd/groups.dat 1058require group three 1059</pre> 1060 1061 <p>Note that if you want to use the same file for both password 1062 and group information, you can do so, but this is a little more 1063 complicated to manage, as you have to encrypt the password 1064 yourself before you feed it to the <tt>dbmmanage</tt> 1065 utility.</p> 1066 1067 <h1><a name="access"></a>Access control</h1> 1068 1069 <p>Authentication by username and password is only part of the 1070 story. Frequently you want to let people in based on something 1071 other than who they are. Something such as where they are 1072 coming from. Restricting access based on something other than 1073 the identity of the user is generally referred to as <i>Access 1074 Control</i>.</p> 1075 1076 <h2><a name="allowdeny"></a>Allow and Deny</h2> 1077 1078 <p>The <tt>Allow</tt> and <tt>Deny</tt> directives let you 1079 allow and deny access based on the host name, or host address, 1080 of the machine requesting a document. The directive goes 1081 hand-in-hand with these is the <tt>Order</tt> directive, which 1082 tells Apache in which order to apply the filters.</p> 1083 1084 <p>The usage of these directives is:</p> 1085<pre> 1086allow from address 1087</pre> 1088 1089 <p>where <i>address</i> is an IP address (or a partial IP 1090 address) or a fully qualified domain name (or a partial domain 1091 name); you may provide multiple addresses or domain names, if 1092 desired.</p> 1093 1094 <p>For example, if you have someone spamming your message 1095 board, and you want to keep them out, you could do the 1096 following:</p> 1097<pre> 1098deny from 11.22.33.44 1099</pre> 1100 1101 <p>Visitors coming from that address will not be able to see 1102 the content behind this directive. If, instead, you have a 1103 machine name, rather than an IP address, you can use that. 1104 </p> 1105<pre> 1106deny from hostname.example.com 1107</pre> 1108 1109 <p>And, if you'd like to block access from an entire domain, 1110 or even from an entire tld (top level domain, such as .com or .gov) 1111 you can specify just part of an address or domain name:</p> 1112<pre> 1113deny from 192.101.205 1114deny from exampleone.com exampletwo.com 1115deny from tld 1116</pre> 1117 1118 <p>Using <tt>Order</tt> will let you be sure that you are 1119 actually restricting things to the group that you want to let 1120 in, by combining a <tt>deny</tt> and an <tt>allow</tt> 1121 directive:</p> 1122<pre> 1123Order Deny,Allow 1124Deny from all 1125Allow from hostname.example.com 1126</pre> 1127 1128 <p>Listing just the <tt>allow</tt> directive would not do what 1129 you want, because it will let users from that host in, in 1130 addition to letting everyone in. What you want is to let in 1131 <i>only</i> users from that host.</p> 1132 1133 <h2><a name="satisfy"></a>Satisfy</h2> 1134 1135 <p>The <tt>Satisfy</tt> directive can be used to specify that 1136 several criteria may be considered when trying to decide if a 1137 particular user will be granted admission. <tt>Satisfy</tt> can 1138 take as an argument one of two options - <tt>all</tt> or 1139 <tt>any</tt>. By default, it is assumed that the value is 1140 <tt>all</tt>. This means that if several criteria are 1141 specified, then all of them must be met in order for someone to 1142 get in. However, if set to <tt>any</tt>, then several criteria 1143 may be specified, but if the user satisfies any of these, then 1144 they will be granted entrance.</p> 1145 1146 <p>A very good example of this is using access control to 1147 assure that, although a resource is password protected from 1148 outside your network, all hosts inside the network will be 1149 given free access to the resource. This would be accomplished 1150 by using the <tt>Satisfy</tt> directive, as shown below.</p> 1151<pre> 1152<Directory /usr/local/apache/htdocs/sekrit> 1153 AuthType Basic 1154 AuthName intranet 1155 AuthUserFile /www/passwd/users 1156 AuthGroupFile /www/passwd/groups 1157 Require group customers 1158 Order allow,deny 1159 Allow from internal.com 1160 Satisfy any 1161</Directory> 1162</pre> 1163 1164 <p>In this scenario, users will be let in if they either have a 1165 password, or if they are in the internal network.</p> 1166 1167 <h1><a name="summary">Summary</a></h1> 1168 1169 <p>The various authentication modules provide a number of ways 1170 to restrict access to your host based on the identity of the 1171 user. They offer a somewhat standard interface to this 1172 functionality, but provide different back-end mechanisms for 1173 actually authenticating the user.</p> 1174 1175 <p>And the access control mechanism allows you to restrict 1176 access based on criteria unrelated to the identity of the 1177 user.<br /> 1178 </p> 1179 <hr /> 1180 1181 <h4>Footnotes</h4> 1182 1183 <dl> 1184 <dt><a name="foot1">... value.</a><a 1185 href="#foot1_return"><sup>1</sup></a></dt> 1186 1187 <dd>There are actually a number of implementations that get 1188 around this limitation. MLDBM is one of them, for example. 1189 However, for the purposes of this discussion, we'll just deal 1190 with standard Berkeley DB, which is likely to have shipped 1191 with whatever operating system you are already running.</dd> 1192 1193 <dt><a name="foot2">... file</a><a 1194 href="#foot2_return"><sup>2</sup></a></dt> 1195 1196 <dd>Or, if you are using mod_auth_dbm, a DBM file.</dd> 1197 </dl> 1198 <hr /> 1199 1200 </body> 1201</html> 1202