17 comment

1. Great article. Works after one small type correction.

   you wrote:

   
auth.backend.htdigest.userfile = "/etc/lighttpd/.passwd "


   I copied and pasted the above and couldn’t restart lighttpd. There’s a space after .passed and before the ending quote. Removing the space, lighty started fine.

   Thanks for this tutorial and all the others.

2. Thai,

   Opps, sorry for typo, post has been updated.

   Appreciate your post!

3. hi,
   if i have some fils in the http folder and in browser i write http://mydomain.com/http/some.jpg

   it gives me an error 404 not found and in have done secure digest authentication on the http folder

   why i m getting this problem i m not able to figure it out.

   please help me. Thanks in advance

4. Unfortunately lighttpd still doesnt write meaningful entries into error.log on failed logins so its hard to check for wordbook attacks etc.

5. htdigest is available on apache2-utils, if you don’t have it, you can install it by this cmd on debian system

   apt-get install apache2-utils

6. what should be the correct unix permissions for .passwd?

   I’m getting this error:
   2008-07-22 11:44:23: (http_auth.c.151) opening digest-userfile /etc/lighttpd/.passwd failed: Permission denied

7. Peter,

   You should set permission to lighttpd or www i.e. lighttpd server username using chmod command.

8. # ls -la /etc/lighttpd/
   drw-r—– 2 www www 512 Jul 22 19:16 .
   drwxr-xr-x 21 root wheel 2048 Jul 21 14:30 ..
   -rw-r–r– 1 www www 60 Jul 22 19:16 .passwd

   # tail -f /var/log/lighttpd.error.log
   2008-07-22 19:27:50: (http_auth.c.1002) username xpto
   2008-07-22 19:27:50: (http_auth.c.1003) realm Authorized users only
   2008-07-22 19:27:50: (http_auth.c.1004) nonce 27292a400655857236e04710538278ba
   2008-07-22 19:27:50: (http_auth.c.1005) uri /wordpress/wp-admin/
   2008-07-22 19:27:50: (http_auth.c.1006) algorigthm MD5
   2008-07-22 19:27:50: (http_auth.c.1007) qop auth
   2008-07-22 19:27:50: (http_auth.c.1008) cnonce 21nkwLwMcFj1CHbiIF9IzfvpLzHgiNpzNzZEJzptCcW=
   2008-07-22 19:27:50: (http_auth.c.1009) nc 00000001
   2008-07-22 19:27:50: (http_auth.c.1010) response 96649fb136d6c4fc4bfd21e13a7d7f23
   2008-07-22 19:27:50: (http_auth.c.151) opening digest-userfile /etc/lighttpd/.passwd failed: Permission denied

9. What is output of the following command?
   grep -i server.username /etc/lighttpd/lighttpd.conf
   You need to use that username, also make sure, /etc/lighttpd also owned by that user.

10. # grep -i server.username /usr/local/etc/lighttpd.conf
    server.username = “www”

    I created the .passwd on another machine running apache, but I think that’s not the cause of this error

11. When we do this is there any way to prevent browser pop-up ..i want to process response in my javascript but 401 gives control to browser.

    Is any alternative to get nonce &pass it to javascript (like creating socket & GET request on server side with cgi & then changing 401 code to something random). I want gui of my javascript.

    Please reply

    1. You would need to write a login script manually with PHP in order to do that as far as I know, it is the browser makers who control what the login box looks like with this method.

12. apt-get install apache2-utils

    to get htdigest.

13. Hello,

    is php needed for this to work?

14. Hi I am able to setup the wholw thing and the site is asking for authentication. Now the problem is I want to change the appearance of the authentication dialog box. So can anyone help me find where exactly the call point for this dialog box is present, so that i can map my dialog box to it.

15. An alternative to the htdigest command found in apache2-utils can be found on this page: http://redmine.lighttpd.net/projects/1/wiki/Docs_ModAuth

16. MD5 for digest is not really secure either.

    Have a question? Post it on our forum!