HOWTO - htpasswd
Brett Lee
=============================================================================
* Table of Contents *
A. OVERVIEW OF FINDINGS
B. CONFIGURATION
C. TESTING
D. UPDATING htpasswd / htaccess
***********************************************************************
For online information, you may want to look at:
NCSA:
http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
or:
http://www.dnai.com/helpdesk/publishing/yourwebsite/htpasswd.html
***********************************************************************
A. OVERVIEW OF FINDINGS
***********************
This method of limiting access to files appears to be reasonably secure.
There are two steps to setting up password authentication via Apache.
Additionally, when I installed this on Red Hat Linux 6.0, it did not run
immediately. There were some configuration changes that needed to be made
to the Apache files. But, once these changes were made, it ran smoothly.
The only down side I could see was that it protected a whole directory,
but the problems associated with that are, in most cases, trivial.
Another method to accomplish this would involve running a Perl script from a
server. Yes, you can even do it with client side Javascript, but it sucks.
B. CONFIGURATION
*****************
NOTE: We assume that the following lines are in your httpd.conf file:
#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
Back to our configuration...
The two things to do:
1. Make a configuration file (.htaccess) in the directory to be protected.
2. Make at least one password file someplace (can do more if desired).
STEP 1 - .htaccess
The .htaccess file should contain basic information including the location of
the controlling password file and which users are allowed. I changed the file
permissions to "644" so that it was world readable.
Here are two samples (note that Apache only accepts comments on lines of their
own, never after a directive on the same line):
Sample 1
-----------------
# FULL PATH to password file
AuthUserFile /home/brett/.htpasswd
# groups not used
AuthGroupFile /dev/null
# title (the realm name shown in the browser's login prompt)
AuthName TopSecretWork
# type
AuthType Basic
# NOTICE: allow all users with a valid id
require valid-user
<Limit GET>
order deny,allow
allow from all
</Limit>
Sample 2
------------------
# location of password file
AuthUserFile /home/brett/.htpasswd
# groups not used
AuthGroupFile /dev/null
# title
AuthName NearlyTopSecretWork
# type
AuthType Basic
<Limit GET>
# NOTICE: only brett or elvis are allowed in
# (a <Limit GET> section only restricts GET and HEAD requests; place the
# require directive outside <Limit> if every request method must be covered)
require user brett elvis
</Limit>
STEP 2 - .htpasswd
Change to the directory where the password file will be kept
and create the file. It only needs to be created once (of course). After
that, the command to edit it is slightly different.
htpasswd -c .htpasswd brett # -c creates a NEW file (overwriting any existing one) and adds brett
htpasswd .htpasswd elvis    # updates the existing file and adds elvis
STEP 3 - AllowOverride
From: httpd.conf
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
Typically, directories are set up with "AllowOverride None", therefore
you need to set up your directory to allow override. Like this:
<Directory /data/photos>
Options FollowSymLinks Indexes Includes
# Required for .htaccess
AllowOverride All
</Directory>
C. TESTING / DEBUGGING
**************************
To test it, simply try to access it from a browser. If you have luck like me,
it won't work the first time. However, after editing the configuration files
and restarting the server it worked properly. Red Hat 6.0 uses access.conf,
srm.conf and httpd.conf configuration files, so to make the necessary
changes to the configuration files I edited srm.conf and added the following
lines after the "AccessFileName" entry:
AccessConfig /dev/null
ResourceConfig /dev/null
Don't forget to restart the server...
D. UPDATING htpasswd / htaccess
********************************
It seems that once a user enters a valid username / password, they are not
prompted each time. Instead, the browser stores the credentials and sends them
along with each subsequent request for that realm, and the server checks them
against the password file every time. However, the admin can still limit
access to a directory by changing passwords or deleting the user from the
.htpasswd file, since each request is checked against the file again.
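To show how the pieces of this HOWTO fit together, here is an added example that is not part of the original HOWTO: it parses a constructed .htpasswd file in the {SHA} form written by "htpasswd -s", decodes the Authorization: Basic header that the browser resends on every request (section D), and applies either "require valid-user" (Sample 1) or "require user brett elvis" (Sample 2). The function names, sample users and passwords are assumptions; the crypt() and $apr1$ entries the htpasswd tool writes by default are not implemented.

```python
import base64
import hashlib
import hmac
# Constructed sample .htpasswd in the "{SHA}" form that "htpasswd -s" writes:
# "{SHA}" + base64(sha1(password)). crypt()/$apr1$/bcrypt entries are not handled.
def sha_entry(password: str) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

SAMPLE_HTPASSWD = f"brett:{sha_entry('top-secret')}\nelvis:{sha_entry('hound-dog')}\n"
def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash; blank lines and '#' comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def check_password(stored: str, password: str) -> bool:
    if stored.startswith("{SHA}"):  # constant-time compare, no timing leak
        return hmac.compare_digest(stored, sha_entry(password))
    return False  # unknown hash format: refuse rather than accept

def basic_header(user: str, password: str) -> str:
    """What the browser resends on every request once it holds the credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header: str):
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8: reject the header
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authorize(htpasswd_text: str, header: str, allowed_users=None) -> bool:
    """None = 'require valid-user'; a set of names = 'require user a b'."""
    creds = parse_basic_header(header or "")
    if creds is None:
        return False
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not check_password(stored, password):
        return False
    return allowed_users is None or user in allowed_users
```

Note that the base64 in the header is an encoding, not encryption: Basic credentials travel in the clear on every request unless the connection uses TLS.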
Good Luck!
-Brett