
Security tip of the day: Use htdigest instead of htpasswd for phpMyAdmin and other sensitive stuff

11 May

I just realized that there was a better alternative to basic authentication for Apache 2.2. According to http://httpd.apache.org/docs/2.1/howto/auth.html:

“The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent browsers support Digest authentication.”

So I read http://httpd.apache.org/docs/2.1/mod/mod_auth_digest.html and http://httpd.apache.org/docs/2.1/programs/htdigest.html and did the following:

htdigest -c apachePassword phpmyadmin myUser

Answered the questions asked by htdigest and checked that a new file named apachePassword was created. After that I edited my /etc/apache2/apache2.conf file and added these:

# htdigest authentication
<Location /phpmyadmin/>
          AuthType Digest
          AuthName "phpmyadmin"
          AuthDigestDomain /phpmyadmin/ http://myserver.com/phpmyadmin/

          AuthDigestProvider file
          AuthUserFile /home/myUser/apachePassword
          Require valid-user
</Location>

Then I enabled auth_digest by issuing the following command: a2enmod auth_digest. Finally I checked my Apache configuration file with the apache2ctl -t command and restarted the Apache web server. When I then visited http://myserver.com/phpmyadmin, I was greeted with Apache's username / password dialog before being able to see phpMyAdmin's screen.
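To show what the apachePassword file actually stores and how the server checks the browser's reply without the password ever travelling over the wire, here is an added Python example (not code from the post or from Apache; the user and realm match the htdigest command above, while the password, nonce and cnonce are constructed values):

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line as htdigest writes it: user:realm:HA1, with HA1 = MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def load_htdigest(text: str) -> dict:
    """Parse an htdigest file into {(user, realm): HA1}. HA1 is a hash, not the password,
    but whoever holds it can answer challenges for this realm, so guard the file like one."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, realm, ha1 = line.split(":", 2)
            entries[(user, realm)] = ha1
    return entries

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_header(user, realm, password, method, uri, nonce, cnonce="0a4f113b", nc="00000001"):
    """What the browser sends back after the 401 challenge; only the response hash leaves it."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest_header(header: str) -> dict:
    body = header[len("Digest "):]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)
    return {k: quoted or bare for k, quoted, bare in pairs}

def verify_authorization(header, method, entries, issued_nonce):
    """Server side: recompute the response from the stored HA1 and compare in constant time."""
    p = parse_digest_header(header)
    ha1 = entries.get((p.get("username"), p.get("realm")))
    if ha1 is None or p.get("nonce") != issued_nonce:
        return False
    expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p.get("response", ""))

# Constructed sample in the format "htdigest -c apachePassword phpmyadmin myUser" writes.
SAMPLE_FILE = htdigest_line("myUser", "phpmyadmin", "correct horse") + "\n"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed; Apache issues its own per challenge
```

Note that the hash in the file is bound to the realm string, so the AuthName in the Location block must match the realm given to htdigest ("phpmyadmin" here) or no user will validate.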


Posted by on May 11, 2010 in security, sysadmin


2 responses to “Security tip of the day: Use htdigest instead of htpasswd for phpMyAdmin and other sensitive stuff”

  1. Andy

    July 12, 2010 at 23:17

    Thanks!

  2. Gerard

    February 1, 2014 at 15:28

    Actually Digest Auth is not as secure as you might think. The password file on the server is vulnerable because it contains reversible encryption. If you seek more security Apache’s advice is to use Basic Auth instead combined with mod_ssl.

    For further reading:

    http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

