Protecting Directories

The method described here for password-protecting web files is useful mainly for protecting entire directories and non-php files. It has the advantage of protecting non-php files such as static html pages, images, and pdf files. It has the disadvantages that it does not use single sign-on, it does not enforce a secure connection when asking for the viewer’s password, and the password file it uses is not updated immediately when a user changes their password.

If possible, you should use Single Sign-on to protect web pages, or File Downloads to protect a directory of downloadable files.

This form of authentication is no longer allowed on home.sandiego.edu; special permission is required to use it on www.sandiego.edu.

By default, .htaccess files are disabled on the main web server. If you need to use .htaccess authentication, you’ll need to contact the webmaster and describe what .htaccess authentication provides that isn’t available in the Single Sign-on and File Downloads plugins.


Password-protecting directories

You can use a ‘.htaccess’ file to require passwords and usernames to enter certain directories. You can do this so that USD users have to type their standard USD e-mail username and password to get access to your page or pages. If you put a ‘.htaccess’ file into one of your web directories, the file will control web access to all pages within that directory.

AuthLDAPURL "ldap://ldap.sandiego.edu/ou=People,dc=sandiego,dc=edu"
AuthName "USD Eyes Only!"
AuthType Basic
require valid-user

The following .htaccess file will let only Faculty and Staff at USD view your page:

AuthLDAPURL "ldap://ldap.sandiego.edu/ou=People,dc=sandiego,dc=edu"
AuthName "USD Employees Only!"
AuthType Basic
AuthGroupFile /usr/local/scripts/etc/WebGroups
require group Faculty Staff

Group names are case sensitive.

Specific users

You can specify users just as you can specify groups. The following .htaccess file will only let ‘jerry’ and ‘artagnan’ view the files in the directory:

AuthLDAPURL "ldap://ldap.sandiego.edu/ou=People,dc=sandiego,dc=edu"
AuthName "USD Employees Only!"
AuthType Basic
require ldap-user jerry artagnan

Groups and users

You can combine both methods, and allow specific groups in as well as specific usernames. The following .htaccess file will let any faculty and students view the page, as well as the users ‘jerry’ and ‘artagnan’:

AuthLDAPURL "ldap://ldap.sandiego.edu/ou=People,dc=sandiego,dc=edu"
AuthName "USD Employees Only!"
AuthType Basic
AuthGroupFile /usr/local/scripts/etc/WebGroups
require group Faculty Students
require ldap-user jerry artagnan

Your Own Groups

You can also make up your own groups and still let your readers use their USD passwords. You might want to do this if you are creating an area on your web site that is only for your class, for example. You can create a group that consists only of your students’ usernames.

You need to create a group file to do this. You can name it whatever you want. In your group file, use their USD username. For example, if you want to include fred@sandiego.edu, barney@sandiego.edu, and smithers@sandiego.edu in a group called ‘BBC’, the following line in your groups file will do it:

BBC: fred barney smithers

This way, you can make up your own groups without having to worry about creating and changing passwords. If you call your groups file “MyGroups” and put it in a directory in your account called “passinfo”, the ‘.htaccess’ file will look like:

AuthLDAPURL "ldap://ldap.sandiego.edu/ou=People,dc=sandiego,dc=edu"
AuthName "BBC Students Only!"
AuthType Basic
AuthGroupFile /yourhome/passinfo/MyGroups
require group BBC

You can put this file anywhere in your Unix account. I recommend not putting it inside your web directory.

Your Own Passwords

You can also create your own passwords. You’ll want to do this if your readers do not have standard USD usernames and passwords. This gets a little complicated. First, you need to create a password file. You do this with the ‘htpasswd’ command. The first time you do this, type:

htpasswd -c PasswordFilename FirstUser

For example, the following commands create a directory for your password info, and then a password for user ‘Tarzan’:

mkdir ~/passinfo
chmod ugo+x ~/passinfo
htpasswd -c ~/passinfo/passwords Tarzan
chmod ugo+r ~/passinfo/passwords

Remember that this is Unix, and Unix is case sensitive. ‘Tarzan’ is a different username than ‘tarzan’.

Once the file is created, the only command you need is ‘htpasswd filename username’. The htpasswd program will ask you for this user’s password, encode it, and put it into the file you specified:

htpasswd ~/passinfo/passwords Jane

Suppose you’ve got a directory called ‘passinfo’ in your home directory, and you've created a file with a password for ‘Jane’ and ‘Tarzan’, called "passwords". You want to allow only Tarzan to get access to the files in this directory. Put the following in a file called ‘.htaccess’ in that directory, replacing ‘yourhome’ with the path to your home directory. (Type ‘pwd’ to find that out.) You can use ‘pico’ to create this file. Type pico .htaccess while you are ‘inside’ the folder you want to protect.

AuthUserFile /yourhome/passinfo/passwords
AuthName "Jungle Financial Records"
AuthType Basic
require user Tarzan

Now, when anyone tries to access pages in that directory, they’ll be asked for a username and password, and they’ll be told that it’s for “Jungle Financial Records”. They’ll only be allowed in if they enter “Tarzan” for the username, and Tarzan’s password for the password.

You’ll notice that this ‘.htaccess’ file does not have an “AuthGroupFile” command. This means that only the user specified has web access to those pages. Most of the time, however, you’re going to want to let a group of people in. To do that, you need to create a ‘Group’ file, just as you did to make your own USD group(s). In the above example, I’d create a file called ‘groups’ in my ‘passinfo’ directory, and put the following line into it:

Jungle: Tarzan Jane Cheetah
Tribes: Ngari Fred

This creates the ‘group’ called ‘Jungle’, with the members ‘Tarzan’, ‘Jane’, and ‘Cheetah’. It also creates a group called ‘Tribes’ with the members ‘Ngari’ and ‘Fred’. Each of those users must also appear in the specified password file. I’ll change my .htaccess file to the following:

AuthUserFile /yourhome/passinfo/passwords
AuthName "Jungle Financial Records"
AuthType Basic
AuthGroupFile /yourhome/passinfo/groups
require group Jungle

Remember to change ‘yourhome’ to the path to your home directory! Now, any of Tarzan, Jane, and Cheetah can get in. But Ngari and Fred cannot.

Passwords and usernames are case sensitive.

Security

Because your password file must be readable by the web server, if you place it inside your public_html directory it will be visible to anyone on the net. You will probably want to create a special folder outside of your public_html directory, and store your password and group files there. This directory must also be readable by everyone:

chmod ugo+r filename
chmod ugo+x directoryname

Also, as this is a shared server, anyone who has access to the server can still read your password file. So you want to make sure your passwords are not easily guessable by a computer. Passwords that are made up of dates, names, or words are easily guessable. Random combinations of letters, numbers, and punctuation are not.
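The two mistakes that this section and the “Your Own Passwords” section warn about (a group member with no entry in the password file, and a password or group file left inside public_html) are easy to catch before the page goes live. The following checker is an added example, not part of the original page; the function names and the sample file contents are constructed for illustration.

```python
# Added example (not from the original page): cross-check an .htaccess file against the
# password and group files it names.
def parse_htaccess(text):
    """Return (AuthUserFile, AuthGroupFile, [groups named by 'require group'])."""
    user_file = group_file = None
    required = []
    for line in text.splitlines():
        parts = line.split()
        key = parts[0].lower() if parts else ""
        if key == "authuserfile" and len(parts) > 1:
            user_file = parts[1]
        elif key == "authgroupfile" and len(parts) > 1:
            group_file = parts[1]
        elif key == "require" and len(parts) > 2 and parts[1] == "group":
            required.extend(parts[2:])
    return user_file, group_file, required

def parse_group_file(text):
    """Map 'Name: member member ...' lines to {Name: [members]} (case-sensitive)."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = members.split()
    return groups

def parse_htpasswd(text):
    """Return the usernames from the 'user:hash' lines of an htpasswd file."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}

def check(htaccess, group_text, passwd_text):
    """Return a list of problems; an empty list means the three files agree."""
    user_file, group_file, required = parse_htaccess(htaccess)
    groups, users, problems = parse_group_file(group_text), parse_htpasswd(passwd_text), []
    for path in (user_file, group_file):
        if path and "/public_html/" in path:
            problems.append(f"{path} is inside public_html and therefore web-visible")
    for g in required:
        if g not in groups:
            problems.append(f"group {g!r} is not defined in the group file")
            continue
        problems += [f"{m!r} in group {g!r} has no password entry" for m in groups[g] if m not in users]
    return problems

# Constructed sample files mirroring the page's Jungle example; the hashes are placeholders.
HTACCESS = ('AuthUserFile /yourhome/passinfo/passwords\nAuthName "Jungle Financial Records"\n'
            'AuthType Basic\nAuthGroupFile /yourhome/passinfo/groups\nrequire group Jungle\n')
GROUPS = "Jungle: Tarzan Jane Cheetah\nTribes: Ngari Fred\n"
PASSWD = "Tarzan:$apr1$PLACEHOLDER\nJane:$apr1$PLACEHOLDER\n"
```

Run `check(HTACCESS, GROUPS, PASSWD)` on the sample: Cheetah is listed in the Jungle group but was never given a password with htpasswd, so the checker reports that member; once every member has an entry and the files live outside public_html, it returns an empty list.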

Secure Web Serving

Data sent over the net can easily be stolen. This includes the passwords that people are typing in to access your password-protected web pages. Those passwords are basically sent across the net in plain text.

All web pages on www.sandiego.edu can be served both securely and insecurely. Insecure serving is the default, since it is much faster. But if it is important that no one be able to steal those passwords, you can direct people to use the secure server. The URL for the secure server is exactly the same as the URL for the insecure server, but with ‘https’ at the front instead of ‘http’.

The single sign-on system does not require https, because it ensures that the password is sent over a secure connection regardless of whether the page is viewed as http or https. Insecure connections are often much faster than secure connections.
