PASSWD

LOCATION

	$web/etc/passwd

DESCRIPTION

Pegasus supports both the Basic and Digest authentication schemes. The password file is “$web/etc/passwd”, where $web is the httpd root. This means access control is the job of the document owner.

For compatibility reasons, the file supports both an old format and a new format. The old format is only for Basic authentication. The new format, on the other hand, supports both Basic and Digest authentication.

The example is as follows:

alice	 c05f2777ab3d9488d07d0e3f8e38c79a   /foo
alice    3a58b912829a2e4b4720c3a41e58dd29   /bar alice@hera

There are two types of lines: a line that consists of three fields, and a line that consists of four fields.
The former type is the old format and the latter is the new format.


NB: The old format might be dropped from support in the future.

In both formats, the first field is the user name that you are prompted to enter in the browser's window during authentication. The name need not be registered in “/adm/users”. Spaces are allowed in the name. For example, if you want a user name such as “aladdin's lamp”, you can give that name as an rc-style quoted string as follows:

'aladdin''s lamp'       54ef36ec71201fdf9d1423fd26f97f6b /photo/private

The second field is an MD5 sum that is derived as follows.
For the old format:

	echo -n 'black cat' | md5sum

and for the new format:

	echo -n 'alice:alice@hera:black cat' | md5sum

In these examples, “black cat” is the user's password and “alice@hera” is the authentication realm.

The third field is the path that is protected by authentication. All accesses to this path, or to anything deeper than it, require authentication.

In the new format, the fourth field is the name of the realm. The name helps the browser present the appropriate authentication information to the server. In the old format, the path name was used in place of the realm value.

In the file “passwd”, lines beginning with “#” are comments. Blank lines are ignored.

A good password is required even though it is stored hashed. Using the server mode of Pegasus is preferable because the server can run as a user such as “web”. The file can then be protected by permission bits against reading by other users.

Keywords, Basic and Digest, in the fifth field

In the new format, the actual scheme is determined by negotiation with the client. However, this ambiguity might cause problems in some situations. Therefore the keywords Basic and Digest were introduced. Usage examples are as follows:

alice    ...   /foo realm Basic
alice    ...   /foo realm Digest

These keywords are case insensitive. The actual implementation looks only at the first letter, “B” or “D”.
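
The file format described above, as an added example that is not part of Pegasus or of the original page: a Python parser for the entries (rc-style quoting, comments, old and new format, the fifth-field keyword) together with the computation of the second field. The function names, the skipping of malformed lines, and treating only a “#” in the first column as a comment are assumptions.

```python
import hashlib

def split_fields(line):
    """Split on whitespace; rc-style quotes group a field, '' inside them is one '."""
    fields, cur, in_quote, i = [], None, False, 0
    while i < len(line):
        c = line[i]
        if in_quote:
            if c != "'":
                cur += c
            elif line[i + 1:i + 2] == "'":  # doubled quote: literal '
                cur += "'"
                i += 1
            else:
                in_quote = False
        elif c == "'":
            in_quote, cur = True, cur or ""
        elif not c.isspace():
            cur = (cur or "") + c
        elif cur is not None:  # whitespace ends the current field
            fields.append(cur)
            cur = None
        i += 1
    return fields + ([cur] if cur is not None else [])

def parse_passwd(text):
    """Return one dict per entry: three fields is old format, four or more is new."""
    entries = []
    for line in text.splitlines():
        f = [] if line.startswith("#") else split_fields(line)
        if len(f) < 3:
            continue  # comment, blank line, or (assumption) malformed line
        key = f[4][:1].upper() if len(f) > 4 else ""  # only the first letter counts
        entries.append({"user": f[0], "hash": f[1], "path": f[2],
                        "format": "new" if len(f) > 3 else "old",
                        "realm": f[3] if len(f) > 3 else f[2],  # old: path as realm
                        "scheme": {"B": "Basic", "D": "Digest"}.get(key)})
    return entries

def entry_hash(user, password, realm=None):
    """Second field: MD5(password) for old format, MD5(user:realm:password) for new."""
    data = password if realm is None else f"{user}:{realm}:{password}"
    return hashlib.md5(data.encode()).hexdigest()

SAMPLE = """# constructed sample; hash values copied from the lines on this page
alice    c05f2777ab3d9488d07d0e3f8e38c79a   /foo
alice    3a58b912829a2e4b4720c3a41e58dd29   /bar alice@hera digest
'aladdin''s lamp'       54ef36ec71201fdf9d1423fd26f97f6b /photo/private
"""
```

Filtering the result of parse_passwd on "format" == "old" lists the entries that still use the old format.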

Multiple user names in “$web/etc/passwd”

Only a single user name has been allowed for a protected directory. However, Windows does not allow a user name such as “alice” for WebDAV. Alice is forced to choose one of the following two user names:
	alice@host
	host\alice
where “host” is the domain name or the IP address of the domain.

One solution is to restrict user names to conform to one of the Windows formats.
The shortcoming is that a Mac/OSX user is then forced to enter a user name in Windows format.

Another solution is to allow multiple user names for a single path name.
An example is shown below.

alice    	...   /foo alice@hera
alice@host 	...   /foo alice@hera
where “...” is an MD5 sum.

Pegasus allows multiple user names for a single path name.

Path matching rule

See path matching for more information on how it is judged whether the requested path matches the third field. The judgment is made after all URI transformations. (This means the requested path has been transformed to the path of a file.)