Authentication: Introduction: Difference between revisions
m (→Summary)
(Moved to new category; Additional grammar and cleanup edits. Needs updating to later version structure.)
Latest revision as of 01:35, 22 June 2013
'''Authentication Introduction'''

For website security, let's take a detailed look at Apache's basic authentication. The Uniform Server already has the basic authentication structure in place. If you run "Apanel", under Configurations there are two links: "private server configuration" and "private secure server configuration". These links allow you to set a new user name and password for each server configuration.

Each root folder (ssl and www) contains a file named ".htaccess". Private server access is enabled by uncommenting four lines in these files. For convenience this tutorial starts with the private server configuration and shows how to modify this architecture to target specific folders and files. It concludes by showing how to secure these using SSL to encrypt names, passwords and content.
== Authentication directives ==

This series covers authentication directives and provides practical examples of their use. You can run each example on any of The Uniform Server systems; however, this tutorial was written for the Mona series (and will be updated soon).

'''''Directives'''''
{|
|-valign="top" style="background:#f5f5f5;"
|'''AuthName''' "restricted content"
|AuthName is the text displayed to a user. This is also referred to as the '''realm'''. It's important because the name references a collection of resources. After entering a valid name and password, a user has access to any other resources with an '''identical realm''' name (no need to re-enter name and password). You can use this to create areas which share the same username and password.
|-valign="top" style="background:#f5f5f5;"
|'''AuthType''' Basic
|AuthType informs Apache what protocol to use for authentication. The Uniform Server uses '''Basic'''. You can use the alternative, Digest; note that this is not covered in this series.
|-valign="top" style="background:#f5f5f5;"
|'''AuthUserFile''' /htpasswd/www/.htpasswd
|AuthUserFile informs Apache where to find the .htpasswd file, which contains name/password pairs.
|-valign="top" style="background:#f5f5f5;"
|'''AuthGroupFile''' /htpasswd/www/.htgroup
|AuthGroupFile informs Apache where to find the .htgroup file, which contains a list of groups and their associated users.
|-valign="top" style="background:#f5f5f5;"
|'''Require''' valid-user
|'''Require''' with the parameter '''valid-user''' informs Apache to validate against any user listed in the password file.
|-valign="top" style="background:#f5f5f5;"
|'''Require''' user {sub-list}
|'''Require''' with the parameter '''user''' {sub-list} informs Apache to validate against only the users listed in the sub-list, each of whom must also appear in the password file. This can be used together with Require group.
|-valign="top" style="background:#f5f5f5;"
|'''Require''' group name
|If the user {sub-list} becomes large, or you are using several .htaccess files with the same list of names, it's desirable to put the sub-list into the '''groups file'''. This allows you to use the '''Require''' line to restrict users to one or more particular groups. You can still target individual users with Require user.
|}
Although there are relatively few directives, they are very flexible, allowing you to produce complex access control structures. Basic authentication is easy to use; however, on its own it is insecure: names, passwords and content are sent in plain text over the Internet. Once the connection is secured with SSL, it becomes viable.
The remainder of this page looks at the current implementation on The Uniform Server.
== Private Server ==

Private refers to restricted access. To view any page a user must enter a name and password. This is enabled in the file www\'''.htaccess'''.

Locate these lines:

<pre>
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
</pre>

Uncomment them (remove the hash #) as shown:

<pre>
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
</pre>

Save the file, start the server and enter '''http://localhost''' into a browser. You should be challenged to enter a name and password. The defaults for both are '''root'''.
== Password file ==

The password file ('''.htpasswd''') must be located outside of the server root folder (www). This prevents access from the Internet.

The Uniform Server locates it one level above root. The directive '''AuthUserFile''' informs Apache where to find the file; the path /htpasswd/www/.htpasswd is a system (disk) path and not a URL path.

The file may contain any number of name/password pairs. If you wish to follow the examples, edit this file: UniServer\udrive\htpasswd\www\.htpasswd and add the name/password pairs as shown.

<pre>
root:root
John:john123
Dave Smith:dave123
Mike:mike123
Jane:jane123
Dawn:dawn123
Ruth Smith:ruth123
</pre>

'''''Note 1'':''' No carriage return at the end of the last line.

'''''Note 2'':''' Names can have spaces; however, never use spaces in passwords.

'''''Note 3'':''' Delete the first entry '''root:root''' (everyone knows this).

Save the file.

'''''Test'''''

Test each name/password pair (enter http://localhost into the browser).

'''''Note'':''' Before each test you must '''restart your browser''' (this breaks the link to the server); otherwise you will not be re-challenged for a name and password.
== Require valid-user and Require user ==

==== Require valid-user ====

The directive "'''Require valid-user'''" instructs Apache to allow anyone named in the password file to access the server on supplying their password.

You confirmed this in the above test.

==== Require user ====

Using the directive "'''Require user'''", we can individually name users from the password file. All others in that file will be denied access. (This example is not really practical, but it introduces the concept for later use.)

Edit UniServer\udrive\www\'''.htaccess''' and change the authentication block to look like this:

<pre>
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user John "Dave Smith"
</pre>

'''''Note'':''' Names with spaces must be enclosed in quotes as shown.

Test each name/password pair; remember to restart the browser for each test. Only John and Dave Smith are given access, while all others are denied.
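As an added example (not code from the Uniform Server wiki), the following Python models what Apache does with the directives above: it decodes the Authorization header a browser sends after the challenge (Basic only base64-encodes name:password, which is why the page insists on SSL), looks the name up in a constructed .htpasswd in the page's plain-text format, and then applies either Require valid-user or Require user with a quoted name containing a space. The function names and the sample file contents are assumptions for illustration.

```python
import base64
import hmac
import shlex

# Constructed sample .htpasswd in the plain-text name:password form used on the
# page (accepted by Apache on Windows). As in Note 1, no newline after the last entry.
HTPASSWD = "John:john123\nDave Smith:dave123\nMike:mike123\nRuth Smith:ruth123"


def parse_htpasswd(text):
    """Return {name: password}; names may contain spaces, the first ':' splits."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, password = line.partition(":")
            users[name] = password
    return users

def parse_require(line):
    """Parse 'Require valid-user' or 'Require user John "Dave Smith"' -> (kind, names).
    shlex keeps a quoted name with spaces as one token, which is why such names
    must be quoted in .htaccess."""
    parts = shlex.split(line)
    if len(parts) < 2 or parts[0] != "Require":
        raise ValueError("not a Require directive: " + line)
    if parts[1] == "valid-user":
        return "valid-user", set()
    if parts[1] == "user":
        return "user", set(parts[2:])
    raise ValueError("unsupported Require form: " + parts[1])

def basic_header(name, password):
    """Build the Authorization header a browser sends after the challenge."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def credentials_from_header(header):
    """Undo the header encoding; base64 is reversible, so this is not secrecy."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    name, _, password = base64.b64decode(token).decode().partition(":")
    return name, password

def is_authorized(header, htpasswd_text, require_line):
    """Authenticate against the password file, then authorize via Require."""
    creds = credentials_from_header(header)
    if creds is None:
        return False
    name, password = creds
    stored = parse_htpasswd(htpasswd_text).get(name)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return False
    kind, allowed = parse_require(require_line)
    return kind == "valid-user" or name in allowed
```

Anyone who can read the connection can run credentials_from_header on the captured header, which is the plain-text weakness the SSL section addresses.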
== SSL Private secure server ==

The above can be applied to the private secure server configuration.

# The root folder UniServer\udrive\ssl contains an identical .htaccess file, which you can modify as above.
# It also has a corresponding password file UniServer\udrive\htpasswd\ssl\.htpasswd where you can add name/password pairs.
# To perform tests, make sure you have first generated a server certificate. Type the following into your browser: '''https://localhost'''

'''''Note'':''' There is no real reason to have separate password files; it just makes it a little easier to distinguish between the two parts of the server, secure and non-secure.
== Summary ==

It's very rare that you would want to be so draconian and restrict access to the entire server. The above would achieve that if you really wanted to; however, it's really intended only to introduce the concept of a '''password file''' and of '''requiring''' a user from that file.

You are more likely to want to restrict access to specific directories (folders) and/or files, which is covered on the Directories page.

If you wish to follow the examples, set up a directory structure and .htaccess files as described on the next page (Preparation).

Ric