Author Topic: Apache .htaccess Auth  (Read 21805 times)
vesa kortelainen
« on: 08/15/04, 10:23 »

Hey,

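With Apache you can use .htaccess to control folder access and many other things. Here's a basic conf for folder protection.

[script]
# Password file and (unused) group file
AuthUserFile /usr/home/vesa/.htpasswd
AuthGroupFile /dev/null
# The realm name contains a space, so it has to be quoted
AuthName "Somewhere Neat"
AuthType Basic

# <Limit GET POST> applies the requirement only to GET and POST requests
<Limit GET POST>
require user vesa
</Limit>
[/script]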

All the tutorials say that I have to use that "htpasswd" app to create a password file. I know where that exe exists in Win/Linux, but my current server is Linux and I have no idea how to run it, because I think I can only FTP to my server.

So my question is, can I create that htpassword file manually (just use Notepad and upload the file to the server)?
Andries Seutens
« Reply #1 on: 09/08/04, 18:07 »

As far as I know you cannot do this: the htpasswd file is encoded....

There is a way to get HTTP header authentication working with a MySQL database; this way you can work with users in a database, which is much easier.

- Andries Seutens
- Freelance PHP Programmer
- Visit my portfolio: http://andries.systray.be
- Web programming is science, where web design is art ...
bpat1434
« Reply #2 on: 09/24/04, 08:06 »

Hey Vesa.


Andries is not 100% correct.  The htpasswd is just a regular file with md5 encoded material.

The htpasswd file is constructed as this:

UserName:md5EncryptedPassword

So, a user like b.patterson with password pass123 would look like this:

b.patterson:01u7Qm4Go9sfU
or
b.patterson:LYcin7ATlwGF2
or
b.patterson:a.UrbZLpfJmCs

Three different sites, 3 different password encodings. You must make sure that you keep your passwords uniform. By that I mean if you don't use the md5 encryptor on your server and use an external one, make sure you use the same one every time.

The links are to the places that generate the .htpasswd lines.  They all work, and they all have support.

I hope this helps Vesa.

~Brett

md5 on Apache
Have you tried looking on Apache's homepage on how to do it?  I found a lot of info on tags, and how to add a line using their encryption.  You might want to check it out;
http://httpd.apache.org/docs-2.0/programs/htpasswd.html

As far as I know, md5 is really not something that is a security issue and can be accessed from any account through command-line interface (like adding a passwd line through php code).

~Brett
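
Added example, not part of any post in this thread: a PHP sketch for the original question (only FTP access, no htpasswd binary at hand). It builds a .htpasswd line with bcrypt, which Apache 2.4 and later accept, and classifies existing lines by the prefixes Apache documents; it assumes PHP 7 or later, and the function names and the password are made up for illustration.

```php
<?php
// Added example: build and inspect .htpasswd lines from PHP.
// Function names are hypothetical; the password below is constructed.

// Return "user:hash" using bcrypt ($2y$ prefix, random salt per call).
function htpasswd_line(string $user, string $password): string
{
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name must not contain ":" or line breaks');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT);
}

// Classify the hash field of one "user:hash" line by its prefix or shape.
function htpasswd_format(string $line): string
{
    $parts = explode(':', rtrim($line, "\r\n"), 2);
    $hash  = $parts[1] ?? '';
    if (preg_match('/^\$2[axy]\$/', $hash)) { return 'bcrypt'; }
    if (strpos($hash, '$apr1$') === 0)      { return 'apr1 (salted, iterated MD5)'; }
    if (strpos($hash, '{SHA}') === 0)       { return 'SHA-1 (unsalted)'; }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) {
        return 'crypt() DES shape (2-char salt, only 8 password chars used)';
    }
    return 'unknown or plain text';
}

// Constructed demo: the same password hashed twice gives two different lines.
$a = htpasswd_line('vesa', 'constructed-example-pw');
$b = htpasswd_line('vesa', 'constructed-example-pw');
var_dump($a !== $b);                                   // salts differ
var_dump(password_verify('constructed-example-pw', explode(':', $a, 2)[1]));
echo htpasswd_format($a), "\n";
echo htpasswd_format('b.patterson:01u7Qm4Go9sfU'), "\n"; // sample line quoted in the post above
```

The random salt is why the same password produces a different line on every run; each of them is valid as long as the server supports that format.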
Andries Seutens
« Reply #3 on: 09/24/04, 13:26 »

What did I say wrong?
bpat1434
« Reply #4 on: 09/24/04, 14:09 »

Because the .htpasswd file is not encoded. All it is is ASCII characters. If it were encoded then it wouldn't be easily manipulated. I'm not saying you're wrong, just your statement is misleading.

~Brett
Andries Seutens
« Reply #5 on: 09/24/04, 14:22 »

The password is MD5 encoded (encrypted) ;)
bpat1434
« Reply #6 on: 09/24/04, 17:38 »

This I know. But what you said was that the file was encrypted, implying that the entire .htpasswd file was encrypted rather than just the password. Whatever. Vesa got two answers that will suffice. I'm done arguing cuz I was led to believe something that you did not want to convey. I apologize.

~Brett
vesa kortelainen
« Reply #7 on: 09/26/04, 11:30 »

Thanks guys,

I solved this some time ago with a friend of mine and some Google browsing.

ShilohWarrior
« Reply #8 on: 01/03/05, 21:31 »

...

IE installed a security patch on their browser that does not allow you to access or login via url like so:

header("Location: http://user:pass@url.com/directory");

Or at least it does not work for me or my partner. So I was wondering how could you login without using the default htaccess login pop up? Maybe post variables or what?

-Ryan
Musicman
« Reply #9 on: 01/04/05, 14:55 »

Hi,

That "pour the baby with the bath" type patch does not prevent http login but putting certain things, including login, into a url.
You can still visit a website and fill in the browser's auth dialog, but you can no longer obtain login data from the server in a semi-hidden way and send them back via a url.

Musicman
ShilohWarrior
« Reply #10 on: 01/04/05, 15:45 »

So what you're saying is there is no way to login to .htaccess without using the browser login dialog?

-Ryan
vesa kortelainen
« Reply #11 on: 01/04/05, 17:15 »

I think it's the only way to log in to htaccess protected content (using the browser login dialog).
ShilohWarrior
« Reply #12 on: 01/05/05, 01:43 »

well that sux. DIE IE

-Ryan
vesa kortelainen
« Reply #13 on: 01/05/05, 06:31 »

You got it wrong, it's not IE's fault, it's just how the auth thing has been built to work with current browsers; see "How basic authentication works".
Musicman
« Reply #14 on: 01/05/05, 15:08 »

Hi,

To put things into perspective: the auth thingy is ages old (and shares one security problem with many systems, including asp and php forms: the actual user data can be sniffed on a successful login).
There has been an agreement among software makers (both major browsers, and a lot of non-browser web software) to support the user/pass as part of the url (I am not sure whether this is backed by a standard, or just common practice).
A few sites (the technique is not that widespread) used this for stuff like a "nice" form (the credentials are verified on the server, and if they match, a suitable url is generated) or "visit our ftp server" (where the url contains the login data of a restricted user, but with access better than anonymous).
It should be clear that this technique is no more secure than typing in the password itself - it is more a design and convenience feature. Everyone can "view source" to find the special url and hence the access details.
Said recent "security fix" by that one browser maker has closed a few security holes but also killed this technique ... websites that made use of it have the option of redesigning or putting up a big "please use a real browser like mozilla, opera, ...." warning on their sites. It is causing some annoyance.
Time will tell whether the security fix indeed helps on the issue it was trying to solve.

Now for those affected - if at all possible, switch to php forms based authentication (please do not use a mix of server auth and php auth because it is really fragile) and get rid of browser auth.
The benefits: you can log out with a script based auth but not with http authentication, and you can implement idle timers or the like.
The disadvantage: if you want to protect mostly media content, you need to deliver it through scripts .... this will put higher load on the server than straight file access.

Musicman
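
Added example, not Musicman's code: a PHP sketch of the script-based login recommended in the post above, showing the two benefits it lists (logout and an idle timer). It assumes PHP 7.1 or later; $users, IDLE_LIMIT, the function names and the form field names are hypothetical.

```php
<?php
// Added example: script-based login with logout and an idle timer.
// $users, IDLE_LIMIT, the function names and form fields are hypothetical.
const IDLE_LIMIT = 900; // seconds of inactivity before the login expires
// Constructed demo account; a real site would load stored hashes from a database.
$users = ['vesa' => password_hash('constructed-example-pw', PASSWORD_DEFAULT)];
session_start();

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['user'] = $user;
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];                // forget the user on the server side
    session_destroy();
}

function current_user(): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();                  // idle timer expired
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

if (isset($_POST['logout'])) {
    logout();
} elseif (isset($_POST['user'], $_POST['pass'])) {
    login($users, (string) $_POST['user'], (string) $_POST['pass']);
}
$user = current_user();
if ($user === null) {
    echo '<form method="post"><input name="user"><input name="pass" type="password"><button>Log in</button></form>';
} else {
    echo 'Hello ' . htmlspecialchars($user) . ' <form method="post"><button name="logout" value="1">Log out</button></form>';
}
```

Protected media would be served by a script that calls current_user() before sending the file, which is the extra server load the post mentions.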