.htaccess and .htpasswd

NikPreviousAcct

No Lifer
Aug 15, 2000
52,763
1
0
Is anyone familiar with .htaccess and .htpasswd enough to tell me whether I can store multiple user/pass in one .htpasswd file? I need to have an individual user/pass for each folder and have multiple folders (dozens, maybe in the hundreds).

What's the best way to have a single different user/pass for each of dozens and dozens of individual folders that will be available online? Security is an absolute must.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Once you have created the password file, you need to tell Apache about it, and tell Apache to use this file in order to require user credentials for admission. This configuration is done with the following directives:

These directives may be placed in a .htaccess file in the particular directory being protected, or may go in the main server configuration file, in a <Directory> section, or other scope container.


You can use either .htaccess or put it in your httpd.conf file
 

NikPreviousAcct

No Lifer
Aug 15, 2000
52,763
1
0
So I could conceivably have one link be password protected with many different users allowed and have individual folders under that one for each individual user, but that would require me to have .htpasswd files in each of the individual directories, right?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
It's not recommended to have your password file in a browseable directory. Even though the passwords are still encrypted, it is still a security risk.

The password is stored in the password file in encrypted form, so that users on the system will not be able to read the file and immediately determine the passwords of all the users. Nevertheless, you should store the file in as secure a location as possible, with whatever minimum permissions on the file so that the web server itself can read the file. For example, if your server is configured to run as user nobody and group nogroup, then you should set permissions on the file so that only the webserver can read the file and only root can write to it:

chown root.nogroup /usr/local/apache/passwd/passwords
chmod 640 /usr/local/apache/passwd/passwords

On Windows, a similar precaution should be taken, changing the ownership of the password file to the web server user, so that other users cannot read the file.

As for having a lot of people have access to the files:

Most of the time, you will want more than one, or two, or even a dozen, people to have access to a resource. You want to be able to define a group of people that have access to that resource, and be able to manage that group of people, adding and removing members, without having to edit the server configuration file, and restart Apache, each time.

This is handled using authentication groups. An authentication group is, as you would expect, a group name associated with a list of members. This list is stored in a group file, which should be stored in the same location as the password file, so that you are able to keep track of these things.

The format of the group file is exceedingly simple. A group name appears first on a line, followed by a colon, and then a list of the members of the group, separated by spaces. For example:

authors: rich daniel allan

Once this file has been created, you can Require that someone be in a particular group in order to get the requested resource. This is done with the AuthGroupFile directive, as shown in the following example.

AuthType Basic
AuthName "Apache Admin Guide Authors"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group authors

The authentication process is now one step more involved. When a request is received, and the requested username and password are supplied, the group file is first checked to see if the supplied username is even in the required group. If it is, then the password file will be checked to see if the username is in there, and if the supplied password matches the password stored in that file. If any of these steps fail, access will be forbidden.

I would use a group file, and then if you only want a specific user to have access to a directory put a Require user jdoe in the .htaccess file in their directories.
 
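The setup Crusty describes across his two replies (one central password file outside the document root with restrictive permissions, a group file in the "group: member member" format, and a per-directory .htaccess that names the one allowed user) can be generated and checked with the script below. This is an added example for this thread, not code from the posts or from Apache; the folder names, user names, passwords and temp-directory paths are constructed samples. The hash scheme is a port of APR's apr_md5_encode(), i.e. the $apr1$ format that `htpasswd -m` writes, so the file it produces is the same shape a real htpasswd run would give; the parse/authorize functions follow the order the quoted docs describe (group membership first, then the password file).

```python
# Added example (not from the original posts or from Apache): one central
# .htpasswd with $apr1$ hashes, a group file, a .htaccess per folder that
# allows only that folder's user, and a checker for a credential. Stdlib only.
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_ID = "$apr1$"

def _to64(value, count):
    """Apache's to64(): `count` base-64 digits, least significant digit first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_crypt(password, salt):
    """Port of APR's apr_md5_encode(): the $apr1$ scheme `htpasswd -m` writes."""
    pw, salt = password.encode(), salt[:8].encode()  # APR keeps at most 8 salt chars
    ctx = hashlib.md5(pw + APR1_ID.encode() + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:  # one byte of the inner digest per password byte
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:  # a NUL or pw[0] for every bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):  # fixed 1000-round stretching, as in APR
        c = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(salt)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return APR1_ID + salt.decode() + "$" + enc + _to64(final[11], 2)

def check_password(password, stored):
    """True if `password` matches one .htpasswd hash field; constant-time compare."""
    if not stored.startswith(APR1_ID):
        return False  # {SHA}, bcrypt and crypt(3) fields are not handled here
    salt = stored[len(APR1_ID):].split("$", 1)[0]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)

def parse_htpasswd(text):
    """user -> hash from 'user:hash' lines; blank lines and '#' comments skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split(":", 1) for ln in lines if ln and ln[0] != "#" and ":" in ln)

def parse_groups(text):
    """group -> set of members from 'group: a b c' lines (the format quoted above)."""
    return {n.strip(): set(m.split()) for n, m in
            (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)}

def authorize(user, password, users, groups, group=None, only_user=None):
    """Same order as the quoted docs: group membership first, then the password file."""
    if group is not None and user not in groups.get(group, set()):
        return False
    if only_user is not None and user != only_user:  # 'Require user jdoe'
        return False
    return user in users and check_password(password, users[user])

def build_site(docroot, passwd_file, group_file, folders):
    """folders: folder name -> (user, password). Writes one password file and
    one group file outside the document root, plus a .htaccess per folder."""
    entries = {u: apr1_crypt(p, "".join(secrets.choice(ITOA64) for _ in range(8)))
               for u, p in folders.values()}
    passwd_file.write_text("".join(f"{u}:{h}\n" for u, h in entries.items()))
    group_file.write_text("clients: " + " ".join(entries) + "\n")
    for f in (passwd_file, group_file):
        f.chmod(0o640)  # owner writes, the web server's group reads, nobody else
    for name, (user, _) in folders.items():
        folder = docroot / name
        folder.mkdir(parents=True, exist_ok=True)
        (folder / ".htaccess").write_text(
            f'AuthType Basic\nAuthName "{name}"\nAuthUserFile {passwd_file}\n'
            f"AuthGroupFile {group_file}\nRequire user {user}\n")
    return entries

def demo():
    """Three sample folders in a temp dir (constructed data); returns (entries, one .htaccess)."""
    base = Path(tempfile.mkdtemp())
    (base / "passwd").mkdir()
    folders = {"acme": ("acme", "Wq7!tL2p"), "globex": ("globex", "n9Rk$4zV"),
               "initech": ("initech", "pX3#mB8s")}
    entries = build_site(base / "htdocs", base / "passwd" / "passwords",
                         base / "passwd" / "groups", folders)
    return entries, (base / "htdocs" / "acme" / ".htaccess").read_text()
```

Run `demo()` and inspect the temp directory: the password and group files sit beside each other outside `htdocs`, each `.htaccess` points at the same AuthUserFile, and only the `Require user` line differs per folder, which is exactly the one-file, many-folders layout asked for in the first post. $apr1$ is what Apache's own tool produces, but it is salted MD5 with a fixed 1000 rounds; on a current Apache, `htpasswd -B` (bcrypt) is the stronger choice and the file layout and directives stay the same.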

NikPreviousAcct

No Lifer
Aug 15, 2000
52,763
1
0
Is there any GUI for content management that you would suggest that will be separate from the basic site?

Do you know of any content manager that is extremely configurable that would handle this sort of thing that you would suggest?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
The only content manager I've ever used was phpNuke, so I can't really comment on those. I only used it for a few days then went on and wrote a custom one in ASP. I'm sure others have more of an opinion than I do on those.