Last updated: 2023-08-13
Contents
- Digest & Basic Authentication
- htpasswd in .htaccess
- CLI - htpasswd
- Authorization
- Apache digest authentication (mod_auth_digest)
- htdigest
- Multi htpasswd file
- URL Embedded Credentials
- Logout
Digest & Basic Authentication
Challenge Type(AuthType)
- Basic (mod_auth_basic)
- Digest (mod_auth_digest)
"WWW-Authenticate" response header (Server -> Client), sent with a 401
- Defines at least one challenge (authentication scheme plus its parameters, e.g. the realm)
- Multiple WWW-Authenticate headers are allowed in one response; the client picks the strongest scheme it understands
"Authorization" request header
Header Format
Basic
Authorization: Basic <credentials>
Digest
Authorization: Digest username=<username>, realm="<realm>", uri="<url>", algorithm=<algorithm>, nonce="<nonce>", nc=<nc>, cnonce="<cnonce>", qop=<qop>, response="<response>", opaque="<opaque>"
mod_auth_basic:
AuthType Basic
mod_auth_digest (compared with Basic, as the Apache docs put it):
- the password is not transmitted as cleartext
- password storage on the server is much less secure: the file holds an unsalted MD5(user:realm:password) that by itself is enough to answer a challenge
- a man-in-the-middle attacker can trivially force the browser to downgrade to Basic authentication, so without TLS Digest gains little
AuthType Digest
# MD5 is the default and effectively the only algorithm (the docs mark MD5-sess as not correctly implemented), so this line is optional
AuthDigestAlgorithm MD5
AuthDigestDomain URI [URI] ...
URIs that are in the same protection space for digest authentication
<Location /private/>
AuthDigestDomain /private/ http://mirror.my.dom/private2/
</Location>
Omitting to do so will cause the client to send the Authorization header for every request sent to this server. Apart from increasing the size of the request, it may also have a detrimental effect on performance if AuthDigestNcCheck is on.
AuthDigestNonceLifetime Directive
The AuthDigestNonceLifetime directive controls how long the server nonce is valid. When the client contacts the server using an expired nonce the server will send back a 401 with stale=true. If seconds is greater than 0 then it specifies the amount of time for which the nonce is valid; this should probably never be set to less than 10 seconds. If seconds is less than 0 then the nonce never expires.
htpasswd in .htaccess
.htaccess
# Authentication Type: Basic / Digest
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /securefiles/.htpasswd <-- full path; keep the file outside the DocumentRoot so it can never be served
AuthGroupFile /dev/null
# This line is what actually requires a login for the directory
Require valid-user
"Require" Usage:
Require valid-user
Require [not] entity-name
.htpasswd
user:password-hash (one entry per line; the hash formats are listed under CLI - htpasswd)
To let certain IPs in without a password, add
Satisfy Any
(together with Allow from <ip>; this is the Apache 2.2 / mod_access_compat idiom. On 2.4 the equivalent is a <RequireAny> block containing Require ip <ip> and Require valid-user.)
Settings
AuthName
sets the name of the authorization realm for a directory.
This realm is given to the client so that the user knows which username and password to send.
AuthUserFile
If it is not absolute, it is treated as relative to the ServerRoot.
CLI - htpasswd
# Install htpasswd
yum install httpd-tools
# Common options
- -c Create the passwdfile (if passwdfile already exists it is rewritten and truncated, so never use -c to add a user to an existing file)
- -b Use batch mode (take the password from the command line; it then lands in shell history and is visible in `ps`, so prefer the interactive prompt, or -i to read it from stdin)
# Password type
- -m Use MD5 encryption for passwords (default): "$apr1$" + the result of an Apache-specific algorithm
- -s Use SHA encryption for passwords: "{SHA}" + Base64-encoded SHA-1 digest of the password (unsalted, so offline brute force is cheap)
- -d Use crypt() encryption for passwords (only the first 8 characters of the password are used)
- -B Use bcrypt encryption for passwords: "$2y$" + the result of the crypt_blowfish algorithm (the strongest of the four; -C sets the cost)
# Other
- -v Verify password
- -D Delete user
e.g.
htpasswd -b -c -s passwd.masterusers username password
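The two hash formats listed above, and the `$apr1$` algorithm described in the remark further down, re-implemented as an added example. This is not code from the page or from Apache; it only needs the standard library. The sample `.htpasswd` contents are constructed here, with a fixed salt so the output is reproducible, and `verify` deliberately covers only the `$apr1$` and `{SHA}` formats (crypt() and bcrypt would need the `crypt` module or the `bcrypt` package).

```python
import base64
import hashlib
import hmac
import secrets

# Alphabet used by Apache's to64() when encoding the MD5 output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Apache's custom base-64: emit `count` chars, least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str = "") -> str:
    """htpasswd -m: '$apr1$' + salt + '$' + 1000-round iterated MD5 (mirrors apr_md5_encode)."""
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]                      # Apache uses at most 8 salt characters
    pw, sb, magic = password.encode(), salt.encode(), b"$apr1$"

    ctx = hashlib.md5(pw + magic + sb)
    mixin = hashlib.md5(pw + sb + pw).digest()
    for i in range(len(pw)):             # as many bytes of MD5(pw+salt+pw) as pw is long
        ctx.update(mixin[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                             # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                # the "iterated (1,000 times)" part
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(sb)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    # Byte shuffle into 22 characters, in the order apr_md5_encode uses.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def sha1_hash(password: str) -> str:
    """htpasswd -s: '{SHA}' + base64(SHA-1(password)). No salt, so identical passwords collide."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against one .htpasswd hash field (constant-time compare)."""
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2]      # re-hash with the salt taken from the stored value
        candidate = apr1_hash(password, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha1_hash(password)
    else:
        return False                     # crypt()/bcrypt not handled in this example
    return hmac.compare_digest(candidate, stored)


def check_htpasswd(contents: str, user: str, password: str) -> bool:
    """Parse user:hash lines (the .htpasswd layout shown above) and test a login."""
    for line in contents.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == user:
            return verify(password, stored)
    return False


# Constructed sample file (not from the page); fixed salt keeps it deterministic.
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + apr1_hash("correct horse", "r31....."),
    "bob:" + sha1_hash("battery staple"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(check_htpasswd(SAMPLE_HTPASSWD, "alice", "correct horse"))   # True
    print(check_htpasswd(SAMPLE_HTPASSWD, "alice", "wrong password"))  # False
```

Entries produced by `htpasswd -m` or `htpasswd -s` verify with `check_htpasswd`, which is a convenient way to audit a `.htpasswd` for weak passwords offline; the same ease is why `-B` (bcrypt) is the better choice for anything exposed.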
Authorization (authz)
The authz modules provide authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site (the Require directives).
Auth*Provider (authn)
file provider <-- mod_authn_file
Providers are queried in order until a provider finds a match for the requested username, at which point this sole provider will attempt to check the password; a failed password check does not pass control on to the next provider.
Apache digest authentication (mod_auth_digest)
RFC2617
* password is not transmitted as cleartext
* password storage on the server is much less secure: htdigest stores an unsalted MD5(user:realm:password) that can be replayed as-is to answer challenges, whereas htpasswd -m stores a salted, iterated hash
* this does not lead to a significant security advantage over basic authentication (Basic over TLS is the better choice)
remark
The password hashing htpasswd uses for Basic (-m, the default) is
"$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password.
.htaccess
<Files mailreport.txt>
AuthType Digest
AuthName "users" # this is the realm; it must match the REALM given to htdigest
AuthDigestProvider file
AuthUserFile "/var/www/htdigest.users"
Require valid-user
</Files>
htdigest [ -c ] passwdfile REALM username
-c # Create the passwdfile (truncates it if it already exists)
REALM # The authentication realm for which the user's credentials are being stored.
# The realm is a string that is displayed to the user when they are prompted for authentication.
# It helps the user understand the context of the authentication request.
(http://tools.ietf.org/html/rfc2617#section-3.2.1)
e.g.
# REALM must match AuthName
htdigest -c /var/www/htdigest.users users admin
File: /var/www/htdigest.users
# USERNAME:REALM:PASSWORD, where PASSWORD is the hex MD5 of "USERNAME:REALM:password" (HA1), not a salted hash
admin:users:????
AuthDigestNonceLifetime
Controls how long the server nonce is valid.
(expired => 401 with stale=true; the browser then retries with the new nonce without prompting the user again)
Default: 300
What the browser sends on the next request:
name
Authorization
value
Digest username="admin", realm="users", nonce="?=?" , uri="/mailreport/mailreport.txt", algorithm=MD5, response="?", qop=auth , nc=00000004, cnonce="?"
nc is incremented by 1 for every request that reuses the same nonce (see AuthDigestNcCheck above)
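Both sides of the Digest exchange above, together with the htdigest storage format, as an added example (not from the page or from mod_auth_digest). It uses the worked values from RFC 2617 section 3.5 so the numbers can be checked against the RFC; the parser handles the comma-separated `k=v` / `k="v"` layout of the header shown above and assumes no value contains a comma. The last function shows why the page calls digest storage "much less secure": the stored HA1 alone is enough to answer any challenge for that realm.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """What htdigest writes as the third field: MD5(user:realm:password), unsalted."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def parse_authorization(header: str) -> dict:
    """Turn 'Digest k=v, k="v", ...' into a dict (assumes no commas inside values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def server_verify(htdigest_line: str, header: str, method: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare in constant time."""
    user, realm, stored_ha1 = htdigest_line.strip().split(":", 2)
    p = parse_authorization(header)
    if p.get("username") != user or p.get("realm") != realm:
        return False
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"],
                               p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


# Values from RFC 2617 section 3.5 (the RFC's worked example, not constructed here).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE, NC, URI = "0a4f113b", "00000001", "/dir/index.html"

# The line `htdigest passwdfile testrealm@host.com Mufasa` would store for that password.
HTDIGEST_LINE = f"{USER}:{REALM}:{ha1(USER, REALM, PASSWORD)}"

# The header a browser that knows the password sends (same layout as the page's capture).
CLIENT_HEADER = (
    f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", uri="{URI}", '
    f'algorithm=MD5, qop=auth, nc={NC}, cnonce="{CNONCE}", '
    f'response="{digest_response(ha1(USER, REALM, PASSWORD), "GET", URI, NONCE, NC, CNONCE)}"'
)


def forged_header_from_stolen_ha1(stolen_line: str) -> str:
    """An attacker holding only the htdigest line (no password) can still answer the challenge."""
    user, realm, h1 = stolen_line.strip().split(":", 2)
    nc = "00000002"                      # next nonce-count, as the page notes nc increments
    resp = digest_response(h1, "GET", URI, NONCE, nc, CNONCE)
    return (f'Digest username="{user}", realm="{realm}", nonce="{NONCE}", uri="{URI}", '
            f'algorithm=MD5, qop=auth, nc={nc}, cnonce="{CNONCE}", response="{resp}"')


if __name__ == "__main__":
    print(HTDIGEST_LINE)
    print(server_verify(HTDIGEST_LINE, CLIENT_HEADER, "GET"))                               # True
    print(server_verify(HTDIGEST_LINE, forged_header_from_stolen_ha1(HTDIGEST_LINE), "GET"))  # True
```

The second `True` is the practical consequence of the storage difference: a leaked `.htpasswd` still has to be cracked, a leaked htdigest file is directly usable as credentials for that realm.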
Multi htpasswd file
<AuthnProviderAlias file global.pw>
AuthUserFile "htpasswd/global.pw"
</AuthnProviderAlias>
<AuthnProviderAlias file datahunter.pw>
AuthUserFile "htpasswd/datahunter.pw"
</AuthnProviderAlias>
<VirtualHost *:443>
...
<Directory "/var/web/pages/secure">
# check global.pw first, then datahunter.pw (relative AuthUserFile paths are resolved against ServerRoot)
AuthBasicProvider global.pw datahunter.pw
AuthType Basic
AuthName "Protected Area"
Require valid-user
...
</Directory>
</VirtualHost>
URL Embedded Credentials
Error
Subresource requests whose URLs contain embedded credentials (e.g. `https://user:pass@host/`) are blocked.
Links and subresources on a page stored in the https://user:pass@host/file.txt form are blocked by current browsers; a top-level navigation with credentials still works, but the password then sits in history, bookmarks and server logs.
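A check for the problem above, as an added example that is not part of the page: scan HTML for `href`/`src`/`action` values that carry `user:pass@` credentials and produce the stripped URL to use instead. The HTML snippet is constructed for the example; the scanner uses only the standard library and treats any URL whose parsed `username` or `password` is set as a finding.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class CredentialLinkScanner(HTMLParser):
    """Collect (tag, attribute, original_url, stripped_url) for every URL with embedded credentials."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in self.URL_ATTRS or not value:
                continue
            parts = urlsplit(value)
            if parts.username is None and parts.password is None:
                continue                              # plain URL, nothing to report
            host = parts.hostname or ""               # hostname drops the user:pass@ part
            if parts.port:
                host += f":{parts.port}"
            cleaned = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
            self.findings.append((tag, name, value, cleaned))


def scan(html: str):
    scanner = CredentialLinkScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (not from the original): two offending URLs, two harmless ones.
SAMPLE_HTML = """
<a href="https://user:pass@example.com/file.txt">report</a>
<img src="https://bob:s3cret@example.com:8443/logo.png">
<a href="https://example.com/ok">fine</a>
<form action="/login">
"""

if __name__ == "__main__":
    for tag, attr, original, cleaned in scan(SAMPLE_HTML):
        print(f"<{tag} {attr}> carries credentials: {original} -> use {cleaned}")
```

Run it over generated pages before publishing; the stripped URL works for a reader who already has a Basic-auth session, and the browser prompts otherwise, which is the behaviour the blocked subresource request denies.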
Logout
Logging out of BASIC authentication
.htaccess
AuthType Basic
Require valid-user
...
# Method 1: Server
HTTP has no logout for Basic auth. When the browser receives a 401 (Unauthorized) from the server it asks the user for credentials again, which amounts to a logout.
Reason: after a 401 the browser assumes the cached credentials were wrong and discards them, so the server only needs to answer one request (e.g. a /logout URL) with 401 to force a fresh login.
# Method 2: Client
http://[email protected]/
Visiting the site with a different user name embedded in the URL makes the browser replace the cached credentials with the new (invalid) ones, which has the same effect.