HTTP Authentication in Apache

From Zanecorpwiki


HTTP authentication is the authentication mechanism built into HTTP itself: the server answers an unauthenticated request with a 401 status and a WWW-Authenticate challenge, and the client repeats the request with an Authorization header. Because the check happens before any application code runs, Apache can use it to protect content quickly and comprehensively. For practical purposes, this approach is ideally suited when entire directories of information need protection.

Be aware that Basic authentication is not itself secure: the client sends the username and password in every request, base64-encoded but otherwise in plain text (base64 is an encoding, not encryption, and anyone who can observe the connection can recover the credentials). This is not a problem so long as an SSL/TLS (HTTPS) connection to the server is employed. Non-SSL connections are practically useful for cutting down nuisance and casual access, but should not be considered secure.

 <Directory /the/directory/to/protect>
   AuthType Basic
   AuthName "Name That Will Show Up in the Password Dialog"
   AuthUserFile /home/user/build/ymake/modules/apache/conf/passwd
   Order deny,allow
   Require valid-user
   SSLRequireSSL
 </Directory>

'AuthName' takes a single argument, so a multi-word realm must be quoted. 'SSLRequireSSL' (provided by mod_ssl) makes Apache refuse the request outright if it did not arrive over HTTPS, so credentials are never accepted across a plaintext connection. The 'Require' directive defines who can access the site. 'valid-user' means that any user defined in the 'AuthUserFile' can access the content. It is also possible to list specific users as named in the file:

 Require user username1 [username2 ...]

Or create groups and require group membership:

 AuthGroupFile /home/user/build/ymake/modules/apache/conf/groups
 Require group group1 [group2 ...]

The group file is a plain text file with one group per line in the form 'groupname: user1 user2 ...'; every member must also exist in the 'AuthUserFile', since the group only controls authorization, not authentication. When there are sets of users requiring access to multiple sets of protected data, the user and group requirements can be useful. If the user sets are disjoint, it may be easiest to employ a separate passwd file for each set of users, in which case one would still use 'valid-user' as the access requirement.

To create the password file with user 'user1', from the apache home simply run the following. Note that '-c' creates the file and silently overwrites it if it already exists, so use it only for the first user:

./bin/htpasswd -s -c ./conf/passwd user1

To add another user or update an existing user's password, simply type:

./bin/htpasswd -s ./conf/passwd user2

To remove a user:

./bin/htpasswd -D ./conf/passwd user2

The '-s' option specifies SHA-1 hashing (passwords are hashed, not encrypted: the file stores a digest that is compared against the digest of what the client sends). This page recommends it because of a known weakness in htpasswd's implementation of the CRYPT (default) and MD5 schemes (see the salt weakness reference below). Be aware that the '{SHA}' format stores an unsalted digest, so two users with the same password get identical entries, and a stolen file can be attacked with precomputed tables; current htpasswd versions offer bcrypt via '-B', which is the stronger choice when the Apache build supports it. Whatever scheme is used, the passwd and group files must live outside the document root and be readable only by the user Apache runs as.
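The following added example (written for this page, not code from Apache or the ymake build) models what Apache does with the configuration above: it decodes a Basic 'Authorization' header, checks the password against a '{SHA}' entry of the kind 'htpasswd -s' writes, and then evaluates 'Require valid-user', 'Require user ...' and 'Require group ...' against a group file. The passwd and group contents, the user names and the passwords are constructed sample data. It also makes the unsalted-hash caveat concrete: two users with the same password end up with byte-identical entries.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


def parse_basic_header(header: str) -> Tuple[str, str]:
    """Decode 'Authorization: Basic <base64(user:password)>'. Note that this is
    reversible by anyone who sees the header: base64 is not encryption."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authentication header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def sha_entry(password: str) -> str:
    """The field 'htpasswd -s' writes: '{SHA}' + base64 of the raw SHA-1 digest.
    There is no salt, so equal passwords always produce equal entries."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def parse_passwd(text: str) -> Dict[str, str]:
    """AuthUserFile format: one 'user:hashfield' per line."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, field = line.partition(":")
            users[name] = field
    return users


def parse_groups(text: str) -> Dict[str, Set[str]]:
    """AuthGroupFile format: one 'group: member member ...' per line."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def check_password(stored: str, password: str) -> bool:
    """Only the '{SHA}' scheme is modelled here; other htpasswd schemes
    ({crypt}, $apr1$ MD5, $2y$ bcrypt) are rejected rather than guessed at."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))  # constant-time compare


def authenticate(passwd: Dict[str, str], header: str) -> Optional[str]:
    """Return the authenticated user name, or None on any failure."""
    user, password = parse_basic_header(header)
    stored = passwd.get(user)
    if stored is None or not check_password(stored, password):
        return None
    return user


def authorize(require: str, user: Optional[str], groups: Dict[str, Set[str]]) -> bool:
    """Evaluate one Require line for an already-authenticated user."""
    if user is None:
        return False
    parts = require.split()
    if parts == ["valid-user"]:
        return True
    if parts and parts[0] == "user":
        return user in parts[1:]
    if parts and parts[0] == "group":
        return any(user in groups.get(g, set()) for g in parts[1:])
    raise ValueError("unsupported Require form: " + require)


# Constructed sample files (hypothetical users and passwords, not from the page).
PASSWD = parse_passwd("\n".join([
    "user1:" + sha_entry("password"),
    "user2:" + sha_entry("s3cret-Tuesday"),
    "user3:" + sha_entry("password"),   # same password as user1
]))
GROUPS = parse_groups("group1: user1 user2\ngroup2: user3\n")


def basic_header(user: str, password: str) -> str:
    """Build the header a browser would send for the given credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    who = authenticate(PASSWD, basic_header("user2", "s3cret-Tuesday"))
    print("authenticated as", who)
    print("Require group group1 ->", authorize("Require group group1"[8:], who, GROUPS))
    print("user1 and user3 share an entry:", PASSWD["user1"] == PASSWD["user3"])
```

Run it directly to see the decisions for the sample users; the identical 'user1' and 'user3' entries are exactly what an attacker holding a copy of the file can exploit, which is why the salted and cost-parameterised bcrypt scheme is preferable where available.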

The location of the apache home and standard place for the passwd and group files assumes apache was installed according to ymake standards.

References

info on htpasswd salt weakness
