Re: [cobalt-users] Password-protected dir's
- Subject: Re: [cobalt-users] Password-protected dir's
- From: John Rood <john@xxxxxxxxx>
- Date: Tue Jul 25 03:59:32 2000
On Mon, 24 Jul 2000, Daren Cotter wrote:
> Hello all,
>
> I'm trying to set up a password-protected directory on a RaQ3. I created an
> .htaccess and .htpasswd file, doing everything correctly (I've included all
> the steps I took below). When I try to access this directory from the web, I
> am prompted for a user/pass, but none of the users/passes I've created work.
> The RaQ is running the ChiliSoft Interpreter, I thought that might have
> something to do with the problem. Has anyone else encountered this before?
>
> STEPS TAKEN:
>
> 1) Created directory "employees"
> 2) Created .htaccess file in "employees" with this text:
>
> AuthUserFile /home/sites/www.domainname.com/web/employees/.htpasswd
> AuthGroupFile /dev/null
> AuthName EmployeesOnly
> AuthType Basic
>
> <Limit GET>
> require user daren
> require user daren2
> </Limit>
>
> 3) Created .htpasswd file by first using the command:
>
> /usr/sbin/htpasswd -c /home/sites/www.domainname.com/web/employees/.htpasswd daren
>
> Then,
>
> /usr/sbin/htpasswd /home/sites/www.domain.com/web/employees/.htpasswd daren2
>
> Entering "test" as the password for both users. When I connect to the site
> (http://www.domain.com/employees/index.html) I am prompted for a user/pass,
> but neither of the users/passwords I've created work.
Hi Daren,
You're on the right track here, but a couple of things. First of all,
apache on a raq (maybe on others as well) uses mod_auth_pam. This pam module
authenticates people against the system's users, not the passwd files you
create. The downside of this module is that it's always 'on' and this
results in not getting access (well, it'll work if you log in as a user
that's known on the cobalt). If you add AuthPAM_Enabled off to your
.htaccess it'll turn off pam authentication and use 'regular' style
authentication. Another way around this is enabling a fall through in your
apache config so it'll check with other authentication methods if pam
can't find the user. This allows you to combine pam authentication with
normal .htaccess behaviour. Just add AuthPAM_FallThrough on to your
srm.conf.
Secondly, you're sticking your .htpasswd files within your web tree. This
isn't a good thing to do. This way, an authenticated user can grab the
file and can use brute force cracking techniques on the passwd file to get
more account information. This is due to a small error in the raq's apache
configuration. If you look at your access.conf, you'll find a bunch of
lines like:
# ignore .files
#<Files "\.*">
#deny from all
#</Files>
Change this to
# ignore .files
<Files "\.*">
deny from all
</Files>
And you're safe. But it's still wise to keep the passwd file outside the
accessible webtree, so stick it in /home/sites/www.domain.com/ or so.
Best regards,
John
--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
--
John C. Rood
UNIX programmer/Database developer/System administrator
SFARC Networks, The Netherlands - http://www.sfarc.net
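An added audit script for the three points in John's reply (PAM shadowing the .htpasswd users, the password file sitting under the web root, and the commented-out <Files "\.*"> block in access.conf); it is not part of the thread or of the RaQ's own tooling, and the paths and file contents below are constructed samples mirroring the ones quoted above:

```shell
#!/bin/sh
# Audit an .htaccess / access.conf pair for the issues raised in the reply:
# 1. mod_auth_pam stays on unless AuthPAM_Enabled off or AuthPAM_FallThrough on is set
# 2. an AuthUserFile under the web root is downloadable once someone authenticates
# 3. the access.conf <Files "\.*"> deny block only helps when it is uncommented

# check_htaccess WEBROOT HTACCESS  -> prints one finding per line, exit 0 only when clean
check_htaccess() {
    webroot=$1 htaccess=$2 rc=0
    if ! grep -qiE '^[[:space:]]*(AuthPAM_Enabled[[:space:]]+off|AuthPAM_FallThrough[[:space:]]+on)' "$htaccess"; then
        echo "$htaccess: PAM still active, .htpasswd users will never match"; rc=1
    fi
    userfile=$(awk 'tolower($1)=="authuserfile" {print $2; exit}' "$htaccess")
    case "$userfile" in
        "$webroot"/*) echo "$htaccess: AuthUserFile $userfile lies inside web root $webroot"; rc=1 ;;
    esac
    return $rc
}

# check_access_conf ACCESS_CONF -> exit 0 if an uncommented <Files "\.*"> block denies all
check_access_conf() {
    awk '{ l = tolower($0) }
         l !~ /^[[:space:]]*#/ && index(l, "<files \"\\.*\">") { inblock = 1; next }
         inblock && l !~ /^[[:space:]]*#/ && l ~ /deny[[:space:]]+from[[:space:]]+all/ { found = 1 }
         l !~ /^[[:space:]]*#/ && index(l, "</files>") { inblock = 0 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Constructed samples (hypothetical paths, same layout as the thread's)
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
webroot=/home/sites/www.domainname.com/web
printf '%s\n' "AuthUserFile $webroot/employees/.htpasswd" 'AuthGroupFile /dev/null' \
    'AuthName EmployeesOnly' 'AuthType Basic' '<Limit GET>' 'require user daren' '</Limit>' > "$tmp/htaccess.orig"
printf '%s\n' 'AuthPAM_Enabled off' 'AuthUserFile /home/sites/www.domainname.com/.htpasswd' 'AuthGroupFile /dev/null' \
    'AuthName EmployeesOnly' 'AuthType Basic' '<Limit GET>' 'require user daren' '</Limit>' > "$tmp/htaccess.fixed"
printf '%s\n' '# ignore .files' '#<Files "\.*">' '#deny from all' '#</Files>' > "$tmp/access.orig"
printf '%s\n' '# ignore .files' '<Files "\.*">' 'deny from all' '</Files>' > "$tmp/access.fixed"

for f in htaccess.orig htaccess.fixed; do
    check_htaccess "$webroot" "$tmp/$f" && echo "$f: clean"
done
for f in access.orig access.fixed; do
    check_access_conf "$tmp/$f" && echo "$f: dot-files denied" || echo "$f: dot-files still served"
done
```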