Web Password and Group Files for Apache Web Server
-------------------------------------------------------------------------------

For the basic steps needed to add username/passwords to a directory
See info/www/passwd_protect_101.txt

The following goes into the finer details...

-------------------------------------------------------------------------------
WARNING: Web Passwords are NOT secure over HTTP

Note that your web username and password will be sent in every HTTP request
you make to the protected area.  This password, while not in plain clear
text, is only binary-to-text (base64) encoded, not encrypted!  If anyone can
grab the first packet of your HTTP request (most requests are only one
packet) they have your password!

Also note that you are still sharing that password with the web site you are
sending it to, so it should be a different password for each web site you
use.

Sending web passwords over the HTTPS protocol (HTTP over SSL) encrypts them
along with the rest of your web request.  As such a network snooper will not
be able to get your password from a web server using SSL encryption.

The server configuration should be designed to ensure HTTPS is in use when
passwords are required.  It should either deny or redirect client browsers
when that is not the case.  But this is actually harder to do than it seems,
and so far impossible to do from ".htaccess" without using hacks, or
hardcoding a redirection URL into the configuration.

Ideally we should have a directive much like "SSLRequireSSL" but which forces
a basic HTTP to HTTPS redirection BEFORE authentication (or anything else)
happens.  But currently this has not been provided.

See info/www/passwd_protect_101.txt for more techniques

-------------------------------------------------------------------------------
Using a simple text password file

See "passwd_protect_101.txt" as a start point...
=======8<--------
#
# Deny directory from access other than by HTTPS
#
SSLRequireSSL
#
# Define the authentication and access requirements
#
AuthName "Restricted Directory"
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
require valid-user
=======8<--------

The format of the text ".htpasswd" file is one line per user, as generated
by the "htpasswd" command...

    user:{password_hash}

Note that the text password file has NO group field.  Groups for text files
go in the separate AuthGroupFile, one line per group, members separated by
spaces...

    {group}: {user} {user} {user}

(The combined "{hash}:{group},{group}" format belongs to DBM files, see
below.)

SECURITY: make sure that the AuthUserFile and AuthGroupFile (whatever you
call them) are stored either outside the document tree of the web server, or
under a name starting with ".ht", which Apache web servers by default refuse
to serve to clients (this comes from the <Files ~ "^\.ht"> deny block in the
standard httpd.conf; if that block has been removed the ".ht" name protects
nothing).  Otherwise clients may be able to download the password file and
crack it offline.

The require command above could also specify a specific set of users instead
of any "valid-user" as above.

    require user {user}
or
    require user {user} {user} {user} ...
or
    require group {group} {group} {group} ...

Note that these lists are space separated.

WARNING: If the AuthUserFile is NOT readable by the web server, it does not
know what restrictions you may have.  If that happens the server will
disallow ALL access to the directory!!!!!

For more information on using DBM password files in Apache web servers look
at the following article from Apache Week...

    http://www.apacheweek.com/features/dbmauth

-------------------------------------------------------------------------------
Using a Web Passwd Database.

In the www sub-directory you wish to protect, create a ".htaccess" file with
something like these lines...

=======8<--------
#
# Require SSL connection for password protection.
#
SSLRequireSSL
#
# Limit access to this directory
#
AuthType Basic
AuthName "Name of Area they need a password for"
AuthDBMUserFile /full/path/to/DBMfile
#AuthDBMType SDBM   # use SDBM rather than DBM (optional)
require valid-user
=======8<--------

Note that the full path to the {DBMfile} you created (without any .pag or
.dir suffixes) must be given above.
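The following Python script is an added example; it is not part of these notes and not Apache code. It ties the HTTP warning at the top of this file to the text password file described above: it decodes the Authorization header out of a constructed captured request (showing that Basic auth is only base64), then checks the recovered credentials against a constructed AuthUserFile and AuthGroupFile and a "require" line the way the server would. The {SHA} hash form written by "htpasswd -s" is the only hash format it verifies; crypt(3), $apr1$ and bcrypt entries are refused rather than guessed. The user names, passwords, group names and the request are all made up for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first packet of a request for a Basic-auth protected
# area, exactly as a network snooper would see it on plain HTTP.
CAPTURED_REQUEST = (
    "GET /private/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "\r\n"
)

def decode_basic_header(request: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a sniffed Authorization header.
    Basic auth is base64, not encryption: whoever has the packet has it."""
    for line in request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        return user, password
    return None

def sha_entry(password: str) -> str:
    """The hash field as 'htpasswd -s' writes it: {SHA} + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def check_password(stored: str, password: str) -> bool:
    """Verify against one stored hash field.  Only {SHA} is handled here;
    crypt(3), $apr1$ and bcrypt entries fail closed instead of being guessed."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored.encode(), sha_entry(password).encode())

def parse_user_file(text: str) -> Dict[str, str]:
    """AuthUserFile (text form): one 'user:hash' per line, no group field."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def parse_group_file(text: str) -> Dict[str, List[str]]:
    """AuthGroupFile (text form): one 'group: user user ...' per line."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            group, _, members = line.partition(":")
            groups[group.strip()] = members.split()
    return groups

def authorize(require: str, user: str, password: str,
              users: Dict[str, str], groups: Dict[str, List[str]]) -> bool:
    """Apply one 'require' line as the server does: authenticate against the
    user file first, then test valid-user / user ... / group ... (space lists)."""
    stored = users.get(user)
    if stored is None or not check_password(stored, password):
        return False
    words = require.split()
    if words[:1] == ["valid-user"]:
        return True
    if words[:1] == ["user"]:
        return user in words[1:]
    if words[:1] == ["group"]:
        return any(user in groups.get(g, []) for g in words[1:])
    return False   # unknown require type: deny

# Constructed sample files; hashes are generated here so the example runs offline.
USER_FILE = "\n".join(["alice:" + sha_entry("s3cr3t"), "bob:" + sha_entry("hunter2")])
GROUP_FILE = "admins: alice\nstaff: alice bob\n"

def demo() -> Dict[str, object]:
    """Sniff the request, then try the recovered credentials against the files."""
    sniffed = decode_basic_header(CAPTURED_REQUEST)
    user, password = sniffed if sniffed else ("", "")
    users, groups = parse_user_file(USER_FILE), parse_group_file(GROUP_FILE)
    return {
        "sniffed": sniffed,
        "valid-user": authorize("valid-user", user, password, users, groups),
        "group admins": authorize("group admins", user, password, users, groups),
        "bob as admin": authorize("group admins", "bob", "hunter2", users, groups),
        "wrong password": authorize("valid-user", user, "wrong", users, groups),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the "sniffed" entry is the whole point of the HTTPS warning: nothing in the request protects the password, and the same credentials then pass "valid-user" and "group admins" exactly as the legitimate user would.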
Typically the password database file is named ".htpasswd", which generates
the files ".htpasswd.dir" and ".htpasswd.pag".

I have a perl script "dbm_manage" that can handle DBM files and specifically
Apache DBM password files.

-------------------------------------------------------------------------------
Setting up a Web Password Database (dbmmanage)

The "dbmmanage" command was originally provided by Apache.  Newer Apache
installations provide a "htdbm" command to be used instead of "dbmmanage"
(the "htpasswd" command handles the plain text password files).  I myself
have a "dbm_manage" script that is similar to both and does more.

-----

Use the perl script /opt/apache/bin/dbmmanage to create the web password
database.  For example

    dbmmanage {DBMfile} adduser {person} {passwd} [{group}[,{group}]]

Note: the user and password are what will be typed into the browser and can
be whatever you like.

The name of the DBMfile password file is the file name base to use.  It will
create two files with ".dir" and ".pag" suffixes.  This should be OUTSIDE all
web directories if possible, or start with a ".ht" prefix, which Apache web
servers (by default) will never serve.

The DBMfile name can be anything you like, or even anywhere; however it is
recommended that it be OUTSIDE the www sub-directory tree, like your primary
home directory.

A DBM group file can also be used to allow people to be placed in multiple
web groups, but I have not done this and dbmmanage does not generate DBM
group files.

Other dbmmanage functions

    dbmmanage {DBMfile} add {person} {encrypted-passwd} [{group}]
    dbmmanage {DBMfile} delete {person}
    dbmmanage {DBMfile} view

The encrypted-passwd is in the normal UNIX passwd encryption format, the
output of crypt(3).  Any good UNIX programming book can explain how these are
generated using the C library crypt() function (or Perl's crypt() function).

-------------------------------------------------------------------------------
Setting up a Web Password Database (dbm_manage)

"dbm_manage" is an enhanced version of the old "dbmmanage" program allowing
more control of DBM password files.
It allows easy dumping and restoring of text versions of the DBM file, and
easier viewing, deleting and editing, all with appropriate write locks for a
multitasking environment.

If you just type the command you will get a summary of options

    dbm_manage

To first create the password file use (NOTE: {DBMfile} is given WITHOUT any
suffixes, like .dir or .pag, and should match the full file pathname you
place in the ".htaccess" file)

    dbm_manage {DBMfile} create

The DBM file argument for the other commands is optional; if not given, the
script assumes it should use the single DBM database (".dir", ".pag") found
in the current directory.  It will produce an error if two databases are
found.

To add users and their passwords use

    dbm_manage [{DBMfile}] passwd {user}

At that point dbm_manage will ask you to type in the password twice, just as
the normal UNIX passwd program does.

Other command options commonly used...

    dbm_manage [{DBMfile}] delete {user}
    dbm_manage [{DBMfile}] edit [{user}]
    dbm_manage [{DBMfile}] view

-------------------------------------------------------------------------------
Grouping User Access

You can add users to various `groups'.  This is useful to allow you to
restrict access to a particular area of the web server to just a few users
from the current Web Password File being used.

Groups may be specified in a separate DBM "groups" file, but this is more
commonly done in the same DBM password file used to provide the password.
This is done by providing a new colon separated field in the DBM password
file immediately following the user's encrypted password.  This field
contains a comma separated list of all the groups the user belongs to.

EG:   DBMkey (IE the user login name)  ->  {encrypted_password}:{group},{group},{group}:

Any other fields after the comma separated group list are ignored by the web
server and can be used for extra user information by other programs.
IE it could be used for things like: last access, last password change, other
access rights, user preferences, etc etc etc.  This is left up to the various
CGI programs to implement.

To specify the file holding the groups a user belongs to you use...

=======8<--------
AuthDBMGroupFile /full/path/to/DBMfile
=======8<--------

As mentioned, this commonly uses the exact same entry as that for
AuthDBMUserFile, the password file.  If you do decide to use a separate DBM
file for the web groups, the DBM format is exactly the same as that for the
AuthDBMUserFile but the "password" field is ignored.

After adding the above to the ".htaccess" file you can specify which groups
are allowed access, in that same ".htaccess" file or in ".htaccess" files in
lower sub-directories, with this require command...

    require group {group}
or
    require group {group} {group} {group}

Note that the require line lists groups separated by spaces, while the group
field inside the DBM record is comma separated.

"dbm_manage" also has commands to allow you to set the groups users belong
to, which are understood by the Apache server when enabled with the
AuthDBMGroupFile line in the ".htaccess" file.  See the Apache server
documentation on the web.

    dbm_manage [{DBMfile}] group {user} {group}
or for multiple groups
    dbm_manage [{DBMfile}] group {user} {group},{group},...

-------------------------------------------------------------------------------
Web Passwords and CGI scripts

If you run a CGI script in a password secured area, the script has access to
an environment variable "REMOTE_USER" which is the username the client has
authenticated as (and "AUTH_TYPE", which will be "Basic").  Apache only sets
REMOTE_USER after a successful authentication; headers supplied by the client
arrive as HTTP_* variables instead, so a client cannot forge it.  The CGI
script can then use this information to output information specific to each
user.  For more information see...

    http://www.apache.org/docs/misc/FAQ.html#remote-user-var

There is however no simple way for a CGI script to access the groups a user
belongs to, or to retrieve or update any extra fields in the password file.
In fact there is no simple way to figure out which password file is being
used.  Knowing how to access the file directly from CGI scripts can be very
useful.
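As an added example (written for this page; it is neither the "dbm_manage" script these notes describe nor Apache code), the following Python shows what a CGI script can do with REMOTE_USER and the DBM record format from the grouping section above. The DBM file is stood in for by a dictionary holding made-up hash placeholders; a real script would open the .dir/.pag pair with a DBM library matching the AuthDBMType in use, and the value format is what matters. The functions parse the "{hash}:{group},{group}:{extra}" value, rewrite the group field without disturbing the extra fields (what a "dbm_manage ... group" style command has to do), and apply a script-level group check. The CGI environment used when not run under Apache is constructed.

```python
import os
from typing import Dict, List, Tuple

# Constructed stand-in for the DBM password database: key = login name,
# value = "{encrypted_password}:{group},{group}:{extra fields...}".
# The hash strings are placeholders, not real crypt() output.
SAMPLE_DBM: Dict[str, str] = {
    "alice": "hash-for-alice:admins,staff:Alice Example:2004-01-01",
    "bob":   "hash-for-bob:staff",
    "carol": "hash-for-carol",
}

def parse_record(value: str) -> Tuple[str, List[str], List[str]]:
    """Split a DBM value into (password_hash, groups, extra_fields).
    Apache reads only the first two fields; everything after is ours."""
    fields = value.split(":")
    password = fields[0]
    groups = [g for g in fields[1].split(",") if g] if len(fields) > 1 else []
    return password, groups, fields[2:]

def set_groups(value: str, groups: List[str]) -> str:
    """Rewrite only the group field, keeping the hash and any extra fields
    intact (what a 'dbm_manage ... group' style command must do)."""
    password, _, extra = parse_record(value)
    return ":".join([password, ",".join(groups)] + extra)

def add_group(value: str, group: str) -> str:
    """Add one group to a record without duplicating it."""
    _, groups, _ = parse_record(value)
    if group not in groups:
        groups.append(group)
    return set_groups(value, groups)

def cgi_user_info(environ: Dict[str, str], dbm: Dict[str, str]) -> Dict[str, object]:
    """What a CGI script in a protected area can learn about the caller.
    REMOTE_USER is set by Apache only after authentication succeeded (client
    headers arrive as HTTP_*, so a client cannot forge it); the groups and
    extra fields have to be read from the password file by the script."""
    user = environ.get("REMOTE_USER")
    if not user:                       # area is not password protected
        return {"user": None, "groups": [], "extra": []}
    record = dbm.get(user)
    if record is None:                 # authenticated against some other file
        return {"user": user, "groups": [], "extra": []}
    _, groups, extra = parse_record(record)
    return {"user": user, "groups": groups, "extra": extra}

def may_access(environ: Dict[str, str], dbm: Dict[str, str], group: str) -> bool:
    """A script-level check like 'require group', for decisions the
    .htaccess cannot express (per record, not per directory)."""
    return group in cgi_user_info(environ, dbm)["groups"]

if __name__ == "__main__":
    # Use the real CGI environment under Apache, else the constructed one.
    if "REMOTE_USER" in os.environ:
        env = dict(os.environ)
    else:
        env = {"REMOTE_USER": "alice", "AUTH_TYPE": "Basic"}
    info = cgi_user_info(env, SAMPLE_DBM)
    print("Content-Type: text/plain\n")
    print(f"user={info['user']} groups={info['groups']} extra={info['extra']}")
    print("admin:", may_access(env, SAMPLE_DBM, "admins"))
```

The script keeps the "record is None" branch separate from the "no REMOTE_USER" branch on purpose: the first means the area is protected by a different password file than the one the script opened, which is exactly the "no simple way to figure out which password file is being used" problem, and should be treated as no groups rather than as an error a client can provoke.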
I have used that file to store secondary permissions, and other information
such as the user's full name for a friendlier interface.

-------------------------------------------------------------------------------
WARNING: File Permissions

The web server (Apache "httpd") generally runs as the user "nobody" for
security reasons.  As such ALL files which it must have access to must also
be readable by the user nobody.  These files thus need to be "world
readable", and can be made readable with the command

    chmod a+r files...

NOTE: for access, the directory path down to the file must also be
accessible!

    chmod a+x directories...

and optionally readable for directory listings

    chmod a+r directories...

This includes: html documents, images, the passwd database, and the
".htaccess" file.

WARNING: if ".htpasswd" is NOT readable by the web server, it does not know
what restrictions you may have in the ".htpasswd" file.  Due to this it will
disallow ALL access to the directory!!!!!

Your home directory also needs to be accessible, as well as the WWW
directory, "www" or "public_html" depending on your server.  For example
(adjust to suit)

    chmod 644 ~/public_html/.htaccess ~/www_passwd.dir ~/www_passwd.pag
    chmod 755 ~/public_html
    chmod 711 ~

Note that "world readable" means every other login on the same machine can
also read the password file and try to crack the hashes in it.  If the file
can be put in the web server's group, group readable only (chmod 640) is
tighter than 644.

If you want to restrict access to the data your cgi scripts are handling,
then either the suEXEC program needs to be installed into the Apache web
server OR your CGI program will need to be SUID to some user or group which
does provide access.

WARNING: SUID can make the security of a cgi program even worse, as break-ins
will be as the user owning the script and not "nobody".  Use only if needed,
and then know what you are doing and the risks involved.

DO NOT RELY ON FILE PERMISSIONS...

File permissions could change accidentally during maintenance or transfer of
the web site files, and should not be relied on for security.

-------------------------------------------------------------------------------
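The following Python script is an added example, not part of these notes: a diagnostic for the permission rules above. It walks the directory chain above a file and reports anything that would stop an unrelated user such as "nobody" from reading it, then demonstrates on a throwaway public_html/.htaccess built in a temporary directory, before and after the recommended chmods. It assumes httpd is neither the owner nor in the file's group, so only the "other" permission bits count; it is a check for the mistake described above, not a substitute for the "do not rely on file permissions" rule.

```python
import os
import stat
import tempfile
from typing import Dict, List

def access_problems(path: str) -> List[str]:
    """List why 'path' may be unreadable to an unrelated user such as
    'nobody': every directory from the root down needs 'x' for others and
    the file itself needs 'r' for others.  Assumes httpd is neither the
    owner nor in the group, so only the 'other' bits are examined."""
    path = os.path.abspath(path)
    problems: List[str] = []
    chain: List[str] = []            # directory chain, file's parent upward
    d = os.path.dirname(path)
    while True:
        chain.append(d)
        parent = os.path.dirname(d)
        if parent == d:              # reached the root
            break
        d = parent
    for d in reversed(chain):        # report root first, like the path
        if not os.stat(d).st_mode & stat.S_IXOTH:
            problems.append(f"{d}: not searchable by others (chmod o+x)")
    mode = os.stat(path).st_mode
    if not mode & stat.S_IROTH:
        problems.append(f"{path}: not readable by others (chmod o+r)")
    if mode & stat.S_IWOTH:          # readable is required, writable is a bug
        problems.append(f"{path}: writable by others (chmod o-w)")
    return problems

def demo() -> Dict[str, List[str]]:
    """Build a throwaway 'home directory' holding public_html/.htaccess in
    the usual broken state (0700 directories, 0600 file), check it, apply
    the chmods recommended above, and check again."""
    home = tempfile.mkdtemp()        # mkdtemp creates it mode 0700
    public = os.path.join(home, "public_html")
    os.mkdir(public, 0o700)
    htaccess = os.path.join(public, ".htaccess")
    with open(htaccess, "w") as f:   # constructed minimal .htaccess
        f.write("AuthType Basic\nrequire valid-user\n")
    os.chmod(htaccess, 0o600)
    before = access_problems(htaccess)

    os.chmod(home, 0o711)            # chmod 711 ~
    os.chmod(public, 0o755)          # chmod 755 ~/public_html
    os.chmod(htaccess, 0o644)        # chmod 644 ~/public_html/.htaccess
    after = access_problems(htaccess)

    os.remove(htaccess)
    os.rmdir(public)
    os.rmdir(home)
    return {"home": [home], "before": before, "after": after}

if __name__ == "__main__":
    result = demo()
    print("before:", *result["before"], sep="\n  ")
    print("after:", *(result["after"] or ["no problems found"]), sep="\n  ")
```

Point it at a real ~/www_passwd.pag or .htaccess to see the same report for your own tree; anything reported above the home directory (an unusual /home mode, for instance) needs the system administrator, not chmod in your own account.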