CCL May 17, 1999 [001]

From:  Jan Labanowski <jkl %! at !% ccl.net>
Date:  Sun, 16 May 1999 23:52:50 -0400 (EDT)
Subject:  Re: apache server - htpasswd missing

On Sat, 15 May 1999, Christoph Maerker wrote:

> Universite Louis Pasteur
> Postal-Address: 4, rue Blaise Pascal, F- 67000 Strasbourg FRANCE
> Phone: +33/3-88-41-53-19
> Fax:   +33/3-88-60-63-83
>
> Hi all,
>
> I've got an apache www server. I want to passwd-protect some dirs,
> but the htpasswd command is missing. How can one create this command, please ?
>
> Best regards,
> Christoph
>


Dear Christoph,

The passwords for the .htaccess mechanism of controlling access to
the directories are created by the same mechanism as for UNIX login,
i.e., /etc/passwd.

If you do not have perl installed, you can just change your password
temporarily on the UNIX box by using the passwd command, and then
copy the password to the Web password file.

But this is cumbersome. The UNIX password is created with the crypt
routine. It consists of a "seed" (first two characters of the password)
and the encrypted password. The seed is composed of letters, digits,
and a few other printable characters, and is a parameter (2nd) to the crypt
UNIX routine together with the "open text password" (1st). The crypt routine
returns the seed and encrypted password as a string.

encrypted_password = crypt(open_password, seed);

perl has a crypt function, so you could generate a password by just typing this
at the UNIX prompt:

perl
print STDOUT crypt("my_open_password", "7x"), "\n";
^D

7xUC7SQVQeS.U


Here my_open_password is the password which you want to encrypt,
7x is a seed (or salt, as people call it), and ^D stands for CTRL/D, i.e.,
the end of transmission ASCII character, i.e., UNIX end of input. The
encrypted password will be 7xUC7SQVQeS.U in this case. While it is
so easy to generate an encrypted password, there is no known way to
go from the encrypted password to the unencrypted password besides doing
brute-force checks and comparison with a dictionary (or guessed
password). Note that a person who knows the encrypted password also
knows the seed. Warning: you should not use the same passwords for
Web and for UNIX login. UNIX will throw you out after a few bad tries
and will make you wait. The Web usually will not punish password
cracking, and it is much easier to crack the Web password (essentially
an unlimited number of tries within a short period of time) than the
UNIX password, which punishes the wrong entry with a wait period.

Now, assuming that you want to use a script to make an encrypted password,
this will do it for you (save it, give it x permissions, and
put the right location of perl on the first line). It will also
generate a random seed for you.

-----------------  cut and save as make_passwd.pl ------------------
#!/usr/local/bin/perl

# generate encrypted password using the argument given
# Usage: make_passwd.pl password

# the 64 characters crypt(3) accepts in a salt
@chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

$n = $#chars + 1;   # 64
$n2 = $n*$n;        # 4096 possible two-character salts

# derive a seed from the time, this process's id ($$) and the size of a log file;
# -s yields undef when the file is missing, so fall back to 0
$seed = (time - $$ + ((-s '/var/log/messages') || 0) + 1346235) % $n2;
$seed1 = int($seed / $n);
$seed2 = int($seed % $n);

$salt = $chars[$seed1] . $chars[$seed2];

if($#ARGV == 0) {
  $encpasswd = crypt($ARGV[0], $salt);
  }
else {
  die "Usage: make_passwd.pl plain_text_pass\n";
  }

print STDOUT "Encrypted Password = |$encpasswd|\n";
------------------ cut --------------


Example:

make_passwd.pl 'My*Secret'
Encrypted Password = |4v2FWV9S1AbyQ|

Your open password was My*Secret (the example does not imply that this
is a good password; it is actually one of the worst),
and the encrypted password in this case was 4v2FWV9S1AbyQ
(note, the 4v is the seed which the program automatically created).

Now, how to protect your directory under Apache?
Assuming that the directories which you want to protect are allowed
in the Apache httpd.conf file to have password protection (e.g., if your
directories are under, say, /web/private as in the example below):

<Directory /web/private>
AllowOverride Limit AuthConfig Options
AuthType Basic
AuthName private-web
Options ExecCGI
</Directory>
you can protect them easily. In the directory which you want to protect,
you place the file:
.htaccess
This file allows you to override some options from your httpd.conf
file. For example:

--------------- cut -----------
AuthUserFile /etc/httpd/auth/htpasswd
AuthGroupFile /etc/httpd/auth/htgroup
AuthName "For close friends only"
AuthType Basic

require group myfriends
------------ cut ---------

In the directory /etc/httpd/auth (or whatever you choose, but
do not put it in your Web tree), you create files htpasswd and htgroup
(or whatever names you want to give them). For example:

--------- cut: htpasswd ------------
jim:.lh4hjkcz.lFxE
joe:/wuDR9867DJNE
pipi:d/87ghkRTmIQ
-----------cut -------------------


-------- cut: htgroup -------------
myfriends:jim joe pipi
--------- cut -----------

The string which follows the colon in htpasswd is the encrypted password created
as described above. All files should be world readable.
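The same mechanism seen from the server's side, as an added example that is not part of Jan's message: it builds htpasswd lines with a two-character salt drawn from a CSPRNG (instead of the time/pid arithmetic in the script above) and checks a candidate password against a stored entry the way the server does, re-hashing it with the stored string as the setting. It uses Ruby's String#crypt, i.e. the system crypt(3), and assumes that crypt(3) still supports the traditional DES format; the user names, passwords and the htpasswd text are constructed here. It also goes one step beyond the text by showing that DES crypt keeps only the first 8 characters of the password.

```ruby
require 'securerandom'

# Traditional crypt(3) salt alphabet: the same 64 characters Jan's script draws from.
SALT_CHARS = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']).freeze

# Build one "user:hash" line for an htpasswd file. The 2-character salt comes from
# a CSPRNG; the hash is produced by the system crypt(3) through Ruby's String#crypt.
def make_htpasswd_entry(user, password)
  raise ArgumentError, 'user must not contain ":"' if user.include?(':')
  salt = Array.new(2) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  hash = password.crypt(salt)
  # libxcrypt signals an unsupported method with a short "*0"/"*1" token instead of
  # raising; refuse to store that, because every candidate would then "verify".
  raise 'crypt(3) did not produce a traditional DES hash' unless hash.length == 13 && hash.start_with?(salt)
  "#{user}:#{hash}"
end

# Parse htpasswd text into {user => hash}, skipping blank lines and comments.
def parse_htpasswd(text)
  text.each_line.with_object({}) do |line, table|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    user, hash = line.split(':', 2)
    table[user] = hash if hash
  end
end

# Check a candidate the way the server does: the stored hash carries its own salt
# (first two characters for DES), so re-hash the candidate with the stored string
# as the setting and compare. Unknown users are rejected the same way as bad passwords.
def verify_password(table, user, candidate)
  stored = table[user]
  return false unless stored && stored.length == 13
  recomputed = candidate.crypt(stored)
  # constant-time comparison so a rejected guess does not leak how many bytes matched
  recomputed.bytesize == stored.bytesize &&
    recomputed.bytes.zip(stored.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Constructed sample: an htpasswd file built at runtime (values are not from the page).
SAMPLE_HTPASSWD = [make_htpasswd_entry('jim', 'My*Secret'),
                   make_htpasswd_entry('joe', 'another-one')].join("\n") + "\n"
TABLE = parse_htpasswd(SAMPLE_HTPASSWD)

if __FILE__ == $0
  puts SAMPLE_HTPASSWD
  p verify_password(TABLE, 'jim', 'My*Secret')  # true
  p verify_password(TABLE, 'jim', 'My*Secre')   # true too: DES crypt uses only the first 8 characters
  p verify_password(TABLE, 'jim', 'my*secret')  # false
end
```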

Have fun, and remember that if you want to really protect stuff
which you serve over the Web, you need to use the SSL protocol -- this
simple password protection does not encrypt communications, i.e.,
the passwords and the content. But SSL and ssleay is another story
and cannot be described in a one-pager; it is slightly more complicated.


Jan K. Labanowski            |    phone: 614-292-9279,  FAX: 614-292-7168
Ohio Supercomputer Center    |    Internet: jkl (+ at +) ccl.net
1224 Kinnear Rd,             |    http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163      |    http://www.ccl.net/

