Add support for HTTP Digest Access Authentication

[neirbowj]

In the interests of defense-in-depth, this feature request is for "Digest Auth" on the front end of the server so that the user's password is never sent to the server. This would limit exposure of secrets in the event that a client is tricked into connecting to an inauthentic server, as might happen on a network with a captive portal or transparent proxy, not to mention various attack scenarios. While there are known effective attacks against Digest Auth, it is a significant improvement over Basic Auth. My hope is that this request might focus attention on architecture work that will pave the way to stronger front-end authentication protocols in the future.

Thank you for your kind attention and your contributions to the world of free, open source software.

[pbiering]

this requires cleartext passwords on server side and they need to be protected by a master password then: https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html

[neirbowj]

@pbiering, thank you for your attention to this feature request.

I'm having trouble understanding what the label, need support, means. The list of labels includes no description for it. Is there something I could do to help?

[pbiering]

@neirbowj, updated some label decription, in this case contribution is required by others to implement support of the feature, it would need

• code extension to handle DigestAuthentication
• starting with insecure implementation using cleartext password from htpasswd file
• finally add support of a master secret(s) in configuration, which imho requires also a cli tool to manage - for storing one can think of using a special prefix for htpasswd file like e.g.

exampleuser:{ENC/KEY/<number>}<base64-encoded cryptogram>