web:password-protected:authsys:start
Differences
This shows you the differences between two versions of the page.
web:password-protected:authsys:start [2017/01/25 11:17] – created seela | web:password-protected:authsys:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ======Authentication By System and User-Defined Usernames and Passwords or Groups | ||
- | \\ | ||
- | \\ | ||
- | Authentication By System and User-Defined Usernames and Passwords or Groups | ||
- | Sometimes, it is necessary to authenticate by system usernames and passwords or groups along with a few additional user-defined usernames and passwords or groups. This can be setup by like this: | ||
- | |||
- | Create a password file that will contain the user-defined usernames and passwords for the protected area using the htpasswd(1) command. If the file does not exist, you can use the " | ||
- | htpasswd -c / | ||
- | |||
- | This would prompt you to create a web password for user " | ||
- | |||
- | htpasswd | ||
- | |||
- | The password file should not be located in a directory that is served by the webserver. However, it must be a file that the webserver has permission to access. | ||
- | |||
- | Ensure that the web server can read the password file. For example: | ||
- | |||
- | chmod o+x / | ||
- | chmod o+x / | ||
- | chmod o+r / | ||
- | |||
- | CAUTION: Other users on the system will also be able to read the password file. The passwords are encrypted, but this does not mean they are safe. | ||
- | If you would like to authenticate based on user-defined groups, you must create a group file (eg. / | ||
- | |||
- | students: joe sally | ||
- | faculty: bob ruth | ||
- | everyone: joe sally bob ruth | ||
- | |||
- | Here, users joe and sally are in the students group, users bob and ruth are in the faculty group, and everyone is in the everyone group. | ||
- | If you created a groups file above, ensure that the web server can read the file like this: | ||
- | |||
- | chmod o+x / | ||
- | chmod o+x / | ||
- | chmod o+r / | ||
- | |||
- | CAUTION: Other users on the system will also be able to read the groups file. | ||
- | In the directory you wish to protect, create a .htaccess file with the following contents: | ||
- | |||
- | SSLRequireSSL | ||
- | AuthType Basic | ||
- | AuthName "Name of Web Area You Are Protecting" | ||
- | AuthBasicProvider file pam | ||
- | AuthUserFile / | ||
- | If you will be authenticating based on user-defined groups and system groups, add: | ||
- | |||
- | AuthzUnixgroup on | ||
- | AuthGroupFile / | ||
- | AuthzUnixgroupAuthoritative off | ||
- | |||
- | If you wish to restrict access to specific system groups OR user-defined groups, add for each group: | ||
- | |||
- | Require group < | ||
- | If you wish to restrict access to user-defined or system accounts, add: | ||
- | |||
- | AuthzGroupFileAuthoritative off | ||
- | |||
- | If you wish to restrict access to any user-defined or system account, add: | ||
- | |||
- | Require valid-user | ||
- | |||
- | If you wish to restrict access to specific system accounts OR user-defined accounts, add for each user: | ||
- | |||
- | Require user < | ||
- | |||
- | You can use as many " | ||
- | |||
- | If you use both " | ||
- | |||
- | Check file permissions on your .htaccess file and directory permissions on all directories leading up to your .htaccess file. | ||
- | |||
- | At a minimum, your .htaccess file must be readable by the web server, which runs as user " | ||
- | |||
- | chmod o+r .htaccess | ||
- | |||
- | CAUTION: This will enable other users on the system to also read your .htaccess file. | ||
- | |||
- | You will also need to ensure that all directories up to your .htaccess file are accessible by the web server. For example, if your .htaccess file is / | ||
- | |||
- | chmod o+x / | ||
- | chmod o+x / | ||
- | |||
- | In order to better protect system usernames and passwords, the SSLRequireSSL directive in your .htaccess file only permits access to PAM authentication over https. Please DO NOT remove this directive. Access a secure web site, / | ||
- | |||
- | https:// | ||
- | |||
- | ... and not like this: | ||
- | |||
- | http:// | ||
- | |||
- | Note: Access to your secure page over http will yield a " | ||
- | (optional) If you would like to automatically redirect http accesses to your page to the secure https version, add the following code to the .htaccess file that is in the directory above the one you are protecting: | ||
- | |||
- | ErrorDocument 403 / | ||
- | |||
- | That is, if you are protecting / | ||
- | |||
- | This code takes advantage of the fact that an error 403 (Forbidden) is produced when a user accesses your secure page via http. It redefines the error handler for " | ||
- | |||
- | Notes: | ||
- | |||
- | Access to your web page for user-defined accounts will be slower since every request will attempt to authenticate first against a system username, fail, and then against the user-defined username. | ||
- | |||
- | A utility, mkhtaccess is available for helping your build your .htaccess file. See the mkhtaccess page for details. | ||
- | |||
- | Full details on Apache authentication can be found in the Apache authentication documentation. | ||
- | |||
- | Always be careful when using your system username and password for accessing web pages. Only use it on sites that you trust. |
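
Review bot: the revision deletes the whole page, from Line 1 down, with only "removed - external edit" as its summary and no pointer to a replacement. The removed text holds the SSLRequireSSL guidance ("Please DO NOT remove this directive") and the CAUTION notes that `chmod o+r` leaves the password and groups files readable by other users on the system. Anyone who already built an .htaccess from these steps keeps `AuthBasicProvider file pam` and those permissions in place but can no longer find the caveats. Suggest recording why the page was removed and, if the procedure is still supported, linking to the page that replaces it. If it is being retired, say so and tell readers what to do with existing password files and .htaccess files.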
web/password-protected/authsys/start.1485361062.txt.gz · Last modified: 2017/01/25 11:17 by seela