mod_auth_mysql-auth

mod_auth_mysql-auth is a patch for mod_auth_mysql for it to hook directly into mod_auth_basic and mod_auth_digest.

This patch will only work for httpd v2.*, as the hooks are only available in that version’s mod_auth.

mod_auth_mysql, for reasons such as being able to compile and run for httpd v1.*, has stuck with the method of hooking into the apache handlers before mod_auth_basic, allowing it to pass through to mod_auth_basic to handle the WWW-Authenticate header creation, and process the response itself.

mod_auth_digest however provided some additional security checks that get run on the response, so is not able to be used in this way. However both support another set of hooks for callbacks (check_password and get_realm_hash), to their internal functions.

mod_auth_mysql-auth uses these hooks to provide the much more secure digest authentication. This means that the password is no longer sent in cleartext so cannot easily be decrypted, and the server can prevent replay attacks.

Unless the password is in plaintext (AuthMySQLPwEncryption plain), the module will assume the password in AuthMySQLPasswordField is in digest format. To generate a digest, you must store the results of the following (where realm is equal to the AuthName directive):

MD5('username:realm:password')

Download

mod_auth_mysql-3.0.0-auth.patch
mod_auth_mysql-auth-3.0.0-3.1.src.rpm

Usage

AuthType Digest
AuthName My Realm
AuthDigestProvider mysql
 
AuthMySQLHost localhost
AuthMySQLUser auth_user
AuthMySQLPassword auth_password

Configuration

See the following for their corrisponding configuration details:

Leave a Reply

Your email address will not be published. Required fields are marked *