uses ordinary text files for the authentication database. Entries
are of the form “
additional fields may follow the password, separated from it
by a colon,
but they’re ignored.
except that the authentication credentials are stored in a
Berkeley DB file format. The directives contain the additional
letters “DB” (e.g.,
mod_auth_db, save that credentials are stored
in a DBM file.
having a database of valid credentials, it recognises a list of
valid usernames (i.e., the way an FTP server recognises
anonymous) and grants access
to any of those with essentially any password. This module is
more useful for logging access to resources and keeping
robots out than it is for actual access control.
Apache all support Basic authentication,
mod_auth_digest is currently
the sole supporter of the Digest mechanism. It underwent some
serious revamping in 1999, and the new version is currently
considered ‘experimental,’ but no problems have been identified with
the new code and it’s likely to be moved back into the standard
stable soon. Like
mod_auth, the credentials used by
this module are stored in a text file. Digest database
files are managed with the
mod_digest is much more involved than
setting up Basic authentication; please see the
module documentation for details.
Allowing Users to Control Access to Their Own Documents
All of the security-related module directives can be used in
.htaccess files. However,
in order for Apache to pay attention to them, the directories
in question need to be within the scope of a
directive that includes the
AuthConfig (for discretionary controls) and/or
Limit (for mandatory controls) keywords.
For instance, a standard Linux installation of Apache can enable
this with the following lines in the
AllowOverride AuthConfig Limit
Using Your System
This is a common request, and an incredibly bad idea: "How
can I use my system's
/etc/passwd file as my
Web authentication database?"
The simple answer is: you don't. I'll just list a couple
- If someone manages to crack the username and password of someone
accessing a Web page, that person can now log onto your system.
(Remember, most of the Web authentication uses the Basic
method, which is incredibly simple to crack.)
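
Added example (not from the original article): a small audit of a mod_auth-style text credentials file that treats every field after the password as ignored, and flags entries that look copied from /etc/passwd or /etc/shadow or that reuse a system login name. The username:password layout, the sample file contents and the SYSTEM_USERS set are assumptions constructed for illustration.

```python
# Constructed sample of a text credentials file (not real data).
SAMPLE_AUTH_FILE = """\
# web-only accounts
alice:$apr1$Qx3kL9aB$constructedhashvalue00
bob:rq8XkZp1LmN2o:extra:fields:ignored
carol:x:1001:1001:Carol Example:/home/carol:/bin/bash
dave:$6$saltsalt$constructedshadowhash:19000:0:99999:7:::
root:$apr1$Zz9mN1cD$constructedhashvalue01
"""

# Constructed stand-in for the login names present in the system passwd file.
SYSTEM_USERS = {"root", "carol", "dave"}


def audit_auth_file(text, system_users):
    """Return (line_no, user, reason) for entries that look system-derived."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((line_no, fields[0], "malformed: no password field"))
            continue
        user, extra = fields[0], fields[2:]  # extra fields are ignored by the server
        # passwd layout: name:pw:uid:gid:gecos:home:shell (7 fields)
        if len(fields) == 7 and extra[0].isdigit() and extra[1].isdigit():
            findings.append((line_no, user, "passwd-style entry"))
        # shadow layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
        elif len(fields) == 9 and extra[0].isdigit():
            findings.append((line_no, user, "shadow-style entry"))
        elif user in system_users:
            findings.append((line_no, user, "name matches a system account"))
    return findings


if __name__ == "__main__":
    for line_no, user, reason in audit_auth_file(SAMPLE_AUTH_FILE, SYSTEM_USERS):
        print(f"line {line_no}: {user}: {reason}")
```

A name match alone does not prove the password is shared; it marks the entry for review.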