WebDAV authentication scheme support

Looking at our server error logs, it appears that odrive only supports the WebDAV Basic authentication scheme. This is unfortunate, as the username and password are sent as cleartext unless the WebDAV server forces an https connection. The “Require valid SSL certificate” option in the odrive connection setup mitigates the risk to some extent, but I hesitate to count on all users making sure it is checked. Non-business users may also have problems, if they are connecting to a NAS or other device without a valid cert.

A solution has been available for almost 20 years - Digest authentication, which uses hashes rather than the password itself. NTLM authentication is better still since it adds encryption to the mix. Adding the option of using something other than Basic authentication for WebDAV shares would improve security.

Hmm… this is odd because we do support digest auth. When you attempt to use digest is it throwing an error? Going to run a few tests on our QA WebDAV instance now.

Apache throws the following error:
[auth_digest:error] [pid 14216] [client xxx.xxx.xxx.xxx:xxxxx] AH01781: client used wrong authentication scheme 'Basic': /<Location>

This is expected since we probe basic first, then switch to digest if that fails. Can you see if another PROPFIND request is performed after that error in the Apache access logs?

I just tested on our Apache WebDAV server with digest and it is working as expected.

Tony,

Right you are. A PROPFIND appeared in the domain log for each access.

Could odrive default to trying NTLM or digest auth if the “Require valid SSL certificate” option is not checked?

:slight_smile: After testing this earlier I submitted a change request to always default to digest with a fallback to basic.

Is digest working for you now, or are you still having issues?

Digest works fine. Odrive managed to sync WebDAV folders. I just was not smart enough to check the main Apache logs to figure out what occurred after the initial Basic auth attempt.

1 Like
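The log check discussed in this thread, as an added example that is not part of any post above: it pairs each AH01781 "wrong scheme 'Basic'" error with an authenticated PROPFIND from the same client shortly afterwards, so an admin can tell which clients fell back to Digest and which never retried. The log lines are constructed samples; the access log is assumed to be in Apache's common log format, and both logs are assumed to use the same clock and timezone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread); IPs are documentation ranges.
ERROR_LOG = """\
[Tue Mar 07 10:15:01.120000 2017] [auth_digest:error] [pid 14216] [client 192.0.2.10:51234] AH01781: client used wrong authentication scheme 'Basic': /webdav
[Tue Mar 07 10:16:40.500000 2017] [auth_digest:error] [pid 14217] [client 198.51.100.7:40022] AH01781: client used wrong authentication scheme 'Basic': /webdav
"""
ACCESS_LOG = """\
192.0.2.10 - - [07/Mar/2017:10:15:01 +0000] "PROPFIND /webdav HTTP/1.1" 401 381
192.0.2.10 - alice [07/Mar/2017:10:15:01 +0000] "PROPFIND /webdav HTTP/1.1" 207 1542
198.51.100.7 - - [07/Mar/2017:10:16:40 +0000] "PROPFIND /webdav HTTP/1.1" 401 381
"""

ERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_digest:error\] \[pid \d+\] "
    r"\[client (?P<ip>\S+?):\d+\] AH01781: client used wrong authentication "
    r"scheme [`'](?P<scheme>\w+)': (?P<uri>\S+)")
ACC_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>\S+) [^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def classify_probes(error_log, access_log, window=timedelta(seconds=5)):
    """Map (client ip, uri) of each Basic probe to what happened next."""
    # Authenticated 2xx PROPFINDs. The location is Digest-protected (mod_auth_digest
    # logged the error), so a logged user name here means Digest succeeded.
    hits = []
    for line in access_log.splitlines():
        m = ACC_RE.match(line)
        if m and m["method"] == "PROPFIND" and m["user"] != "-" and m["status"][0] == "2":
            hits.append((m["ip"], m["uri"],
                         datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")))
    result = {}
    for line in error_log.splitlines():
        m = ERR_RE.match(line)
        if not m or m["scheme"] != "Basic":
            continue
        # Access log timestamps have one-second resolution, so truncate.
        t = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y").replace(microsecond=0)
        ok = any(ip == m["ip"] and uri == m["uri"] and t <= ts <= t + window
                 for ip, uri, ts in hits)
        result[(m["ip"], m["uri"])] = "fell back to Digest" if ok else "no authenticated retry"
    return result

if __name__ == "__main__":
    for key, outcome in classify_probes(ERROR_LOG, ACCESS_LOG).items():
        print(key, outcome)
```

A client reported as "no authenticated retry" sent Basic credentials and never completed Digest, which is the case worth following up when the connection is not forced onto https.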