How to Password Protect Web Directories by HTDIGEST

HTTP Basic Authentication (htpasswd) is a long-established technology that has evolved over many years. It is easy to set up, but its drawback is that the password is sent from the client to the server unencrypted, which leaves it vulnerable. Therefore we should choose the stronger authentication type, HTTP Digest Authentication (htdigest).

According to the official Apache document mod_auth_digest – Apache HTTP Server Version 2.4, the module mod_auth_digest is described as follows:
This module implements HTTP Digest Authentication (RFC2617), and provides an alternative to mod_auth_basic where the password is not transmitted as cleartext …
Now, let’s make the directory /private password-protected.
  1. Create a password file with an entry for the valid user “steven”
     [root@test ~]# htdigest -c /usr/local/httpd/passwords private_zone steven
     New password:
     Re-type new password:
     Adding password for user steven

     Please note that you must provide the realm name before the user name. In this case, the realm is “private_zone”.

  2. Check the file
     [root@test ~]# ls -l /usr/local/httpd/passwords
     -rw-r--r-- 1 root root 45 May 19 23:02 /usr/local/httpd/passwords

  3. Add the directives to the httpd configuration file (or .htaccess)
     [root@test ~]# vi /etc/httpd/conf/httpd.conf
     ...
     <Location /private/>
         AuthType Digest
         AuthName "private_zone"
         AuthDigestDomain /private/ https://www.example.com/private/
         AuthDigestProvider file
         AuthUserFile /usr/local/httpd/passwords
         Require valid-user
     </Location>
     ...

     The AuthName must match the realm name used in step 1.

  4. Make sure the module is loaded
     [root@test ~]# grep mod_auth_digest /etc/httpd/conf/httpd.conf
     LoadModule auth_digest_module modules/mod_auth_digest.so

     For httpd 2.4 or above, you should find the module like this:
     [root@test ~]# grep mod_auth_digest /etc/httpd/conf.modules.d/*
     /etc/httpd/conf.modules.d/00-base.conf:LoadModule auth_digest_module modules/mod_auth_digest.so

     Or you can use the following command:
     [root@test ~]# apachectl -M | grep auth_digest
     Syntax OK
      auth_digest_module (shared)

  5. Restart the httpd service
     [root@test ~]# service httpd restart
     Stopping httpd:                                            [  OK  ]
     Starting httpd:                                            [  OK  ]
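The two things that most often go wrong with this procedure are a realm in the password file that does not match the AuthName in the <Location> block, and a password file that is readable by every local user (the ls -l output above shows mode 644). The following script is an added example, not part of the original post or of Apache's own tooling: it builds htdigest-format records the same way the htdigest tool does (user:realm:MD5(user:realm:password), the HA1 value of RFC 2617), parses the <Location> block from httpd.conf, and reports realm mismatches, a non-Digest AuthType and an over-permissive file mode. The configuration text is the one from the post; the second password entry with a mistyped realm and the passwords themselves are constructed for the demonstration.

```python
import hashlib
import re
import stat


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Return one record in the format the htdigest tool writes:
    user:realm:MD5(user:realm:password). The hash is the HA1 value of
    RFC 2617, usable as-is by a client, which is why the file needs protecting."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"


def parse_htdigest(text: str) -> list:
    """Parse htdigest file contents into a list of (user, realm, ha1) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not re.fullmatch(r"[0-9a-f]{32}", parts[2]):
            raise ValueError(f"line {lineno}: not a user:realm:md5 record")
        entries.append(tuple(parts))
    return entries


def location_directives(conf: str, path: str) -> dict:
    """Collect the directives inside the <Location path> block of httpd.conf."""
    m = re.search(r"<Location\s+" + re.escape(path) + r"\s*>(.*?)</Location>", conf, re.S)
    if m is None:
        raise ValueError(f"no <Location {path}> block found")
    directives = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip().strip('"')
    return directives


def check_digest_setup(directives: dict, entries: list, file_mode: int) -> list:
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    if directives.get("AuthType") != "Digest":
        problems.append("AuthType is not Digest")
    if directives.get("AuthDigestProvider", "file") != "file":
        problems.append("AuthDigestProvider is not 'file'; AuthUserFile applies only to the file provider")
    realm = directives.get("AuthName")
    if realm is None:
        problems.append("AuthName (realm) is missing")
    for user, user_realm, _ in entries:
        if user_realm != realm:
            problems.append(f"user {user!r}: file realm {user_realm!r} != AuthName {realm!r}")
    # A stolen htdigest file is directly usable, so nobody but the owner should read it.
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("password file is readable by group or others")
    return problems


# Constructed sample: the <Location> block from the post.
SAMPLE_CONF = """
<Location /private/>
    AuthType Digest
    AuthName "private_zone"
    AuthDigestDomain /private/ https://www.example.com/private/
    AuthDigestProvider file
    AuthUserFile /usr/local/httpd/passwords
    Require valid-user
</Location>
"""

# Constructed sample password file: a correct entry plus one with a mistyped realm.
SAMPLE_PASSWORDS = "\n".join([
    htdigest_line("steven", "private_zone", "example-password"),  # constructed password
    htdigest_line("alice", "privatezone", "example-password"),    # realm typo, deliberately wrong
])


if __name__ == "__main__":
    directives = location_directives(SAMPLE_CONF, "/private/")
    entries = parse_htdigest(SAMPLE_PASSWORDS)
    for problem in check_digest_setup(directives, entries, 0o644):  # mode shown by ls -l in the post
        print("problem:", problem)
```

On a real host you would read httpd.conf and the AuthUserFile from disk and take the mode from os.stat(path).st_mode instead of the constants used here; the checks themselves do not change. The script is a consistency check only and does not replace the htdigest tool for creating the file.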

In the official document, Apache also recommends applying both HTTP Digest Authentication and SSL for better security:
Digest authentication was intended to be more secure than basic authentication, but no longer fulfills that design goal. A man-in-the-middle attacker can trivially force the browser to downgrade to basic authentication. And even a passive eavesdropper can brute-force the password using today’s graphics hardware, because the hashing algorithm used by digest authentication is too fast. Another problem is that the storage of the passwords on the server is insecure. The contents of a stolen htdigest file can be used directly for digest authentication. Therefore using mod_ssl to encrypt the whole connection is strongly recommended.
For better security, you can follow my post on setting up an official SSL certificate from a CA:
How to Make Your Official SSL Work – Openssl + Apache + Linux + CA.
Or you can create a self-signed SSL certificate at no cost:
How to Create Self-Signed Certificate by Openssl on CentOS 6.4

Besides password-protecting directories, you can also limit and block unwanted sources from accessing sensitive directories:
How to Limit Access to Web Directories Based on Hosts
