Password file

2006/08/23
2003/01/01

Location

	$web/etc/passwd

Description

To control access with passwords, use "$web/etc/passwd", where "$web" is the httpd root. For compatibility, the file supports both an old format and a new format. The old format works only with basic authentication, whereas the new format supports both basic and digest authentication.

For example:

	alice  54ef36ec71201fdf9d1423fd26f97f6b /photo/private
	alice  3a58b912829a2e4b4720c3a41e58dd29 /private alice@hera

The first line, which consists of three fields, is in the old format; the second line, which consists of four fields, is in the new format.

Basic authentication is disallowed by default. If you do want to allow it, set "allowbasic" to 1 in "/sys/lib/httpd.conf" as follows:

	allowbasic    1       # 1: allow basic authentication

In both formats, the first field is the user name that you are prompted to enter in the browser window during authentication. The name need not be registered in "/adm/users". Spaces are allowed in the name. For example, if you want a user name such as "aladdin's lamp", you can give that name as an rc-style quoted string:

	'aladdin''s lamp'       54ef36ec71201fdf9d1423fd26f97f6b /photo/private

The password is hashed for safety; the hash is in the second field.
The third field is the path protected by authentication. All accesses to this path or to anything deeper require authentication.
The fourth field is the realm name. The realm name helps the browser present the appropriate authentication information to the server. In the old format, the path name is used in place of the realm value.

In the file "passwd", lines beginning with "#" are comments. Blank lines are allowed.

The file "passwd" is located on the CPU server, so it may be readable by other users. A good password is required even though it is hashed. Running Pegasus in server mode is preferable, because the server can then run as a user such as "web" and permission bits can protect the file from being read by other users.

New format -- Basic and Digest authentication

	alice 3a58b912829a2e4b4720c3a41e58dd29 /private alice@hera
This single line supports both basic and digest authentication. The line consists of four fields:
	user key path realm
The key is produced with Plan 9 shell commands as follows:
	echo -n 'user:realm:password' | md5sum
For example, if alice wants to set the password "black cat" for the realm "alice@hera", she gets the key as follows:
	echo -n 'alice:alice@hera:black cat' | md5sum
which will produce the key in the example.

Old format -- Basic authentication

	alice   54ef36ec71201fdf9d1423fd26f97f6b /photo/private
Regular lines have three fields:
	user key path
The key is produced from the password using "echo -n":
	echo -n 'open sesame' | md5sum

This authentication is based on "basic authentication" as defined in HTTP/1.0. The scheme is widely used because of its simplicity, but it is vulnerable to network snooping. Therefore, don't use it for secure documents. The problem is much reduced if you use the "https" protocol.

See path matching for more information on how the server judges whether the requested path matches the third field. The judgment is made after all URI transformations. (That is, the requested path has already been transformed to the path of a file.)
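
A reader for the file format described on this page, checking a basic-authentication attempt against both the old and the new key forms. This is an added example, not Pegasus code: the function names and the sample file are constructed here, and the prefix test is an assumed stand-in for the server's path matching rules.

```python
import hashlib
import hmac
import re

def rc_fields(line):
    """Split on blanks; inside rc-style quotes, '' stands for one literal '."""
    toks = re.findall(r"'(?:[^']|'')*'|[^\s']+", line)
    return [t[1:-1].replace("''", "'") if t.startswith("'") else t for t in toks]

def make_key(password, user=None, realm=None):
    """Old format hashes the password alone; new format hashes user:realm:password."""
    data = password if realm is None else "%s:%s:%s" % (user, realm, password)
    return hashlib.md5(data.encode()).hexdigest()

def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comment lines
        f = rc_fields(line)
        if len(f) not in (3, 4):
            raise ValueError("bad passwd line: %r" % line)
        # Old format has no realm field; the path stands in for it.
        entries.append({"user": f[0], "key": f[1], "path": f[2],
                        "realm": f[-1], "old": len(f) == 3})
    return entries

def check_basic(entries, user, password, path):
    """True if some entry for this user covers the path and the key matches."""
    for e in entries:
        # Assumption: plain prefix test on a path boundary, not the server's own rules.
        root = e["path"].rstrip("/")
        if e["user"] == user and (path == root or path.startswith(root + "/")):
            want = make_key(password) if e["old"] else make_key(password, user, e["realm"])
            # Constant-time comparison of the computed and stored keys.
            if hmac.compare_digest(want.encode(), e["key"].lower().encode()):
                return True
    return False

# Constructed sample file: keys are generated here, not copied from the page.
SAMPLE = "# comment\n\n'aladdin''s lamp' %s /photo/private\nalice %s /private alice@hera\n" % (
    make_key("open sesame"), make_key("black cat", "alice", "alice@hera"))
```

An old-format key depends only on the password, so two users with the same password have identical keys in the file; the new format mixes the user name and realm into the hash.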