Linux-Noob Forums
.htpasswd - Printable Version

+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: Linux Server Administration (https://www.linux-noob.com/forums/forum-8.html)
+--- Forum: LAMP (https://www.linux-noob.com/forums/forum-83.html)
+--- Thread: .htpasswd (/thread-232.html)



.htpasswd - anyweb - 2012-01-07

Is it possible to add another user/password to my already configured .htpasswd file?



.htpasswd - Dungeon-Dave - 2012-01-08


Yup.

Code:
htpasswd .htpwd myUserName

then it'll prompt for the password. Alternatively, use the -b option to specify both username and pass:

Code:
htpasswd -b .htpwd myUserName newPassword

Note - this presumes that your password file is ".htpwd" - just pop the relevant name in there.

Lastly, don't forget that Apache needs to be able to read this file to allow/deny users. I've had people set permissions to 600 and wonder why it doesn't work. Don't use 666 or 777 - 644 should be sufficient. For tighter security, set the group to the apache services account group (www-data or so) then set permissions to 640.

Go for it! (also, don't forget "tail -f" on your apache logfiles to show login/out information and diagnose issues).

nb: a new addition to the htpass file shouldn't require a restart of apache (nor a reboot) but you probably knew that anyway...
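The steps in the answer above (add or replace a user, keep the file readable by Apache but not by the world) as an added example in Python; this is not code from the thread or from the Apache project. It implements the MD5-based "$apr1$" scheme that `htpasswd -m` writes so the entries are interchangeable with the real tool (where your htpasswd supports `-B`, bcrypt is the better choice), rewrites the file atomically with mode 0640 as the post recommends, and leaves changing the group to www-data to the administrator since that needs root. The usernames, passwords and temp directory in `demo()` are constructed.

```python
# Added example (not the thread's code): manage an Apache htpasswd file from Python.
import hashlib
import os
import secrets
import tempfile

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    # Apache's base-64 variant: 6 bits at a time, least significant group first.
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password, salt=None):
    """Return "$apr1$<salt>$<hash>", the scheme apr_md5_encode / `htpasswd -m` produce."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    pw = password.encode("utf-8")
    sb = salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + MAGIC + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in the inner hash, up to 16 bytes per 16 bytes of password
        ctx.update(final[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # per-bit quirk of the original md5crypt design
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # 1000 stretching rounds with varying inputs
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$apr1$" + sb.decode("ascii") + "$" + out.decode("ascii")


def verify_password(password, stored):
    """Constant-time check of a candidate password against one "$apr1$" entry."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False                   # bcrypt / {SHA} / crypt entries are not handled here
    return secrets.compare_digest(apr1_hash(password, parts[2]), stored)


def set_user(path, user, password):
    """Add or replace one user; the file is rewritten atomically with mode 0640."""
    if not user or ":" in user or "\n" in user:
        raise ValueError("invalid username")
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            for line in f:
                line = line.rstrip("\n")
                if line and line.partition(":")[0] == user:
                    continue           # drop the old entry instead of appending a duplicate
                lines.append(line)
    lines.append(f"{user}:{apr1_hash(password)}")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".htpasswd.tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o640)               # owner rw, group r (chgrp to www-data needs root; done outside)
    os.replace(tmp, path)              # atomic swap: Apache never reads a half-written file


def check_password(path, user, password):
    """True if user is in the file and the password matches its entry."""
    with open(path, encoding="utf-8") as f:
        for line in f:
            name, _, stored = line.rstrip("\n").partition(":")
            if name == user:
                return verify_password(password, stored)
    return False


def demo():
    # Constructed walkthrough in a temp dir: add two users, rotate one, inspect the result.
    path = os.path.join(tempfile.mkdtemp(), ".htpwd")
    set_user(path, "alice", "first-password")
    set_user(path, "bob", "hunter2")
    set_user(path, "alice", "rotated-password")
    with open(path, encoding="utf-8") as f:
        body = f.read()
    return {
        "alice_new": check_password(path, "alice", "rotated-password"),
        "alice_old": check_password(path, "alice", "first-password"),
        "bob": check_password(path, "bob", "hunter2"),
        "unknown": check_password(path, "carol", "x"),
        "alice_entries": body.count("alice:"),
        "mode": os.stat(path).st_mode & 0o777,
    }


if __name__ == "__main__":
    print(demo())
```

Because the rewrite goes through a temp file and `os.replace`, a crash mid-write leaves the old file intact, and the 0640 mode is applied before the swap so the file is never briefly world-readable.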




.htpasswd - anyweb - 2012-01-08

thanks Dave, that worked great :)



.htpasswd - Dungeon-Dave - 2012-01-08


Sound!

nb: you probably know this, but htaccess authentication is not a fantastically secure method - even if you're using https, the username/pass combo is still sent as part of the URL (https://username:password@mysite.com/securearea) so those credentials could be sniffed out.




.htpasswd - anyweb - 2012-01-10

I didn't know that, ok so what's a better way and is it hard to setup?



.htpasswd - Dungeon-Dave - 2012-01-10


Firstly, if you're passing authentication credentials, they should be sent as POST query variables over https. This forum does it during login - pops up a login form for a user to enter credentials.

Successful login usually results in the client receiving a cookie containing some obfuscated information. The contents of these are read for each page request and compared against a lookup table that matches the cookie contents to a username, verifying the identity of the user. It's a standard authentication mechanism used by many sites.

I've hacked up some module that compares the identity and rank of a forum member to see if they have access to further directories - reusing forum credentials. The best part about that was that the admins could create a specific rank or privilege and I'd just check against that to permit access.

Note that all of this is for much tighter security. I run a site where entry is permitted against their static IP address or using a simple username/pass combo encoded in the page URL. It's not super-secret and users may give away their credentials, but it means I can track leaks back to specific individuals if it occurs.

I suppose the question is: just how secure do you want to make it?
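The cookie-plus-lookup-table mechanism and the rank-per-directory check described in the reply above, as an added Python example that is not the thread's code nor the module the poster mentions. The cookie carries only a random token; the server-side table maps it to a username and expiry, and a rank table (constructed here as `MEMBER_RANKS`, `DIR_REQUIREMENTS` and `RANK_ORDER`) decides which directory prefixes a member may enter. `SessionStore`, `authorize` and the sample users are assumptions for the example.

```python
# Added example (not the thread's code): opaque session cookie resolved through a
# server-side lookup table, plus a rank check per protected directory.
import secrets
import time
from http.cookies import SimpleCookie

# Constructed data: each member's forum rank and the rank each directory requires.
MEMBER_RANKS = {"alice": "admin", "bob": "member"}
DIR_REQUIREMENTS = {"/staff/": "admin", "/members/": "member"}
RANK_ORDER = ["guest", "member", "admin"]           # higher index = more privilege


class SessionStore:
    """Cookie value -> identity. The cookie holds a random token, never the username."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._table = {}                              # token -> {"user": ..., "expires": ...}

    def login(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)             # 256 random bits: not guessable or forgeable
        self._table[token] = {"user": username, "expires": now + self.ttl}
        return token   # reply with: Set-Cookie: session=<token>; Secure; HttpOnly; SameSite=Lax

    def lookup(self, token, now=None):
        """Username for a presented token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._table.get(token)
        if entry is None:
            return None
        if entry["expires"] < now:                    # expired sessions are dropped, not honoured
            del self._table[token]
            return None
        return entry["user"]

    def logout(self, token):
        self._table.pop(token, None)                  # server-side revocation: the cookie is now useless


def session_from_cookie_header(cookie_header):
    """Pull the session token out of a raw Cookie: header value, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["session"].value if "session" in jar else None


def authorize(store, cookie_header, path, now=None):
    """Return (allowed, username) for a request to `path` carrying `cookie_header`."""
    token = session_from_cookie_header(cookie_header)
    user = store.lookup(token, now) if token else None
    rank = MEMBER_RANKS.get(user, "guest")           # anonymous or unknown users are guests
    required = "guest"
    for prefix, needed in DIR_REQUIREMENTS.items():
        if path.startswith(prefix):
            required = needed
    return RANK_ORDER.index(rank) >= RANK_ORDER.index(required), user


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    tok = store.login("bob")
    print(authorize(store, "session=" + tok, "/members/index.html"))   # (True, 'bob')
    print(authorize(store, "session=" + tok, "/staff/index.html"))     # (False, 'bob')
```

Identity never leaves the server: a stolen or guessed cookie value that is not in the table resolves to "guest", an expired one is purged on first use, and `logout` invalidates the token server-side rather than relying on the browser to discard it. A new rank added by the admins only needs an entry in `DIR_REQUIREMENTS` and `RANK_ORDER`, which is the flexibility the post describes.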