authelia/docs/content/en/configuration/first-factor/file.md

115 lines
4.1 KiB
Markdown
Raw Normal View History

---
title: "File"
description: "File"
lead: "Authelia supports a file based first factor user provider. This section describes configuring this."
date: 2022-03-20T12:52:27+11:00
draft: false
images: []
menu:
configuration:
parent: "first-factor"
weight: 102300
toc: true
aliases:
- /docs/configuration/authentication/file.html
---
## Configuration
```yaml
authentication_backend:
file:
path: /config/users.yml
password:
algorithm: argon2id
iterations: 3
key_length: 32
salt_length: 16
parallelism: 4
memory: 64
```
## Options
### path
{{< confkey type="string" required="yes" >}}
The path to the file with the user details list. Supported file types are:
* [YAML File](../../reference/guides/passwords.md#yaml-format)
### password
#### algorithm
{{< confkey type="string" default="argon2id" required="no" >}}
Controls the hashing algorithm used for hashing new passwords. Value must be one of:
* `argon2id` for the [Argon2] `id` variant
* `sha512` for the [SHA Crypt] `SHA512` variant
#### iterations
{{< confkey type="integer" required="no" >}}
Controls the number of hashing iterations done by the other hashing settings ([Argon2] parameter `t`, [SHA Crypt]
parameter `rounds`). This affects the effective cost of hashing.
| Algorithm | Minimum | Default | Recommended |
|:---------:|:-------:|:-------:|:------------------------------------------------------------------------------------------:|
| argon2id | 1 | 3 | [See Recommendations](../../reference/guides/passwords.md#recommended-parameters-argon2id) |
| sha512 | 1000 | 50000 | [See Recommendations](../../reference/guides/passwords.md#recommended-parameters-sha512) |
#### key_length
{{< confkey type="integer" default="32" required="no" >}}
*__Important:__ This setting is specific to the `argon2id` algorithm and unused with the `sha512` algorithm.*
Sets the key length of the [Argon2] hash output. The minimum value is `16` with the recommended value of `32` being set
as the default.
#### salt_length
{{< confkey type="integer" default="16" required="no" >}}
Controls the length of the random salt added to each password before hashing. There is not a compelling reason to have
this set to anything other than `16`, however the minimum is `8` with the recommended value of `16` being set as the
default.
#### parallelism
{{< confkey type="integer" default="4" required="no" >}}
*__Important:__ This setting is specific to the `argon2id` algorithm and unused with the `sha512` algorithm.*
Sets the number of threads used by [Argon2] when hashing passwords ([Argon2] parameter `p`). The minimum value is `1`
with the recommended value of `4` being set as the default. This affects the effective cost of hashing.
#### memory
{{< confkey type="integer" default="64" required="no" >}}
*__Important:__ This setting is specific to the `argon2id` algorithm and unused with the `sha512` algorithm.*
Sets the amount of memory in megabytes allocated to a single password hashing calculation ([Argon2] parameter `m`). This
affects the effective cost of hashing.
This memory is released by go after the hashing process completes, however the operating system may not reclaim the
memory until a later time such as when the system is experiencing memory pressure which may cause the appearance of more
memory being in use than Authelia is actually actively using. Authelia will typically reuse this memory if it has not be
reclaimed as long as another hashing calculation is not still utilizing it.
## Reference
A [reference guide](../../reference/guides/passwords.md) exists specifically for choosing password hashing values. This
section contains far more information than is practical to include in this configuration document. See the
[Passwords Reference Guide](../../reference/guides/passwords.md) for more information.
This guide contains examples such as the [User / Password File](../../reference/guides/passwords.md#user--password-file).
[Argon2]: https://www.rfc-editor.org/rfc/rfc9106.html
[SHA Crypt]: https://www.akkadia.org/drepper/SHA-crypt.txt