#87 ch06: mention 'htdigest' tool when mentioning digest auth

en-1.6
Fixed
nobody
None
Medium
Enhancement
2011-07-27
2010-07-13
Anonymous
No

Originally created by: suss...@google.com
Originally owned by: cmpilato

From O'Reilly errata page, reported by a user:

The book states that changing from Basic to Digest authentication requires minor modifications. In fact, it looks like one needs just to change the authentication type (AuthType) and to add the authentication domain (AuthDigestDomain). This is of course not the whole truth. One needs also to set up a new authentication file using *htdigest* instead of htpasswd. The authentication file generated by htpasswd will not work.

Discussion

  • Anonymous

    Anonymous - 2010-07-13

    Originally posted by: cmpilato

    Is 'htdigest' not just the same thing as 'htpasswd -m'?

     
  • Anonymous

    Anonymous - 2010-09-13

    Originally posted by: cmpilato

    (No comment was entered for this change.)

    Owner: ---

     
  • Anonymous

    Anonymous - 2011-01-03

    Originally posted by: quinntay...@mac.com

    I just ran into this same problem. No, 'htpasswd -m' uses MD5 encryption for passwords, but htdigest creates a different format of file. For one thing, it has the additional concept of a "realm".

    http://httpd.apache.org/docs/2.2/programs/htdigest.html
    http://httpd.apache.org/docs/2.2/programs/htpasswd.html

    Perhaps one reason for the wrong assumption is that Apache digest authentication uses MD5 as the algorithm for the challenge and response hashes, whereas the -m for htpasswd specifies how the password is stored. (Similarly, 'htpasswd -s' specifies SHA rather than MD5.)

    Updating the svnbook documentation to reflect this would be a nice step towards helping people use something more secure than Apache's basic authentication. I'd be happy to provide a patch with an example if needed.
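
The file-format difference described in the comment above, as an added example that is not part of the original thread or of the svnbook: it builds an entry in the `user:realm:MD5(user:realm:password)` layout that htdigest writes and audits a password file for lines that `AuthType Digest` could not use. The function names, the realm and the sample entries are assumptions made for illustration; the realm is assumed to be the value configured as `AuthName`.

```python
import hashlib
import re

# Layout htdigest writes: user:realm:MD5(user:realm:password) as 32 hex digits.
HTDIGEST_RE = re.compile(r"^[^:]+:[^:]+:[0-9a-f]{32}$")

def htdigest_entry(user, realm, password):
    """Build one line in the layout htdigest writes."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"

def classify(line):
    """Name the tool/format that produced a password-file line."""
    line = line.strip()
    if HTDIGEST_RE.match(line):
        return "htdigest"
    _user, sep, stored = line.partition(":")
    if sep and stored.startswith("$apr1$"):
        return "htpasswd -m"
    if sep and stored.startswith("{SHA}"):
        return "htpasswd -s"
    return "unknown"

def audit_digest_file(lines, realm):
    """Return (line number, user, problem) for entries unusable with AuthType Digest."""
    problems = []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        kind = classify(line)
        if kind != "htdigest":
            problems.append((number, fields[0], f"{kind} format, not htdigest"))
        elif fields[1] != realm:
            problems.append((number, fields[0], f"realm {fields[1]!r} != {realm!r}"))
    return problems

# Constructed sample file; the salted and SHA values are placeholders, not real hashes.
REALM = "Subversion repository"
SAMPLE_FILE = [
    htdigest_entry("alice", REALM, "constructed-password"),
    "bob:$apr1$CONSTRUCT$placeholderplaceholder00",
    "carol:{SHA}cGxhY2Vob2xkZXItbm90LWEtaGFzaA==",
    htdigest_entry("dave", "Old realm", "constructed-password"),
]

if __name__ == "__main__":
    for problem in audit_digest_file(SAMPLE_FILE, REALM):
        print(problem)
```

Because the realm is hashed into each entry, changing the realm later invalidates existing entries, which is the case the fourth sample line covers.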

     
  • Anonymous

    Anonymous - 2011-01-05

    Originally posted by: cmpilato

    A patch would be great, thanks!

    Labels: Milestone-en-1.6

     
  • Anonymous

    Anonymous - 2011-01-07

    Originally posted by: quinntay...@mac.com

    Sorry the diff took a little longer than expected. In addition to improving the Digest authentication section, I also made various other improvements, including expanding the SSL section and moving it below Authorization. I verified that the book builds with these changes, and the XML appears valid. I hope they are helpful. Best regards!

     
  • Anonymous

    Anonymous - 2011-04-12

    Originally posted by: quinntay...@mac.com

    Bump. I included a complete diff for this 3 months ago. Is there anything I can do to help move forward? Making digest mode easier to understand and configure (and promoting it as the preferred method) would be a big step forward from a security standpoint.

     
  • Anonymous

    Anonymous - 2011-04-12

    Originally posted by: cmpilato

    Sorry for the delay.  I'm trying to focus on getting Subversion 1.7 out the door these days, so haven't been paying much attention to the book.  Thanks for the patch -- that will help a lot.

    In the future, I would suggest limiting individual patches to a single logical change (and I think you'll find this recommendation to be fairly universal in open-source projects).   So, you'd have a patch to improve the Digest section.  Another to improve the SSL section.  And then maybe just a verbal suggestion to move the new SSL section wholesale to below the Authorization bit.

    But please don't feel compelled to re-submit in that fashion now.

     
  • Anonymous

    Anonymous - 2011-06-28

    Originally posted by: cmpilato

    (No comment was entered for this change.)

    Owner: cmpilato

     
  • Anonymous

    Anonymous - 2011-07-05

    Originally posted by: cmpilato

    Shoot.  Patch no longer applies cleanly.

     
  • Anonymous

    Anonymous - 2011-07-05

    Originally posted by: quinntay...@mac.com

    Since the patch now needs to be revised to resolve conflicts (introduced by other changes over the 6 months since I submitted it) I might as well break it into a few patches if that helps with clarity. Please let me know what you want to see and I will take care of it.

     
  • Anonymous

    Anonymous - 2011-07-06

    Originally posted by: cmpilato

    Wow!  I didn't expect you'd be so willing to resubmit the patch (given that it's not your fault it doesn't apply).  But since you asked...

    I think your original change description pretty much dictates how one might deliver a series of focused patches:

       "In addition to improving the Digest authentication section, I also made
       various other improvements, including expanding the SSL section and moving
       it below Authorization."

    So:

    Patch #1: Improve the Digest auth section.
    Patch #2: Expand the SSL section.
    Patch #3: Move the SSL section below Authorization.

    If it was me, I'd whip up a little Subversion repository and check in successive copies of the file as I reached each of the above milestones, then create patches from diffs of successive revisions.  (Also known as "really poor man's really poor approximation of DVCS".)  Alternatively, you could just send the first patch and wait for me to apply it before moving on to the next one.  (I'm actively working on the book these days, so you shouldn't suffer any long delays here.)

     
  • Anonymous

    Anonymous - 2011-07-06

    Originally posted by: cmpilato

    While you're whipping the SSL section into shape, perhaps you'd consider integrating the comments suggested in issue #72 as well?  (If you do, please let me know so I can give credit to that reporter, too.)  Thanks!

     

    Related

    Tickets: #72

  • Anonymous

    Anonymous - 2011-07-06

    Originally posted by: cmpilato

    (No comment was entered for this change.)

    Summary: ch06: mention 'htdigest' tool when mentioning digest auth

     
  • Anonymous

    Anonymous - 2011-07-06

    Originally posted by: quinntay...@mac.com

    Sure thing, here are a pair of diffs for the SSL section.

    The first moves the SSL section to below Authentication section and adds a tip to svn.serverconfig.httpd.authn which links to the new section.

    The second depends on the first, introduces subsections and improves the description, including a fix for issue #72 (which incorporates and expands on the feedback in that issue).

    Since these are unrelated to htdigest, perhaps they should both be related to #72 instead?

    - Quinn

     

    Related

    Tickets: #72

  • Anonymous

    Anonymous - 2011-07-07

    Originally posted by: cmpilato

    Okay, these two patches have been applied and committed (with minor tweaks).  Thanks!  I guess now we need only the digest-related changes, right?

     
  • Anonymous

    Anonymous - 2011-07-07

    Originally posted by: quinntay...@mac.com

    I revised my changes related to svn.serverconfig.httpd.authn (including both Basic and Digest authentication) and included a few additional related changes in other sections to improve consistency and readability. Attached is a diff against rev 3897.

    There were a few spots which switched to <example> / <programlisting>, but they were inconsistent with the rest of the file, which uses <informalexample> / <screen> for httpd.conf and svnserve.conf configuration.

     
  • Anonymous

    Anonymous - 2011-07-08

    Originally posted by: cmpilato

    <programlisting> is more accurate when displaying file contents, where we try to use <screen> for command-line transcripts.  There are inconsistencies of this sort in the source code today, but that's outside the scope of your content improvements.

    As with </screen>, </programlisting> should be aligned with column zero of the source code.  (If indented, those spaces are treated as literal contents of the listing.)

    Please don't switch formal <example>'s to <informalexample>'s!  Besides losing the ability to caption the example, we lose the ability to reference the example from elsewhere (including the table of contents).  In fact, over time, I'd like to do more of the reverse conversion where it makes sense to do so.

    I guess, in summary, maybe you could focus on content changes rather than markup ones?  :-)

     
  • Anonymous

    Anonymous - 2011-07-08

    Originally posted by: quinntay...@mac.com

    I figured that <screen> was for command-line I/O, but didn't realize that <programlisting> should be used for all files. I saw that it was used for scripts, but config files are sort of a gray area. I only indented the latter because some instances were already indented. I prefer the look when the closing tag is left-aligned.

    I can preserve the <example>'s you've recently added, although to be honest, it seems a bit heavy-handed to caption and reference such examples, particularly in a chapter where there are so many little snippets. Further, all 12 of the other <example> tags in other chapters contain code (e.g. C, Python, bash, .bat) rather than config. It's your call, but personally I think this chapter flows much better with <informalexample>.

    Sure, I can focus on content, I was just trying to help improve the markup as I went. :-)

    In the spirit of separating markup and content, here is a diff that replaces <screen> with <programlisting> for file contents throughout this chapter.

     
  • Anonymous

    Anonymous - 2011-07-08

    Originally posted by: cmpilato

    You are *killing* me with inconsistent 'svn diff' roots, man!  (The typical project recommendation is to perform all diffs from the root of the branch, in this case the /trunk directory itself.)  Still, I appreciate the patches, so this is only a half-complaint. :-)

     
  • Anonymous

    Anonymous - 2011-07-08

    Originally posted by: cmpilato

    By the way, I don't recall adding any <example>'s recently.  As you can see near the bottom of http://svnbook.red-bean.com/en/1.0/, the examples from Chapter 6 have been around since the book's beginning.  To be clear, I'm *not* saying we should caption every example -- it's just that there are some (such as the ones already so captioned) which make for useful quick-references for folks not looking to read the whole chapter.

     
  • Anonymous

    Anonymous - 2011-07-08

    Originally posted by: cmpilato

    Committed the screen-to-programlisting.diff patch in [r3902], minus the last hunk which, technically, *was* screen output (a transcript of running 'cat' -- sneaky, sneaky, and a prime candidate for <example>-ification, by the way).  Thanks, again!

     
  • Anonymous

    Anonymous - 2011-07-27

    Originally posted by: cmpilato

    . o O ( Where, oh where, did Quinn go? )

    I'm going to try to manually apply the htdigest-related patch portions.  Wish me luck.

     
  • Anonymous

    Anonymous - 2011-07-27

    Originally posted by: quinntay...@mac.com

    Sorry, been working crazy hours for an upcoming product release deadline. My recent patches were submitted while on vacation. :-) I can spare a few minutes later today to get the patch fixed up if you want to wait.

     
  • Anonymous

    Anonymous - 2011-07-27

    Originally posted by: cmpilato

    Actually, I was able to make the htdigest patch apply with some relatively painless hand-editing of the patch file.  Just reviewing the final results now.

     