httpd-users mailing list archives

From "John Karr" <brain...@brainbuz.org>
Subject RE: [users@httpd] mod_auth_form and digest authentication
Date Tue, 27 Dec 2011 05:44:02 GMT
I couldn't figure out how to get digest authentication working with mod_auth_form; the documentation
mentions it once but offers no specifics, and I was unable to guess it (I even tried looking
at the source for comments that might help).

Now as to why I would rather use digest authentication, I have been unsuccessful in compiling
mod_session_crypto. A site that had been using Digest would obviously have the bigger concern
of preserving user passwords. It happens that for the property I'm hoping to deploy mod_auth_form
on the next release I have most of the passwords in both digest and htpasswd compatible formats.
Based on the pace of the release cycle I don't expect an official Ubuntu package until the end
of October 2012; since Apache httpd 2.3 isn't in Sid, I can't assume a working package through
Debian anytime soon.

I would prefer the stronger cryptography of mod_session_crypto, or a cryptographically enhanced
version of digest if one was available. Since I store both password forms in my database I
can use digest now and then switch later. 


-----Original Message-----
From: Igor Galić [mailto:i.galic@brainsware.org] 
Sent: Monday, December 26, 2011 7:29 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] mod_auth_form and digest authentication



----- Original Message -----
> Version of Apache 2.3.15
> 
> The documentation for mod_auth_form says that it works with digest or 
> basic

Actually, mod_auth_form should work with any kind of authentication system that you come up
with, since it essentially gives up control to you and your application.

> authentication. I have it working with basic authentication from a 
> database, but I can't find anything about how to switch over to 
> digest. There are two reasons for wanting to do this, first if your 
> users already have passwords encrypted in digest format, second the 
> normal digest HTTP_AUTHORIZATION does not include the password in 
> clear text and would not need mod_session_crypto if that value were 
> used for the session.

Is there a specific reason why you do not want to, or cannot use mod_session_crypto?


So long,

i 

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


