From chemistry-request -AatT- server.ccl.net Sun May 16 23:57:11 1999
Received: from ccl.net (atlantis.ccl.net [192.148.249.4]) by server.ccl.net (8.8.7/8.8.7) with ESMTP id XAA29285 for ; Sun, 16 May 1999 23:57:11 -0400
Received: from krakow.ccl.net (krakow.ccl.net [192.148.249.195]) by ccl.net (8.8.6/8.8.6/OSC 1.1) with ESMTP id XAA03472; Sun, 16 May 1999 23:52:51 -0400 (EDT)
Date: Sun, 16 May 1999 23:52:50 -0400 (EDT)
From: Jan Labanowski
To: Christoph Maerker
cc: chemistry[ AT ]ccl.net, Jan Labanowski
Subject: Re: apache server - htpasswd missing
In-Reply-To: <199905151641.SAA04271 (- at -) chris2.u-strasbg.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 15 May 1999, Christoph Maerker wrote:

> Universite Louis Pasteur
> Postal-Address: 4, rue Blaise Pascal, F- 67000 Strasbourg FRANCE
> Phone: +33/3-88-41-53-19
> Fax: +33/3-88-60-63-83
> X-Mailer: ELM [version 2.4ME+ PL37 (25)]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII
> Content-Transfer-Encoding: 7bit
> Content-Length: 181
>
> Hi all,
>
> I've got an apache www server. I want to passwd-protect some dirs,
> but the htpasswd command is missing. How can one create this command, please ?
>
> Best regards,
> Christoph
>

Dear Christoph,

The passwords for the .htaccess mechanism of controlling access to the
directories are created by the same mechanism as for UNIX login, i.e.,
/etc/passwd. If you do not have perl installed, you can just change your
password temporarily on the UNIX box by using the passwd command and then
copy the password to the Web password file. But this is cumbersome.

The UNIX password is created with the crypt routine. It consists of "seed"
(first two characters of password) and the encrypted password. The seed is
composed of letters, digits, and a few other printable characters, and is
a parameter (2nd) to the crypt UNIX routine together with the
"open text password" (1st). The crypt routine returns seed and encrypted
password as a string.
    encrypted_password = crypt(open_password, seed);

perl has a crypt function, so you could generate a password by just typing
this at the UNIX prompt:

    perl
    print STDOUT crypt("my_open_password", "7x"), "\n";
    ^D
    7xUC7SQVQeS.U

Where my_open_password is the password which you want to encrypt,
7x is a seed (or salt, as people call it), ^D stands for CTRL/D, i.e., the
end of transmission ASCII character, i.e., UNIX end of input. The encrypted
password will be 7xUC7SQVQeS.U in this case. While it is so easy to generate
an encrypted password, there is no known way to go from the encrypted password
to the unencrypted password besides doing brute force checks and comparison
with a dictionary (or guessed password). Note that a person who knows the
encrypted password also knows the seed.

Warning: you should not use the same passwords for Web and for UNIX log in.
UNIX will throw you out after a few bad tries and will make you wait. The Web
usually will not punish password cracking, and it is much easier to crack
the Web password (essentially unlimited number of tries within a short period
of time) than the UNIX password, which punishes the wrong entry with a wait
period.

Now, assuming that you want to use a script to make an encrypted password,
this will do it for you (save it, and give it x permissions, and put the
right location of perl on the first line). It will also generate a random
seed for you.

----------------- cut and save as make_passwd.pl ------------------
#!/usr/local/bin/perl
# generate encrypted password using the argument given
# Usage: make_passwd.pl password

# characters allowed in a crypt salt
@chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
$n = $#chars + 1;
$n2 = $n*$n;
# number in 0..$n2-1 built from the time, the process ID ($$) and a file size
$seed = (time - $$ + (-s '/var/log/messages') + 1346235) % $n2;
$seed1 = int($seed / $n);
$seed2 = int($seed % $n);
$salt = $chars[$seed1] . $chars[$seed2];

if($#ARGV == 0) {
  $encpasswd = crypt($ARGV[0], $salt);
}
else {
  die "Usage: make_passwd.pl plain_text_pass\n";
}

print STDOUT "Encrypted Password = |$encpasswd|\n";
------------------ cut --------------

Example:

    make_passwd.pl 'My*Secret'
    Encrypted Password = |4v2FWV9S1AbyQ|

Your open password was My*Secret (the example does not imply that this
is the good password, it is actually one of the worst), and the encrypted
password in this case was 4v2FWV9S1AbyQ (note, the 4v is the seed which
the program automatically created).

Now, how to protect your directory under Apache?
Assuming that the directories which you want to protect are allowed
in the Apache httpd.conf file to have password protection (e.g.,
if your directories are under, say, /web/private as in the example below:

<Directory /web/private>
AllowOverride Limit AuthConfig Options
AuthType Basic
AuthName private-web
Options ExecCGI
</Directory>

) you can protect them easily. In the directory which you want to protect,
you place the file:

    .htaccess

This file allows you to override some options from your httpd.conf file.
For example:

--------------- cut -----------
AuthUserFile /etc/httpd/auth/htpasswd
AuthGroupFile /etc/httpd/auth/htgroup
AuthName "For close friends only"
AuthType Basic
require group myfriends
------------ cut ---------

In the directory /etc/httpd/auth (or whatever you choose, but do not put
it in your Web tree), you create files htpasswd and htgroup (or whatever
names you want to give them). For example:

--------- cut: htpasswd ------------
jim:.lh4hjkcz.lFxE
joe:/wuDR9867DJNE
pipi:d/87ghkRTmIQ
-----------cut -------------------

-------- cut: htgroup -------------
myfriends:jim joe pipi
--------- cut -----------

The stuff which follows the colon in htpasswd is the encrypted password
created as described above. All files should be world readable.

Have fun, and remember that if you want to really protect stuff
which you serve over the Web, you need to use the SSL protocol -- this
simple password protection does not encrypt communications, i.e.,
the passwords and the content. But SSL and ssleay is another story,
and cannot be described in a one-pager; it is slightly more complicated.

Jan K. Labanowski            |   phone: 614-292-9279,  FAX: 614-292-7168
Ohio Supercomputer Center    |   Internet: jkl-0at0-ccl.net
1224 Kinnear Rd,             |   http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163      |   http://www.ccl.net/
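
Added example, not part of the original message: a small audit of the three files the message describes (.htaccess, htpasswd, htgroup). It flags entries still stored as 13-character DES crypt, group members with no password entry, and auth files placed inside the Web tree. The function names, the document root /web, the user "ann" and the sample file contents are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Traditional DES crypt(3): 2-char salt + 11-char hash, all from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
WEAK = {"des-crypt", "sha1-unsalted", "unknown"}

def classify(field):
    """Name the scheme of the hash field of one htpasswd entry."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if DES_CRYPT.fullmatch(field):
        return "des-crypt"   # only the first 8 password characters count
    return "unknown"         # plaintext, truncated or damaged entry

def audit(htaccess, htpasswd, htgroup, docroot):
    """Return (kind, subject, detail) findings for one protected directory."""
    findings, users = [], {}
    for line in htpasswd.splitlines():
        user, sep, field = line.strip().partition(":")
        if not sep:
            continue
        users[user] = classify(field)
        if users[user] in WEAK:
            findings.append(("weak-hash", user, users[user]))
    for line in htgroup.splitlines():
        group, _, members = line.strip().partition(":")
        for member in members.split():
            if member not in users:
                findings.append(("no-password-entry", member, group))
    root = PurePosixPath(docroot)
    for line in htaccess.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] in ("AuthUserFile", "AuthGroupFile"):
            path = PurePosixPath(words[1])
            if path == root or root in path.parents:
                findings.append(("auth-file-in-docroot", words[0], words[1]))
    return findings

# Constructed sample input. The two DES hashes are the ones printed in the
# message above; the $apr1$ value is a placeholder, not a real hash.
HTACCESS = ("AuthUserFile /web/private/.htpasswd\n"
            "AuthGroupFile /etc/httpd/auth/htgroup\n"
            "AuthType Basic\nrequire group myfriends\n")
HTPASSWD = ("jim:7xUC7SQVQeS.U\njoe:4v2FWV9S1AbyQ\n"
            "pipi:$apr1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx\n")
HTGROUP = "myfriends:jim joe pipi ann\n"

if __name__ == "__main__":
    for finding in audit(HTACCESS, HTPASSWD, HTGROUP, "/web"):
        print(*finding, sep="\t")
```

The illustrative htpasswd entries in the message itself are 14, 13 and 12 characters long, so only the 13-character one matches the DES crypt pattern; the other two come back as "unknown".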