Feature Proposal: Change (or Add as option) Apache Digest Auth
Motivation
From the Apache docs:
It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted.
Description and Documentation
To make logging in to a Foswiki with Apache Auth enabled more secure, the Digest Authentication method should be supported. Digest does not transfer the password in clear text.
Examples
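As an added illustration (not Foswiki or Apache code) of why Digest does not carry the password over the wire: `htdigest` stores only HA1 = MD5(user:realm:password), the client sends MD5(HA1:nonce:nc:cnonce:qop:HA2), and the server recomputes that from the stored HA1 without ever seeing the password. The user, realm, nonce and other values below are the sample exchange from RFC 2617 section 3.5; `basic_header_password` is a constructed contrast showing that a Basic header decodes straight back to the password.

```python
import base64
import hashlib
import hmac


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """What htdigest writes: user:realm:HA1. The password itself is never stored."""
    return f"{user}:{realm}:{_md5hex(f'{user}:{realm}:{password}')}"


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side (RFC 2617, qop=auth): this digest is all that goes over the wire."""
    ha1 = _md5hex(f"{user}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_check(entry, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1; no password needed, constant-time compare."""
    _user, _realm, ha1 = entry.split(":", 2)
    ha2 = _md5hex(f"{method}:{uri}")
    expected = _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def basic_header(user: str, password: str) -> str:
    """Constructed contrast: what a Basic client sends in the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_header_password(header: str) -> str:
    """A Basic header is only base64 of user:password, so anyone on the path reads it back."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[1]


# RFC 2617 section 3.5 sample values
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_NC, RFC_CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
RFC_ENTRY = htdigest_entry(RFC_USER, RFC_REALM, RFC_PASSWORD)
RFC_RESPONSE = digest_response(RFC_USER, RFC_REALM, RFC_PASSWORD, "GET", "/dir/index.html",
                               RFC_NONCE, RFC_NC, RFC_CNONCE)

if __name__ == "__main__":
    print(RFC_ENTRY)
    print(RFC_RESPONSE)  # 6629fae49393a05397450978507c4ef1 (RFC 2617 sample response)
    print(basic_header_password(basic_header(RFC_USER, RFC_PASSWORD)))
```

The caveat a practitioner would add: Digest protects the password in transit, but the stored HA1 is a single unsalted MD5 and the nonce-based exchange is still exposed to offline guessing if the htdigest file or a capture leaks, so it complements TLS rather than replacing it.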
Impact
Implementation
--
Contributors: CharlesAdicke - 09 Dec 2010
Discussion
ApacheAuth uses whatever auth method apache has configured. So it should already work with Digest, if that's how you've configured Apache. If this doesn't work, please raise an urgent bug.
Perhaps you want ApacheConfigGenerator to support digest configurations? I think that's a great idea, but probably doesn't need a feature proposal; feel free to go ahead and add it (or add a note on the page under "Wanted Improvements").
Perhaps you are referring to the Foswiki documentation text; that's something we can certainly improve.
--
PaulHarvey - 09 Dec 2010
Apache has its own variation on MD5 which is defined as "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. I've already implemented it as part of ImproveHtPaswdUserFlexibility. Once that proposal is accepted I'll change this one to MergedToCore.
The impact of this particular piece is very minimal - adds an optional dependency for Crypt::DigestMD5.
For now setting the date of commitment to 12 July 2011 since the work is covered under another proposal of that date.
--
GeorgeClark - 23 Jul 2011
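To make the "$apr1$" scheme described above concrete, here is an added, stand-alone implementation of the apr1 MD5-crypt variant (the salted, 1,000-round MD5 construction that `htpasswd -m` produces), written for this page and not taken from Foswiki, Apache or the Crypt module mentioned. It follows the apr_md5 algorithm as published in APR: one pre-hash of password+salt+password mixed into the first digest, a length-driven bit loop, 1,000 rounds whose inputs depend on the round number, and the custom base64-style output order. The `saltsalt` salt and the `apr1_verify` helper are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    """APR's crypt-style encoding: 6 bits per character, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_crypt(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<22 chars>" for password. Salt may be bare or a full hash."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt_b = salt.split("$", 1)[0][:8].encode()  # at most 8 salt characters are used
    pw = password.encode()

    # Alternate digest: MD5(password + salt + password), mixed into the main digest
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + MAGIC.encode() + salt_b)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # Bit loop over the password length: a zero byte for 1 bits, first password byte for 0 bits
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1,000 rounds; which inputs go in depends on the round number (i & 1, i % 3, i % 7)
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final  # output bytes are interleaved in APR's fixed order
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return MAGIC + salt_b.decode() + "$" + encoded


def apr1_hash(password: str) -> str:
    """Hash with a fresh random 8-character salt, as htpasswd -m does."""
    return apr1_crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))


def apr1_verify(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in the stored value and compare in constant time."""
    if not stored.startswith(MAGIC):
        return False
    return hmac.compare_digest(apr1_crypt(password, stored), stored)


if __name__ == "__main__":
    h = apr1_hash("correct horse")
    print(h, apr1_verify("correct horse", h), apr1_verify("wrong", h))
```

Two things worth noticing from the code: the same password with a different salt yields an unrelated hash, and verification never needs the salt stored separately because it is carried inside the "$apr1$salt$" prefix, which is why an .htpasswd line is self-describing.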