$web/etc/passwd
Pegasus supports both the Basic and the Digest authentication scheme. The password file is “$web/etc/passwd”, where $web is the httpd root. This means that access control is the job of the document owner.
For compatibility reasons the file supports both an old and a new line format. The old format is for Basic authentication only; the new format supports both Basic and Digest authentication.
An example:
    alice c05f2777ab3d9488d07d0e3f8e38c79a /foo
    alice 3a58b912829a2e4b4720c3a41e58dd29 /bar alice@hera
You will observe two types of lines: a line that consists of three fields (old format) and a line that consists of four fields (new format).
In both formats the first field is the user name that the browser prompts you for when authenticating. The name need not be registered in “/adm/users”. Spaces are allowed in the name. For example, if you want a user name such as “aladdin's lamp”, give it as an rc-style quoted string (single quotes, with an embedded quote written as two quotes):
    'aladdin''s lamp' 54ef36ec71201fdf9d1423fd26f97f6b /photo/private
The second field is an MD5 sum, derived as follows.
For the old format:
    echo -n 'black cat' | md5sum
and for the new format:
    echo -n 'alice:alice@hera:black cat' | md5sum
In these examples “black cat” is the user's password and “alice@hera” is the authentication realm. The -n matters: a trailing newline in the input would change the sum. The new-format value is exactly the H(A1) of HTTP Digest authentication, MD5(user:realm:password), which is why a new-format line can serve Digest requests.
The third field is the path protected by the authentication. Every access to this path, or to anything deeper than it, requires authentication.
In the new format the fourth field is the name of the realm. The browser shows it in the prompt and uses it to decide which saved credentials to present to the server. In the old format the path name is used in place of the realm.
In the file “passwd”, lines beginning with “#” are comments. Blank lines are ignored.
A good password is still required even though only a hash is stored: the old-format sum is an unsalted MD5 of the password alone and is cheap to brute-force offline, and the new-format sum is the Digest H(A1), so anyone who can read it can authenticate as that user without knowing the password at all. Running Pegasus in server mode is therefore preferable, because the server can then run as a dedicated user such as “web” and the file can be protected by permission bits from being read by other users.
A fifth field can name the scheme to be used for the line:
    alice ... /foo realm Basic
    alice ... /foo realm Digest
These keywords are case insensitive; the actual implementation looks only at the first letter, “B” or “D”.
Windows presents the user name in one of the following forms:
    alice@host
    host\alice
where “host” is the domain name or the IP address of the domain.
One solution is to restrict the user name to one of the Windows formats. The shortcoming is that Mac OS X users are then forced to enter a user name in Windows format as well.
Another solution is to allow multiple user names for a single path name, which Pegasus permits. The example is shown below:
    alice ... /foo alice@hera
    alice@host ... /foo alice@hera
where “...” is an MD5 sum. Note that in the new format each line needs its own sum, because the user name is part of the hashed string.
See path matching for how the requested path is judged against the third field. The judgement is made after all URI transformations, that is, against the path of the file to which the request has been mapped.
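The following is an added example, not part of the Pegasus documentation or source: a small Python parser and credential checker for the passwd format described above (field splitting with rc-style quotes, old and new formats, comment and blank lines, the fifth-field scheme keyword, several user names on one path), together with the Basic and Digest checks that the two hash recipes make possible. The sample file is constructed for the example, the Digest computation is the RFC 2617 qop=auth variant, and path_protects is a simplified stand-in for Pegasus's own path matching rules.

```python
# Added example (not Pegasus code): parser and credential checker for the
# $web/etc/passwd format as documented above.  Assumptions are marked.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    user: str
    digest: str                   # hex MD5 from the second field
    path: str                     # protected path (third field)
    realm: Optional[str] = None   # None: old format, the path doubles as realm
    scheme: Optional[str] = None  # "B" or "D" when a fifth field names the scheme

    @property
    def old_format(self) -> bool:
        return self.realm is None


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def split_fields(line: str) -> List[str]:
    """Split on whitespace, honouring rc-style quoting: '...' with '' for a quote."""
    fields: List[str] = []
    cur: Optional[str] = None
    quoted = False
    i = 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c != "'":
                cur = (cur or "") + c
            elif i + 1 < len(line) and line[i + 1] == "'":
                cur = (cur or "") + "'"   # doubled quote is a literal quote
                i += 1
            else:
                quoted = False
        elif c == "'":
            quoted = True
            cur = "" if cur is None else cur
        elif c.isspace():
            if cur is not None:
                fields.append(cur)
                cur = None
        else:
            cur = (cur or "") + c
        i += 1
    if quoted:
        raise ValueError("unterminated quote: " + line)
    if cur is not None:
        fields.append(cur)
    return fields


def parse_passwd(text: str) -> List[Entry]:
    """Old format = 3 fields, new format = 4 fields, optional 5th = scheme."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and blank lines
            continue
        f = split_fields(line)
        if len(f) == 3:
            entries.append(Entry(f[0], f[1], f[2]))
        elif len(f) in (4, 5):
            scheme = f[4][:1].upper() if len(f) == 5 else None   # only "B"/"D" count
            if scheme not in (None, "B", "D"):
                raise ValueError("unknown scheme in line: " + raw)
            entries.append(Entry(f[0], f[1], f[2], f[3], scheme))
        else:
            raise ValueError("bad field count in line: " + raw)
    return entries


def path_protects(protected: str, req_path: str) -> bool:
    """Assumption: a simplified match, req_path equal to or below the path."""
    return req_path == protected or req_path.startswith(protected.rstrip("/") + "/")


def entries_for(entries: List[Entry], req_path: str) -> List[Entry]:
    """All lines covering req_path; several lines may share one path."""
    return [e for e in entries if path_protects(e.path, req_path)]


def check_basic(e: Entry, user: str, password: str) -> bool:
    if user != e.user or e.scheme == "D":
        return False
    want = md5hex(password) if e.old_format else md5hex(f"{user}:{e.realm}:{password}")
    return hmac.compare_digest(want, e.digest)


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response with qop=auth; HA1 = MD5(user:realm:password)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def check_digest(e: Entry, user: str, method: str, uri: str, nonce: str,
                 nc: str, cnonce: str, response: str) -> bool:
    # An old-format line stores MD5(password), not HA1, so it cannot serve Digest.
    if e.old_format or user != e.user or e.scheme == "B":
        return False
    want = digest_response(e.digest, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(want, response)


# Constructed sample file; sums computed from the documented recipes.
SAMPLE = f"""# constructed sample
alice {md5hex('black cat')} /foo

alice {md5hex('alice:alice@hera:black cat')} /bar alice@hera
'aladdin''s lamp' {md5hex('sesame')} /photo/private
alice {md5hex('alice:alice@hera:black cat')} /baz alice@hera Digest
'alice@host' {md5hex('alice@host:alice@hera:black cat')} /baz alice@hera digest
"""
ENTRIES = parse_passwd(SAMPLE)
```

The two /baz lines show the same person under a plain and a Windows-style name; each carries its own sum because the user name is part of the hashed string, and both are found by entries_for for a request below /baz.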