Monday, April 2, 2018

Setting up HTTP Digest Authentication


- Layout for this exercise:

- Whereas HTTP Basic Authentication sends "username:password" in clear text, merely encoded with Base64, HTTP Digest Authentication sends an MD5 hash derived from the credentials instead of the credentials themselves.

- In future posts we'll see how the MD5 digest is computed by the Apache server. For now, more information about HTTP Digest Authentication is available here:

- Let's set up HTTP Digest Authentication on the Apache web server for the folder "digestauth", located in the web root folder "/var/www/html/":

- First of all, the mod_auth_digest module must be installed:

- The htdigest utility creates the file (here a hidden file named .htdigest) that Apache uses to validate the credentials. The user provides three parameters:

     realm: whitelist_authority
     username: admin
     password: ababa

- Checking the content of the hidden file .htdigest:

- Adding some directives to the virtual host configuration file, located at "/etc/apache2/sites-enabled/000-default.conf":

- Note that the directives are specified for the folder "/digestauth", given as its full path. Also, AuthName must match the realm provided to htdigest and stored in .htdigest, in this case "whitelist_authority":

- Restarting the web server:

- Checking that the configuration is correct:

- Checking the status of the server:

- Now, when wrong credentials are provided, the server answers with an Unauthorized message:

- However, when authenticating with the correct credentials, the web resource becomes accessible:
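What .htdigest actually stores, and why the correct password passes while a wrong password, a realm that does not match AuthName, or a stale nonce all fail, as an added Python example (not the post's or Apache's own code; mod_auth_digest does the same RFC 2617 computation in C). It assumes the `auth` quality-of-protection mode and uses constructed nonce values in place of the random ones a real server and client generate:

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_line(username: str, realm: str, password: str) -> str:
    """The line htdigest writes: user:realm:HA1, with HA1 = MD5(user:realm:password).
    The password itself is never stored, but HA1 is password-equivalent for this realm."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    return f"{username}:{realm}:{ha1}"


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What a browser or curl --digest sends back (RFC 2617, qop=auth):
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(htdigest_text, username, realm, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute the expected response from the stored HA1 only.
    The realm passed here is the vhost's AuthName; if it differs from the realm
    given to htdigest, HA1 will not match and every login fails."""
    for line in htdigest_text.splitlines():
        user, stored_realm, ha1 = line.strip().split(":")
        if user == username and stored_realm == realm:
            ha2 = md5_hex(f"{method}:{uri}")
            expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
            return secrets.compare_digest(expected, response)
    return False  # unknown user or realm mismatch


# Constructed values standing in for the real exchange: the htdigest output for the
# post's credentials, plus a server nonce and client cnonce (random per challenge in practice).
HTDIGEST = htdigest_line("admin", "whitelist_authority", "ababa") + "\n"
NONCE, NC, CNONCE = "constructed-server-nonce", "00000001", "constructed-cnonce"


def attempt(password, realm="whitelist_authority", nonce=NONCE):
    """Simulate one GET /digestauth/ with the given client-side inputs; return whether it is accepted."""
    resp = client_response("admin", realm, password, "GET", "/digestauth/", nonce, NC, CNONCE)
    return verify(HTDIGEST, "admin", "whitelist_authority", "GET", "/digestauth/",
                  NONCE, NC, CNONCE, resp)


if __name__ == "__main__":
    print("good password:", attempt("ababa"))                            # True
    print("bad password:", attempt("wrong"))                             # False
    print("realm typo:", attempt("ababa", realm="withelist_authority"))  # False
    print("stale nonce:", attempt("ababa", nonce="old-nonce"))           # False
```

Because the stored HA1 lets anyone holding the file answer challenges for that realm, .htdigest must not be served by Apache (its default config denies files beginning with ".ht", which is why the hidden name matters) and should be readable only by the web server user.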