
mod_digest Module?

Eric Pretorious

Regular Pleskian
http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html said:
The most common [authentication] method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted... Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure.

The mod_digest module is loaded:
Code:
[root@www ~]# apachectl -t -D DUMP_MODULES | grep auth
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_owner_module (shared)
 authz_groupfile_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 authnz_ldap_module (shared)

However, it's not listed in the Plesk interface (i.e., Home > Tools & Settings > Apache Modules):

  • php5
  • asis
  • auth_basic
  • authn_alias
  • authn_anon
  • authn_dbd
  • authn_dbm
  • authn_default
  • authnz_ldap
  • authz_dbm
  • authz_default
  • authz_groupfile
  • authz_owner
  • cache
  • cern_meta
  • cgi
  • cgid
  • dbd
  • deflate
  • disk_cache
  • dumpio
  • expires
  • ext_filter
  • fcgid
  • filter
  • headers
  • ident
  • include
  • info
  • ldap
  • log_forensic
  • logio
  • perl
  • proxy
  • proxy_ajp
  • proxy_balancer
  • proxy_connect
  • proxy_ftp
  • proxy_http
  • proxy_scgi
  • python
  • reqtimeout
  • rewrite
  • speling
  • status
  • substitute
  • suexec
  • unique_id
  • userdir
  • usertrack
  • version
  • vhost_alias
And, if I specify Digest authentication (in the .htaccess file)...
Code:
AuthUserFile /var/www/vhosts/example.com/.htpasswd
AuthType Digest
AuthName "My Secret Folder"
Require valid-user
...it causes an error...

[Wed Mar 20 04:47:30 2013] [error] [client 74.197.253.230] Digest: user `admin' in realm `My Secret Folder' not found: /htpasswd/Wordcamp.txt
What do I need to do to enable digest mode authentication?
 
You need to set up the authentication file:
htdigest -c /var/www/vhosts/example.com/.htpasswd "My Secret Folder" admin

I guess that I should have been more explicit:

  • If I specify Basic authentication (in the .htaccess file)...
    Code:
    AuthUserFile /var/www/vhosts/example.com/.htpasswd
    AuthType Basic
    AuthName "My Secret Folder"
    Require valid-user
    ...authentication works correctly (because I've already created the .htpasswd file that's referenced in the .htaccess file).
  • If I specify Digest authentication (in the .htaccess file)...
    Code:
    AuthUserFile /var/www/vhosts/example.com/.htpasswd
    AuthType Digest
    AuthName "My Secret Folder"
    Require valid-user
    it causes an error...

    [Wed Mar 20 04:47:30 2013] [error] [client 74.197.253.230] Digest: user `admin' in realm `My Secret Folder' not found: /htpasswd/Wordcamp.txt
 
According to the instructions, it isn't enough just to change AuthType Basic to AuthType Digest - you also have to change AuthUserFile to AuthDigestFile
I'm not 100% sure this is your problem, but I'd certainly try that to see what happens.

Note also that the error message you are getting would also be generated if the passwords in the password file were not hashed. However, knowing the tricky way these things work, I'm hoping the solution is as simple as just changing to AuthDigestFile.
 
Thanks, Faris:

http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html said:
Using MD5 Digest authentication is very simple. Simply set up authentication normally, using AuthType Digest and AuthDigestFile instead of the normal AuthType Basic and AuthUserFile

But updating the .htaccess file...
Code:
AuthDigestFile /var/www/vhosts/rocket-powered.com/.htpasswd
AuthType Digest
AuthName "My Secret Folder"
Require valid-user

...caused this error:

Code:
[Sun Mar 24 00:47:07 2013] [alert] [client 50.136.181.150] /var/www/vhosts/example.com/httpdocs/whmcs/admin/.htaccess: Invalid command 'AuthDigestFile', perhaps misspelled or defined by a module not included in the server configuration

I'll keep digging and post my results here.
 

Root cause: I was using the /usr/bin/htpasswd command instead of the /usr/bin/htdigest password that Alexey had specified:

You need to set up the authentication file:
htdigest -c /var/www/vhosts/example.com/.htpasswd "My Secret Folder" admin

Once I created the .htpasswd file using /usr/bin/htdigest, authentication began working:

Code:
[root@www rocket-powered.com]# htdigest -c .htpasswd 'Restricted' admin
Adding password for admin in realm Restricted.
New password: ******
Re-type new password: ******

However, when I replaced the AuthUserFile directive with the AuthDigestFile directive...

According to the instructions, it isn't enough just to change AuthType Basic to AuthType Digest - you also have to change AuthUserFile to AuthDigestFile... I'm hoping the solution is as simple as just changing to AuthDigestFile.

...authentication failed! Closer examination of the documentation reveals that the AuthDigestFile is no longer necessary. However, there are a handful of other directives that the documentation suggests but that don't seem to be required; e.g., AuthDigestDomain doesn't seem to be required. Also: use the value set by AuthName as the realm when using /usr/bin/htdigest.

Code:
[root@www rocket-powered.com]# cat .htpasswd 
admin:WHMCS:74xe86xe9ffafe999f3499228ab6x9e3

[root@www rocket-powered.com]# cat httpdocs/whmcs/admin/.htaccess
AuthUserFile /var/www/vhosts/rocket-powered.com/.htpasswd
AuthType Digest
AuthDigestDomain /whmcs/admin/
AuthName WHMCS
Require valid-user


REFERENCE
http://httpd.apache.org/docs/2.2/programs/htdigest.html
http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html
http://docs.ocf.berkeley.edu/wiki/How_to_restrict_access_to_a_page
 