Securing Your Web Server, Part 3

By Chuck Musciano, Unix Insider |  Security, Network access control

The httpd password model closely parallels the Unix password
scheme. That is, you can define individual users who are given access
to a set of documents, and you can define groups of users to be granted
access. Two files, one listing the users and their hashed passwords and
another listing the groups, are referenced from each directory you want
to protect; several protected directories may share the same two files.

A simple example

The easiest way to see how password protection works is to look at a
simple example.

Suppose we have a directory whose contents are to be restricted to three
users: larry, curly, and moe. As a first step, within this directory,
create a .htaccess file that looks like this:

     AuthUserFile /someplace/else/htpasswd
     AuthGroupFile /dev/null
     AuthName Stooges
     AuthType Basic

     <Limit GET POST>
     require user larry curly moe
     </Limit>

Yikes! What does all this mean? Don't panic; it all makes sense:


  • The AuthUserFile is the full pathname of the file
    containing the password entries for your
    authorized users. Keep this file entirely outside the server's
    document tree, not merely in a different subdirectory of it;
    otherwise, anyone who guesses the URL can download your
    password file and attempt to crack your passwords offline. We'll see
    how to create this file a little later.



  • The AuthGroupFile is not needed here, so we set it to
    /dev/null.



  • The AuthName defines the name of the security
    realm for these documents. This name may be presented to the
    user by the browser when they are prompted for the password, and it is
    often cached by the browser so that a user need not be prompted more
    than once for the same password for other documents in the same realm.
    Use some name that indicates to the user the scope of these documents.



  • The AuthType defines the type of authentication being
    performed. Depending on your server, you may have many choices. The
    most common and widely supported is Basic.

  • The <Limit> block names the HTTP methods to which the enclosed
    require directive applies; the directive itself lists the users who
    may get in. Methods not named in the block are not checked at all,
    so a block that covers only GET leaves POST, and any other method the
    server answers, open to anyone. Name every method your server will
    honor, or, on servers that allow it (Apache does), place require
    outside any <Limit> block, or use Apache's <LimitExcept>, so that it
    applies to every method.

Once this file is in place, any request for a document in this
directory will cause the browser to prompt the user for a user name and
password, which it sends to the server. With Basic authentication they
travel base64-encoded, not encrypted, so anyone who can read the
connection can read them; use an encrypted connection if the passwords
matter. The server checks that the user name is defined in the
AuthUserFile, verifies that the password matches the stored entry, and
finally checks that the user name is one of "larry", "curly", or "moe".
If all three tests succeed, the user is granted access; otherwise the
request is refused.
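The three tests just described, the effect of the <Limit> block on them, and the advice to keep the AuthUserFile out of the document tree, as an added example in Python; this is not code from the article or from any httpd, and every user name, password and path in it is constructed for the demonstration. It stores hashes in the {SHA} htpasswd format (base64 of SHA-1, what `htpasswd -s` writes) only because that needs no third-party library; it is an unsalted hash, so prefer bcrypt (`htpasswd -B`) on a real server.

```python
"""Model of the server-side checks behind an .htaccess Basic-auth setup.
Added example; not the article's code.  Names, passwords and paths are
constructed for the demo, and the {SHA} hash is used for portability only."""
import base64
import hashlib
import hmac
import os.path

# Mirrors `require user larry curly moe` from the .htaccess above.
REQUIRE_USERS = {"larry", "curly", "moe"}


def sha_hash(password: str) -> str:
    """Hash a password the way `htpasswd -s` does: '{SHA}' + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_entry(user: str, password: str) -> str:
    """One AuthUserFile line: 'user:hash'."""
    return f"{user}:{sha_hash(password)}"


def load_htpasswd(text: str) -> dict:
    """Parse AuthUserFile contents into {user: stored_hash}; skip blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries


def check_password(stored: str, password: str) -> bool:
    """Constant-time comparison of a candidate against a stored {SHA} hash.
    Other htpasswd formats (crypt, $apr1$, $2y$) are deliberately rejected here."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(sha_hash(password), stored)


def basic_header(user: str, password: str) -> str:
    """What the browser sends: 'Basic ' + base64('user:password').
    Encoding, not encryption: anyone reading the connection sees both."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Decode an Authorization header value into (user, password), or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")   # password may itself contain ':'
    return user, password


def authorize(method, auth_header, users, require_users, limit_methods=None):
    """Return the status the server would send for one request.

    limit_methods models a <Limit ...> wrapper around `require`: when it is a
    set, the checks run only for those methods, exactly as <Limit GET> guards
    GET alone.  None models `require` placed outside any <Limit> block."""
    if limit_methods is not None and method not in limit_methods:
        return 200  # no requirement applies to this method: served unauthenticated
    creds = parse_basic(auth_header)
    if creds is None:
        return 401  # no usable credentials: challenge with WWW-Authenticate
    user, password = creds
    stored = users.get(user)
    if stored is None or not check_password(stored, password):
        return 401  # unknown user or wrong password
    if user not in require_users:
        return 403  # authenticated, but not in the require list
    return 200


def password_file_outside_docroot(auth_user_file: str, document_root: str) -> bool:
    """True when the AuthUserFile sits nowhere under the document tree, so no URL maps to it."""
    root = os.path.normpath(document_root)
    path = os.path.normpath(auth_user_file)
    return os.path.commonpath([root, path]) != root


if __name__ == "__main__":
    # Constructed AuthUserFile: the three Stooges plus a fourth valid account.
    text = "\n".join(make_entry(u, p) for u, p in [
        ("larry", "nyuk-nyuk"), ("curly", "woob-woob"),
        ("moe", "soitenly"), ("shemp", "not-a-stooge")])
    users = load_htpasswd(text)
    for method, hdr, limit in [
        ("GET", basic_header("larry", "nyuk-nyuk"), None),
        ("GET", basic_header("larry", "wrong"), None),
        ("GET", basic_header("shemp", "not-a-stooge"), None),
        ("POST", None, {"GET"}),   # <Limit GET> in force: POST is never checked
        ("POST", None, None),      # require outside <Limit>: POST is checked
    ]:
        print(method, "limit=", limit, "->", authorize(method, hdr, users, REQUIRE_USERS, limit))
    print("AuthUserFile outside docroot:",
          password_file_outside_docroot("/someplace/else/htpasswd", "/var/www/htdocs"))
```

The 403 for an authenticated user who is not in the require list is there to make the third test visible; Apache itself answers 401 in that case unless AuthzSendForbiddenOnFailure is turned on. The POST cases are the point of the <Limit> modelling: with only GET named, an unauthenticated POST for the same document is served without any of the three tests running.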
