Search the Internet:
Today is: September 7, 2010

About Us
Services
Internet Access
      Residential Dialup
      Business Dialup
      Residential DSL
      Business DSL
Web Hosting
Domain Hosting
Web Site Advertising
Server Co-location
Technical Support
      Forward Your Email
News Briefs
Local Websites
      Business Pages
      Personal Pages
Unofficial FallsCam
TuCows Niagara
Human Resources
Contacting Us
      Sales
      Technical Support
      Billing Support
      Webmaster

User Authentication Tutorial

Introduction

The following document was provided by NCSA as a basis of instruction on Basic User Authentication. The original document may be found at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html.

Apache and NCSA HTTPd allow access restriction based on several criteria:

  • Username/password-level access authorization.
  • Rejection or acceptance of connections based on Internet address of client.
  • A combination of the above two methods.

Tutorial Contents

General Information

Access control for a given directory is controlled by a specific file in the directory with a filename as specified by the server. The default filename is .htaccess Once a .htaccess is placed within a directory the server will parse the file looking for access restriction directives. These directives are explained fulling in the rest of the tutorial.

How Secure Is It?

In Basic HTTP Authentication, the password is passed over the network not encrypted but not as plain text -- it is "uuencoded." Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet.

So basically this method of authentication is roughly as safe as telnet-style username and password security -- if you trust your machine to be on the Internet, open to attempts to telnet in by anyone who wants to try, then you have no reason not to trust this method also.

Basic ByPassword Authentication: Step By Step

This should help you set up protection on a directory via the Basic HTTP Authentication method. This method also uses the standard plaintext password file. If you have a large user base, NCSA HTTPd supports a DBM based password file for faster access.

So let's suppose you want to restrict files in a directory called turkey to username pumpkin and password pie. Here's what to do:

Create a file called .htaccess in directory turkey that looks like this: 


AuthUserFile /otherdir/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

<Limit GET>
require user pumpkin
</Limit>

Note that the password file will be in another directory (/otherdir).

AuthUserFile must be the full Unix pathname of the password file.

Also note that in this case there is no group file, so we specify /dev/null (the standard Unix way to say "this file doesn't exist").

AuthName can be anything you want. The AuthName field gives the Realm name for which the protection is provided. This name is usually given when a browser prompts for a password, and is also usually used by a browser in correlation with the URL to save the password information you enter so that it can authenticate automatically on the next challenge. Note: You should set this to something, otherwise it will default to ByPassword, which is both non-descriptive and too common.

AuthType should be set to Basic, since we are using Basic HTTP Authentication.

In this example, only the method GET is restricted using the LIMIT directive. To limit other methods (particularly in CGI directories), you can specify them separated by spaces in the LIMIT directive. For example: 

<LIMIT GET POST PUT>
require user pumpkin
</LIMIT>
If you only use GET protection for a CGI script, you may be finding that the REMOTE_USER environment variable is not getting set when using METHOD="POST", obviously because the directory isn't protected against POST.

Create the password file /otherdir/.htpasswd

The easiest way to do this is to use the htpasswd program located on the ICN server. Do this: 


htpasswd -c /otherdir/.htpasswd pumpkin

Type the password -- pie -- twice as instructed.

Check the resulting file to get a warm feeling of self-satisfaction; it should look like this: 


pumpkin:y1ia3tjWkhCK2

That's all. Now try to access a file in directory turkey -- your browser should demand a username and password, and not give you access to the file if you don't enter pumpkin and pie. If you are using a browser that doesn't handle authentication, you will not be able to access the document at all.

Multiple Usernames/Passwords

If you want to give access to a directory to more than one username/password pair, follow the same steps as for a single username/password with the following additions:

Add additional users to the directory's .htpasswd file.

Use the htpasswd command without the -c flag to add additional users; e.g.: 


htpasswd /otherdir/.htpasswd peanuts
htpasswd /otherdir/.htpasswd almonds
htpasswd /otherdir/.htpasswd walnuts

Create a group file.

Call it /otherdir/.htgroup and have it look something like this: 


my-users: pumpkin peanuts almonds walnuts

... where pumpkin, peanuts, almonds, and walnuts are the usernames.

Then modify the .htaccess file in the directory to look like this: 


AuthUserFile /otherdir/.htpasswd
AuthGroupFile /otherdir/.htgroup
AuthName ByPassword
AuthType Basic

<Limit GET>
require group my-users
</Limit>

Note that AuthGroupFile now points to your group file and that group my-users (rather than individual user pumpkin) is now required for access.

That's it. Now any user in group my-users can use his/her individual username and password to gain access to directory turkey.

Prepared Examples

Following are several examples of the range of access authorization capabilities available through Mosaic and NCSA HTTPd. The examples are served from a system at NCSA.

Simple protection by password.

This document is accessible only to user fido with password bones.

Important Note: There is no correspondence between usernames and passwords on specific Unix systems (e.g. in an /etc/passwd file) and usernames and passwords in the authentication schemes we're discussing for use in the Web. As illustrated in the examples, Web-based authentication uses similar but wholly distinct password files; a user need never have an actual account on a given Unix system in order to be validated for access to files being served from that system and protected with HTTP-based authentication.

Protection by password; multiple users allowed.

This document is accessible to user rover with password bacon and user jumpy with password kibbles.

Protection by network domain.

This document is only accessible to clients running on machines inside domain ncsa.uiuc.edu.

Note for non-NCSA readers: The .htaccess file used in this case is as follows: 


AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleAllowFromICN
AuthType Basic

<Limit GET>
order deny,allow
deny from all
allow from .niagara.com
</Limit>

Protection by network domain -- exclusion.

This document is accessible to clients running on machines anywhere but inside domain ncsa.uiuc.edu.

Note for readers: The .htaccess file used in this case is as follows: 


AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleDenyFromNCSA
AuthType Basic

<Limit GET>
order allow,deny
allow from all
deny from .ncsa.uiuc.edu
</Limit>

(c) 1994-2003 1174752 Ontario Inc. o/a Niagara.com All Rights Reserved
39 Queen Street Suite 406, St. Catharines, ON, L2R 5G6 (905) 988-9909
Information regarding services please contact sales@niagara.com
Site information webmaster@niagara.com

Under no circumstances can this page or its contents be duplicated.