Apache Authentication Mechanism
- with particular focus on the password hash -
1. Introduction
The authentication mechanism itself is well explained in the Apache documentation, and all the basics can be found there. The aim of this tutorial is to show some details, in particular how the password hashes are built, that are rarely explained elsewhere.
If your web space is to be protected, the Apache web server must allow users to enable the protection mechanism themselves. That means the system administrator has to set
AllowOverride AuthConfig
in the Apache configuration for the users' web directory. By default the per-directory configuration file you then edit is named ".htaccess"; it has to be placed in the directory that should be protected. Now you have to decide which authentication method you want to use. The digest method is preferable to the basic method because the password is not sent in clear text with every request, but note that not all browsers support it. Digest only keeps the password itself off the wire: it does not protect the rest of the request, and its MD5 construction is considered obsolete, so the connection should use TLS (https) in either case.
2. Digest Authentication
2.1. Configuration
The ".htaccess" file has to contain the following directives:
- AuthType
- AuthName
- AuthDigestFile (older versions of mod_auth_digest) or AuthDigestProvider together with AuthUserFile (current versions)
- Require
A short example for older versions of mod_auth_digest:
AuthType Digest
AuthName "MyPage"
AuthDigestFile /home/user/passwordfile
require user TestUser
For current versions use:
AuthType Digest
AuthName "MyPage"
AuthDigestDomain /path/ https://your.domain/path/
AuthDigestProvider file
AuthUserFile /home/user/passwordfile
require user TestUser
If you have adapted the ".htaccess" file accordingly, you have to create the password file.
2.2. Password file
All tutorials I found assumed that everybody can use the Apache password tools htpasswd/htdigest; however, this is not always the case. For this reason, I have written a CGI script which creates the password hash from a web form. Each line of the password file looks like
Username:Realm:PasswordHash
for instance
TestUser:MyPage:eeb67db475002802c2d1f0ffdcf18036
It is important that the "realm" in the password file is exactly the same as the "AuthName" in the ".htaccess" file, because the server looks up the entry by username and realm. Furthermore, neither the realm nor the username may contain a colon, since the colon is the field separator.
2.3. Hash Algorithm
To generate the digest password hash, the MD5 algorithm is used. However, it is not applied to the password alone; the value stored in the file is
MD5("Username:Realm:Password")
That means that instead of the password only, a combination of the username, the realm, and the password is hashed. This is why the realm in the file has to match the AuthName: a different realm gives a different hash for the same password. Note also that this stored value is all the server needs to check a login, so anyone who can read the password file can authenticate to that realm without knowing the password; keep the file outside the document root and unreadable to other users.
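The following Python script is an added example (not code from the original tutorial or from Apache) that ties sections 2.2 and 2.3 together: it computes the HA1 value exactly as htdigest stores it, writes and parses password-file lines, looks an entry up by username and realm (the realm being the AuthName), and then performs the RFC 2617 response check a server does with that value. TestUser and MyPage are taken from the tutorial; the password "secret" and the nonces are constructed, since the password behind the tutorial's own hash is not known.

```python
"""Digest authentication: the HA1 hash htdigest stores, the password file
that holds it, and the RFC 2617 check the server makes with it.
Added example, not code from the original tutorial. TestUser/MyPage come
from the tutorial; the password "secret" is constructed."""
import hashlib
import hmac


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """Exactly what htdigest writes: MD5("username:realm:password").
    The plain password is the third component, not a hash of it."""
    if ":" in username or ":" in realm:
        raise ValueError("username and realm must not contain ':' (field separator)")
    return md5_hex(f"{username}:{realm}:{password}")


def htdigest_line(username, realm, password):
    return f"{username}:{realm}:{digest_ha1(username, realm, password)}"


def parse_htdigest(text):
    """(username, realm) -> HA1. Each record has exactly two colons."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            raise ValueError(f"line {lineno}: expected user:realm:<32 hex chars>")
        entries[(parts[0], parts[1])] = parts[2].lower()
    return entries


def lookup_ha1(entries, username, realm):
    """The realm the server uses is its AuthName; a different spelling
    in the file means the user simply does not exist for this realm."""
    return entries.get((username, realm))


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """Client response per RFC 2617. With qop the nonce count and client
    nonce are mixed in; without qop the older RFC 2069 form applies."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(entries, username, realm, method, uri, nonce, nc, cnonce, qop, response):
    """The server never needs the password, only HA1 from the file.
    Whoever can read the file can therefore log in to this realm."""
    ha1 = lookup_ha1(entries, username, realm)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    line = htdigest_line("TestUser", "MyPage", "secret")
    print(line)  # TestUser:MyPage:<32 hex chars>
    entries = parse_htdigest(line)
    # Constructed nonces; a real server generates and tracks them.
    nonce, nc, cnonce = "a1b2c3d4", "00000001", "client-nonce"
    ha1 = digest_ha1("TestUser", "MyPage", "secret")
    resp = digest_response(ha1, "GET", "/index.html", nonce, nc, cnonce, "auth")
    print(server_verify(entries, "TestUser", "MyPage", "GET", "/index.html",
                        nonce, nc, cnonce, "auth", resp))   # True
    print(server_verify(entries, "TestUser", "OtherRealm", "GET", "/index.html",
                        nonce, nc, cnonce, "auth", resp))   # False: realm != AuthName
```

The functions are checked against the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), so the HA1 computation matches what Apache expects in the file. The realm-mismatch case shows why the AuthName must be spelled identically in the ".htaccess" file and the password file.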
3. Basic Authentication
3.1. Configuration
For this method the ".htaccess" file has to contain the following directives:
- AuthType
- AuthName
- AuthUserFile
- Require
For example:
AuthType Basic
AuthName "MyPage"
AuthUserFile /home/user/passwordfile
require user TestUser
3.2. Password file
In this case there are several web applications that generate the hash, for example the one on the Selfhtml homepage; you can also use the CGI script I wrote. For basic authentication each line of the password file looks like
Username:PasswordHash
for instance
TestUser:GApxCI8DJP4Yg
3.3. Hash Algorithm
The algorithm used here is simpler than for the digest method: there is no realm, and the username is not part of the hash. The hash function is the standard crypt() function with a salt, a random value of two characters that is mixed into the computation, so that the same password yields different hashes for different salts and a precomputed table is only valid for one salt. To verify a password (or to compare two hash values) you therefore have to know the salt, and for that reason it is stored in the clear as part of the password hash: the first two characters, "GA" in the example above, are the salt. Two caveats: traditional crypt() only looks at the first eight characters of the password, and its 12-bit salt is small by today's standards. Current versions of htpasswd therefore write an MD5-based hash (recognisable by the "$apr1$" prefix) by default and can also produce bcrypt hashes; the basic ".htaccess" configuration above works unchanged with those.
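The following Python script is an added example, not code from the original tutorial or from Apache. It reads a basic-authentication password file, recognises the hash scheme of each entry, shows where the salt sits in the clear in front of the hash (the first two characters for crypt(), between the dollar signs for $apr1$), and flags the weak schemes. It deliberately goes beyond the tutorial's crypt() example to the other formats htpasswd can write. The sample file is constructed: the crypt() line reuses the tutorial's TestUser entry (password unknown), the {SHA} line is the hash of the word "password", and the $apr1$ hash is a dummy string of the right shape, not a real hash.

```python
"""Inspect a Basic-auth password file: identify each entry's hash scheme,
show the salt stored in the clear, and flag weak schemes.
Added example, not code from the original tutorial. SAMPLE_HTPASSWD is
constructed; its $apr1$ hash is a dummy of the right shape."""
import base64
import hashlib
import hmac
import re

# Formats htpasswd can write. Besides the tutorial's crypt() form, current
# htpasswd defaults to $apr1$ (MD5-based) and also offers {SHA} and bcrypt.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
APR1 = re.compile(r"^\$apr1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}$")
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$([./0-9A-Za-z]{22})[./0-9A-Za-z]{31}$")

SAMPLE_HTPASSWD = """\
# constructed sample file
TestUser:GApxCI8DJP4Yg
shauser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
md5user:$apr1$saltsalt$AbCdEfGhIjKlMnOpQrStUv
"""

WEAKNESS = {
    "crypt": "2-char (12-bit) salt, password truncated to 8 characters",
    "sha1": "no salt: identical passwords give identical hashes",
    "apr1": "MD5 with 1000 rounds, cheap to brute-force today",
    "bcrypt": None,
    "unknown": "unrecognised format",
}


def parse_htpasswd(text):
    """username -> stored hash. Only the first colon separates the fields."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            raise ValueError(f"malformed line: {raw!r}")
        entries[user] = stored
    return entries


def identify(stored):
    """Return (scheme, salt). The salt is not secret: it is stored in
    front of the hash so that a candidate password can be hashed the
    same way and compared."""
    if stored.startswith("{SHA}"):
        return "sha1", None
    m = APR1.match(stored)
    if m:
        return "apr1", m.group(1)          # between the second and third '$'
    m = BCRYPT.match(stored)
    if m:
        return "bcrypt", m.group(1)
    if DES_CRYPT.match(stored):
        return "crypt", stored[:2]         # the first two characters
    return "unknown", None


def audit(text):
    """List of (user, scheme, salt, weakness) for every entry."""
    report = []
    for user, stored in parse_htpasswd(text).items():
        scheme, salt = identify(stored)
        report.append((user, scheme, salt, WEAKNESS[scheme]))
    return report


def verify_sha(stored, password):
    """{SHA} is the one scheme recomputable with the standard library alone
    (Python dropped the crypt module in 3.13). There is no salt to extract."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    candidate = "{SHA}" + base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for row in audit(SAMPLE_HTPASSWD):
        print(row)
    print(verify_sha("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "password"))  # True
```

Running the audit over your own password file is a quick way to find entries that were created with the old crypt() tool and should be regenerated with a stronger scheme; the salt column makes the point of the section visible, since it is exactly the part of each hash an attacker also gets for free.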