
In Apache 2.4, when using both mod_autoindex and mod_auth_basic on a directory, the indexing of that directory causes mod_auth_basic to perform a password hash and lookup from scratch once for every single file/subdirectory in the directory.

If using a strong password storage hash like high-cost bcrypt, this can cause huge delays. Moreover, this behavior is unnecessary, since all files are under the same authentication settings, and so the user and groups need only be confirmed once. Confirming multiple times dramatically and artificially increases the local cost of strong password hashing with no security benefit, greatly reducing overall security by forcing the use of lower cost algorithms.

My question is: How can I inhibit this behavior?

How can I make mod_autoindex make only a single call to the password authentication library?

Here's an example which has the problem:

<VirtualHost *:443>

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/mycert.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mykey.key

    <Directory "/webdata/doc">

        AuthType basic
        AuthName "Safe Documents"
        AuthBasicProvider file
        AuthUserFile passwd/docuemnts_users.passwd
        require valid-user
        Options +Indexes

    </Directory>

</VirtualHost>
Pi Marillion

1 Answer


Following the Apache httpd request handling code, that does not seem to be the case. If I'm reading it right, the authentication/authorization is done once for the main request.

The mod_autoindex module will work in the output chain to generate the content, once it has been authorized to do so. The only authorization-like code in mod_autoindex.c is to check if it's allowed to generate the index or not.

If you've profiled the code with debugging symbols and everything, please post your findings.

gtirloni
  • What I did was set up an account with a bcrypt password hash which takes 1.02 seconds to compute on my system (Ubuntu 14.04), and then check how long loading different directories takes over Firefox (just the ping on the page, not other content like images). What I found was that the time taken is 1 second for any static file or CGI script, but (1 + n) seconds for directories, where n is the number of items listed in the directory. This seemed rather conclusive, especially because it was repeatable for different bcrypt hash times. – Pi Marillion Sep 09 '14 at 21:53
  • I can only think this is a bug because it's totally unnecessary to check the hash for each directory entry, if no access was attempted. Perhaps you could file a bug report http://httpd.apache.org/bug_report.html – gtirloni Sep 10 '14 at 11:26
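A way to reproduce the timing measurement described in the comments, as an added example that is not part of the question or the answer: it fetches one static file and one directory listing with the same Basic credentials, counts the listed entries, and reports the extra seconds per entry (about one hash verification each if the (1 + n) pattern holds). The URLs, user name and the sample listing are constructed placeholders, not values from the asker's server.

```python
import base64
import re
import sys
import time
import urllib.request

# Constructed sample of a mod_autoindex page (not captured from any real server), so
# count_index_entries() can be exercised offline; includes the column-sort link and the
# parent-directory link that FancyIndexing emits, neither of which is a real entry.
SAMPLE_INDEX_HTML = """<html><body><h1>Index of /doc</h1>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="report.pdf">report.pdf</a>
<a href="notes.txt">notes.txt</a>
<a href="archive/">archive/</a>
</body></html>"""

# Entry links are relative names; sort links start with '?' and never match.
ENTRY_RE = re.compile(r'<a href="([^"?]+)"', re.IGNORECASE)

def count_index_entries(html):
    """Number of files/subdirectories listed, ignoring the parent link (absolute path)."""
    return sum(1 for h in ENTRY_RE.findall(html) if not h.startswith(("/", "../")))

def timed_get(url, user, password, timeout=300):
    """GET url with HTTP Basic credentials; return (status, elapsed_seconds, body)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
        status = resp.status
    return status, time.monotonic() - start, body

def per_entry_overhead(file_seconds, dir_seconds, entries):
    """Extra seconds per listed entry beyond the single-file cost."""
    return 0.0 if entries == 0 else (dir_seconds - file_seconds) / entries

def main(argv):
    # Usage (placeholders): python3 autoindex_timing.py FILE_URL DIR_URL USER PASSWORD
    file_url, dir_url, user, password = argv[1:5]
    _, file_s, _ = timed_get(file_url, user, password)
    _, dir_s, listing = timed_get(dir_url, user, password)
    n = count_index_entries(listing)
    print(f"file: {file_s:.2f}s  directory: {dir_s:.2f}s  entries: {n}  "
          f"per-entry overhead: {per_entry_overhead(file_s, dir_s, n):.2f}s")

if __name__ == "__main__":
    main(sys.argv)
```

Run it against a directory with a known number of entries and compare the per-entry overhead with the measured cost of one bcrypt verification on the same machine.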