httpd-dev mailing list archives

From Eli Marmor
Subject Missing Features of htdigest.c
Date Sun, 24 Jul 2005 10:50:53 GMT
Originally, htdigest was planned as the DIGEST equivalent of htpasswd.

However, only a minimal version was released, and since then it has
remained a mid-version and was never finished. Ryan Bloom wrote:

	When Digest authentication is more prevalent, this program will
	likely be extended with more options, mirroring the options to
	the other password-file generators.
					(Apache Server 2.0, pp. 221)

I believe there is a consensus that it's time to finish htdigest.

For example, everybody who tried to call htdigest from a CGI or another
program, to change a password non-interactively, faced the limitations
of htdigest (by the way: if you want to popen() it and stream the
password into it twice, don't be surprised if it will not work: under
most platforms it accesses /dev/tty rather than the standard-input, so
you will have to ioctl() the standard input to TIOCNOTTY before
popening htdigest...).

In htpasswd, this is done by the flag "-b". And this flag is only an
example of the limitations of htdigest.

So before finalizing htdigest, I want to ask several questions:

1. Is there already a patched version of htdigest, somewhere, that
   supports more features than the official one?  Did any of you
   improve htdigest or know anything about such a project?  Before
   investing time, it will be helpful to know if there is somewhere to
   start from.

2. Is improving htdigest the way to go?  Or is it better to add DIGEST
   authentication as a new flag for htpasswd, so htpasswd will join
   both types of authentication and the DIGEST authentication will
   enjoy the existing flags of htpasswd (like "-b"). And if extending
   htpasswd is the way, then what should be done with "realm"?  After
   all, currently it is a "must" in htdigest files, while it doesn't
   exist in htpasswd files. A possible option is to make it a flag,
   but then what should be done if it is used in BASIC auth or if it's
   omitted in DIGEST?  Another option is to put the realm immediately
   after the flag that tells htpasswd to use DIGEST, i.e.:
	htpasswd [-D realm] etc.

3. What about the other BASIC authentications, which don't have a
   DIGEST equivalent so far?  Like auth_dbm, etc.

Eli Marmor
Netmask (El-Mar) Internet Technologies Ltd.
Tel.:   +972-9-766-1020          8 Yad-Harutzim St.
Fax.:   +972-9-766-1314          P.O.B. 7004
Mobile: +972-50-5237338          Kfar-Saba 44641, Israel
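
An added example, not part of the original message or of the Apache code base: one way for a CGI or other program to set a DIGEST password non-interactively without driving htdigest through /dev/tty is to write the entry itself, since each htdigest line is `user:realm:MD5(user:realm:password)`. The function names, the script name and the sample values are assumptions of this sketch; the password is read from standard input so it never appears on a command line.

```python
import hashlib
import os
import sys
import tempfile


def digest_entry(user, realm, password):
    """One htdigest line: user:realm:MD5(user:realm:password)."""
    for name, value in (("user", user), ("realm", realm)):
        if not value or any(c in value for c in ":\r\n"):
            raise ValueError(f"{name} must be non-empty, without ':' or newlines")
    if "\n" in password or "\r" in password:
        raise ValueError("password must not contain newlines")
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"


def set_password(path, user, realm, password):
    """Add or replace the (user, realm) entry; return True if one was replaced."""
    new_line, prefix = digest_entry(user, realm, password), f"{user}:{realm}:"
    lines, replaced = [], False
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh.read().splitlines():
                if line.startswith(prefix):
                    replaced = True  # drop the old entry (and any duplicates)
                elif line:
                    lines.append(line)
    lines.append(new_line)
    # Temp file in the same directory (mkstemp creates it mode 0600), then an
    # atomic rename, so the server never reads a half-written password file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return replaced


if __name__ == "__main__":
    # usage (hypothetical script name): set_digest.py FILE USER REALM < password
    # The password comes from standard input, not argv or /dev/tty.
    set_password(sys.argv[1], sys.argv[2], sys.argv[3], sys.stdin.readline().rstrip("\r\n"))
```

The resulting file is readable only by the account that wrote it, so the program has to run as a user whose files the server can read, or the mode has to be adjusted to suit the deployment.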
