Securing Your Web Server, Part 3

By Chuck Musciano, Unix Insider |  Security, Network access control

Keep in mind that you can mix and match all the directives in a
<limit> directive. Thus, you can use password
protection and domain protection together:

     AuthUserFile /someplace/else/htpasswd
     AuthGroupFile /someplace/else/htgroup
     AuthName Stooges
     AuthType Basic

     <limit>
     order deny, allow
     deny from all
     allow from .mycompany.com
     require group stooges
     </limit>

For this directory, users must not only offer up the name of a stooge
and a valid password, they must also be connecting from a machine within
the mycompany.com domain.

Web passwords & Unix passwords

An important point to remember is that, although they look and operate
in a similar manner, there is no connection between Web user names and
passwords and Unix user names and passwords. It is a common
misconception among novice webmasters that a user must have an account
on the Web server before they can take advantage of password
authentication. This is completely false. You can define thousands of
Web users in your htpasswd file without ever creating a
single extra Unix account.

That said, you should know that the password encryption scheme used
by htpasswd is the Unix password encryption algorithm. This
means that you can create entries in your htpasswd file by
cutting and pasting the first two fields (user name and encrypted
password) of any entry in your Unix password file into your htpasswd
file. This is really convenient if you are creating a secure directory
intended for use only by the users on a machine: you can set up the
password protection by copying entries from the Unix password file to
your htpasswd file and tell your users to use the same user name and
password that they use to log onto the machine. Of course, if a user
changes their Unix password, the corresponding Web password will not
be changed automatically.
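The copy-the-first-two-fields trick and its failure mode (Unix passwords drifting away from the copied Web entries) are easy to check mechanically. The script below is an added example, not code from the article; the passwd and htpasswd contents are constructed sample data with placeholder hash strings, and it also flags entries whose second field is `x`, `*` or `!`, which hold no usable hash on shadow-password or locked accounts.

```python
# Added example, not from the article: build htpasswd entries from the first
# two fields of a Unix passwd file, then audit an existing htpasswd file for
# entries that have drifted. Both files are constructed sample data and the
# hash strings are placeholders, not real crypt(3) output.

UNIX_PASSWD = """\
moe:AbCdEfGhIjKlM:1001:100:Moe Howard:/home/moe:/bin/sh
larry:NoPqRsTuVwXyZ:1002:100:Larry Fine:/home/larry:/bin/sh
curly:x:1003:100:Curly Howard:/home/curly:/bin/sh
"""
HTPASSWD = """\
moe:AbCdEfGhIjKlM
larry:OLDhashNoLonger
shemp:WebOnlyUserHash
"""

def parse_passwd(text):
    """Return {user: second_field} from colon-separated lines; both the Unix
    passwd file and an htpasswd file use the same user:hash layout."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries

def passwd_to_htpasswd(passwd_text):
    """Copy user:hash pairs as the article describes. A field of 'x', '*' or
    '!' means the hash lives in a shadow file or the account is locked, so
    there is nothing usable to copy and the entry is skipped."""
    return {u: h for u, h in parse_passwd(passwd_text).items()
            if h not in ("x", "*", "!", "")}

def audit_htpasswd(passwd_text, htpasswd_text):
    """Classify each web user: 'in_sync', 'stale' (the Unix hash changed after
    the entry was copied) or 'web_only' (no Unix account, which is normal)."""
    unix = parse_passwd(passwd_text)
    report = {}
    for user, web_hash in parse_passwd(htpasswd_text).items():
        if user not in unix:
            report[user] = "web_only"
        elif unix[user] == web_hash:
            report[user] = "in_sync"
        else:
            report[user] = "stale"
    return report
```

Running `audit_htpasswd` against real files after a round of Unix password changes shows exactly which copied Web entries need to be refreshed.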

Next month

This concludes our three-part series on server security. Hopefully,
you've been implementing all this as we've gone along and now have
a secure server, safe from prying eyes and delivering documents only to
those who are intended to see them. If you'd like to see more detailed
information on password protection, visit the NCSA User Authentication
Tutorial.
