user606521

Reputation: 15434

http digest authentication with .htpasswd

I am working on Windows and for now I have HTTP Basic authentication with the following .htaccess file:

AuthName "Restricted Area" 
AuthType Basic
AuthUserFile D:\\some\\windows\\path/.htpasswd 
require valid-user

and the following .htpasswd file for user "test" with password "test" (created using http://www.htaccesstools.com/htpasswd-generator-windows/):

test:$apr1$EUhLJ8Ye$LpBIbzDcBXY.80pH53oN2/

This works: I am able to enter the correct username and password and I gain access.

But as I am not using SSL, I would like to use Digest authentication (to avoid sending the password in plain text to the server). I changed the line AuthType Basic to AuthType Digest, but it is not working anymore - even if I type the correct user and pass I can't gain access.

Probably I should encrypt/hash the password in .htpasswd using a different algorithm, but I can't find it...

Upvotes: 1

Views: 6900

Answers (1)

ben

Reputation: 557

If you want to use digest authentication, you'll have to create new password files. Those for digest auth will have a slightly different format than that used for basic auth. Typically, Apache comes with tools for doing this.

Look out for the command line programs "htpasswd.exe" and "htdigest.exe". You need to use the second one for generating password files for digest auth. Use it like this:

c:\path\to\htdigest.exe -c c:\some\windows\path.htpasswd_digest realm username

You'll only need "-c" the first time you issue the command. If you only add new users to an existing file, it's like:

c:\path\to\htdigest.exe c:\some\windows\path.htpasswd_digest realm another_username

"realm" should be the same value you used in your Apache config for AuthName.

Oh, and obviously, don't forget to update AuthUserFile in your Apache configuration...

Upvotes: 2
