Thursday, 18 June 2009 13:51
Digest authentication is more secure than Basic authentication because, with digest authentication, the password is never sent across the network in the clear; the client always transmits an MD5 digest derived from the user's password instead. The password therefore cannot be determined by sniffing network traffic.

Resources:

Debian 5 Lenny

Apache 2.2.9

Enable mod_auth_digest and disable mod_auth_basic

Apache module auth_digest is not enabled by default, so enable it first:

a2enmod auth_digest
And disable Apache module auth_basic, because you don't need it:
a2dismod auth_basic
Restart Apache:
/etc/init.d/apache2 restart

Create or modify the password file

Create the file to store username, realm and password for digest authentication of users:

htdigest -c passwdfile realm username
Example:
htdigest -c /usr/local/etc/apache/auth SecretArea john
htdigest will ask for the desired password, and then ask for it again to confirm it.
-c option

The -c option creates the passwdfile. If passwdfile already exists, it is deleted first and recreated.

Omit the -c flag in order to add new user/realm/password information to an existing passwdfile, or to modify an existing user/realm/password entry in the passwdfile:

htdigest passwdfile realm username
Example:
htdigest /usr/local/etc/apache/auth SecretArea joe
passwdfile

passwdfile is the name of the file to contain the username, realm and password.

Example passwdfile name and location: /usr/local/etc/apache/auth

You can name passwdfile any way you want, but place it somewhere outside of the public document directory.

The password is stored in the passwdfile in encrypted form, so that users on the system will not be able to read the file and immediately determine the passwords of all the users. Nevertheless, you should store the file in as secure a location as possible, with the most restrictive file permissions that still let the web server read it.

chown root:www-data /usr/local/etc/apache/auth
chmod 640 /usr/local/etc/apache/auth
In the passwdfile the data is stored in the following format: username:realm:encrypted password

Example content of passwdfile:
john:SecretArea:97hhkPTZaoao
john:SalesArea:lkPUoosdf21k
joe:SecretArea:uetzRGh54Lko
mary:SalesArea:tzfgaKKL54po
mary:HRArea:aduURF7KL7hb
As you can see, the same user can be added to several realms, with the same or a different password in each.
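To make the passwdfile format above (and the first paragraph's point that only a digest crosses the wire) concrete, here is an added example in Python that is not part of the original post: it builds entries the way htdigest does and then verifies a client's Digest response using nothing but the stored hash. It assumes the standard htdigest file format (third field is MD5 of user:realm:password as hex) and the RFC 2617 qop=auth response formula; all sample users, passwords and nonces are constructed.

```python
import hashlib
import hmac

def md5_hex(s):
    """Hex MD5, the primitive Digest authentication is built on."""
    return hashlib.md5(s.encode()).hexdigest()

def htdigest_entry(user, realm, password):
    """One passwdfile line as htdigest writes it: user:realm:MD5(user:realm:password)."""
    return f"{user}:{realm}:" + md5_hex(f"{user}:{realm}:{password}")

def add_or_replace(lines, user, realm, password):
    """htdigest without -c: replace an existing user/realm entry or append a new one."""
    prefix = f"{user}:{realm}:"
    kept = [line for line in lines if not line.startswith(prefix)]
    return kept + [htdigest_entry(user, realm, password)]

def lookup_ha1(lines, user, realm):
    """Return the stored hash for user in realm, or None (other realms don't match)."""
    for line in lines:
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[0] == user and parts[1] == realm:
            return parts[2]
    return None

def client_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The response= value a browser sends (RFC 2617, qop=auth); the password itself never leaves the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(lines, user, realm, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored HA1 alone and compare in constant time."""
    ha1 = lookup_ha1(lines, user, realm)
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample passwdfile for two of the post's users in realm SecretArea.
    pwfile = add_or_replace([], "john", "SecretArea", "jpass")
    pwfile = add_or_replace(pwfile, "joe", "SecretArea", "joepass")
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = client_response("john", "SecretArea", "jpass", "GET", "/secret/", nonce, nc, cnonce)
    ok = server_verify(pwfile, "john", "SecretArea", "GET", "/secret/", nonce, nc, cnonce, resp)
    print("\n".join(pwfile), "\nclient response:", resp, "\nvalid:", ok)
```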
realm

Each protected area of a website (or a server) is called a realm. The protected area could be a directory (and all its subdirectories) or an individual file.

When the server challenges a client for credentials, it provides the name of the realm so the client can figure out which credentials to send.
The client will pop up a dialogue box for the end-user to complete. This box will display the name of the realm and ask the user for a username and password.

The name of a realm is specified in the passwdfile and in the Apache configuration files with the AuthName directive.

Set the configuration to use the passwdfile

Once you have created a passwdfile, you need to tell Apache about it in order to start using it as a source of authenticated user information.

This configuration is done with the following directives:

AuthType - The authentication type being used. In this case, it will be set to Digest.
AuthName - The realm, which must match a realm defined in the passwdfile.
AuthDigestProvider - The authentication provider for this location. In this case, it will be set to file.
AuthUserFile - The location of the passwdfile.
Require - The requirement(s) which must be satisfied in order to grant admission.

These directives may be placed in a .htaccess file, or may go in the Apache config file (for example /etc/apache2/sites-available/your-sitename), in a section or another scope container.

Example Apache config:

AuthType Digest
AuthName "SecretArea"
AuthDigestProvider file
AuthUserFile /usr/local/etc/apache/auth
Require valid-user

The above example defines a realm called "SecretArea". The password file located at /usr/local/etc/apache/auth will be used to verify the user's identity. Only users named john or joe will be granted access, if they provide a password that matches the one stored in the passwdfile (john and joe are the users added to realm "SecretArea" in the example passwdfile shown in the "Example content of passwdfile" section).

The phrase "SecretArea" will be displayed in the password pop-up box, where the user will have to type their credentials.

When the configuration is done, reload Apache:

/etc/init.d/apache2 reload

And test the protected website area.

Read more in the Apache documentation for mod_auth_digest and htdigest.

Last Updated ( Thursday, 18 June 2009 15:57 )