[svnbook commit] r2919 - trunk/src/en/book
sussman
noreply at red-bean.com
Fri Dec 14 22:23:29 CST 2007
Author: sussman
Date: Fri Dec 14 22:23:28 2007
New Revision: 2919
Log:
* ch06-server-configuration.xml: mention Digest auth as an option.
Modified:
trunk/src/en/book/ch06-server-configuration.xml
Modified: trunk/src/en/book/ch06-server-configuration.xml
==============================================================================
--- trunk/src/en/book/ch06-server-configuration.xml (original)
+++ trunk/src/en/book/ch06-server-configuration.xml Fri Dec 14 22:23:28 2007
@@ -1679,7 +1679,7 @@
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect3 id="svn.serverconfig.httpd.authn.basic">
- <title>Basic HTTP Authentication</title>
+ <title>Setting Up HTTP Authentication</title>
<para>The easiest way to authenticate a client is via the
HTTP Basic authentication mechanism, which simply uses a
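Review bot: the retitled section now covers more than Basic auth, but its id stays `svn.serverconfig.httpd.authn.basic` and the opening sentence ("The easiest way to authenticate a client is via the HTTP Basic authentication mechanism") still reads as if Basic were the whole topic. Keeping the id is the right call for link stability, so instead add one lead sentence under the new title saying the section covers Basic first and then Digest, so the id/title mismatch does not confuse readers who land here from an old link.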
@@ -1764,12 +1764,43 @@
<para>One word of warning: HTTP Basic Auth passwords pass in
very nearly plain-text over the network, and thus are
- extremely insecure. If you're worried about password
- snooping, it may be best to use some sort of SSL encryption,
- so that clients authenticate via <literal>https://</literal>
- instead of <literal>http://</literal>; at a bare minimum,
- you can configure Apache to use a self-signed server
- certificate.
+ extremely insecure.</para>
+
+ <para>Another option is to not use Basic authentication
+ but <quote>Digest</quote> authentication instead. Digest
+ authentication allows the server to verify the client's
+ identity <emphasis>without</emphasis> passing the plaintext
+ password over the network. Assuming that the client and
+ server both know the user's password, they can verify that
+ the password is the same by using it to apply a hashing
+ function to a one-time bit of information. The server sends
+ a small random-ish string to the client; the client uses the
+ user's password to hash the string; the server then looks to
+ see if the hashed value is what it expected.</para>
+
+ <para>Configuring Apache for Digest authentication is also
+ fairly easy, and only a small variation on our prior
+ example. Be sure to consult Apache's documentation for full
+ details.</para>
+
+ <screen>
+<Location /svn>
+ DAV svn
+ SVNParentPath /var/svn
+ AuthType Digest
+ AuthName "Subversion repository"
+ AuthDigestDomain /svn/
+ AuthUserFile /etc/svn-auth-file
+ Require valid-user
+</Location>
+</screen>
+
+ <para>If you're looking for maximum security, then public-key
+ cryptography is the best solution. It may be best to use
+ some sort of SSL encryption, so that clients authenticate
+ via <literal>https://</literal> instead
+ of <literal>http://</literal>; at a bare minimum, you can
+ configure Apache to use a self-signed server certificate.
<footnote>
<para>While self-signed server certificates are still
vulnerable to a <quote>man in the middle</quote> attack,
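Review bot: the Digest example reuses `AuthUserFile /etc/svn-auth-file` from the Basic example, but a password file created with `htpasswd` will not work for `AuthType Digest`; the file must be created with `htdigest`, whose entries are `user:realm:hash`, and the realm given to `htdigest` must match `AuthName "Subversion repository"` exactly. Either point the example at a differently named file or add a sentence saying the file has to be regenerated with `htdigest` and the same realm. Related, the prose "Assuming that the client and server both know the user's password" overstates what the server holds: with `htdigest` the server stores only the hash of user, realm and password, which is the whole point of the scheme, so phrase it as "the server stores a hash derived from the password" rather than the password itself. Since the prior paragraph explicitly says to consult Apache's documentation, it is also worth noting there that the directive for naming the digest file differs between Apache releases. Finally, the closing paragraph drops the earlier warning's motivation: Digest protects the password in transit but a captured exchange can still be attacked offline with a dictionary, and nothing in Digest encrypts the repository data itself, so the SSL recommendation that follows should be framed as still applying after switching to Digest, and "public-key cryptography is the best solution" should say what is meant (an SSL-protected connection, with client certificates if desired) rather than naming the primitive.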