Authentication: Introduction

Revision as of 15:57, 23 April 2009 by Ric
Basic Authentication

Authentication Introduction

I thought it worthwhile taking a detailed look at Apache’s basic authentication. Uniform Server already has the basic authentication structure in place: if you run “Apanel”, under configurations there are two links, “private server configuration” and “private secure server configuration”, which allow you to set a new user name and password for each of the two server configurations.

Each root folder (ssl and www) contains a file named “.htaccess”; you enable private server access by un-commenting four lines in these files. For convenience this tutorial starts with the private server configuration and shows how to modify this architecture to target specific folders and files. It concludes by showing how to secure these using SSL to encrypt names, passwords and content.


Authentication directives

This tutorial covers the following authentication directives and provides practical examples of their use. You can run each example on any Uniform Server; however, this tutorial was written specifically for the Mona series.

Directives

AuthName "restricted content"
    AuthName sets the text displayed to a user. This is also referred to as the realm; it is important because the name references a collection of resources. A user who has entered a valid name and password has access to any other resources with an identical realm name (no need to re-enter name and password). You can use this to create areas which share the same username and password.

AuthType Basic
    AuthType informs Apache what protocol to use for authentication. Uniform Server uses Basic; you can use the alternative, Digest, but I do not cover this.

AuthUserFile /htpasswd/www/.htpasswd
    AuthUserFile informs Apache where to find the htpasswd file; this contains name/password pairs.

AuthGroupFile /htpasswd/www/.htgroup
    AuthGroupFile informs Apache where to find the .htgroup file; this contains a list of groups and their associated users.

Require valid-user
    Require with the parameter valid-user informs Apache to validate against any user listed in the password file.

Require user {sub-list}
    Require with the parameter user {sub-list} informs Apache to validate against only certain users listed in the password file. It can be used together with Require group.

Require group name
    If the user {sub-list} becomes large, or you are using several .htaccess files with the same list of names, it is desirable to put the sub-list into the groups file. This allows you to use the Require line to restrict users to one or more particular groups. You can still target individual users using Require user.

Although there are relatively few directives, they are very flexible, allowing you to produce complex access control structures. Basic authentication is easy to use; however, on its own it is totally insecure: names, passwords and content are sent in plain text over the Internet. That said, once secured with SSL it becomes viable.

The remainder of this page looks at the current implementation on Uniform Server.

Private Server

Private refers to restricted access: to view any pages a user must enter a name and password. To implement this it must be enabled in the file UniServer\udrive\www\.htaccess

Locate these lines:

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user

Uncomment them (remove the hash #) as shown:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Save the file, run the servers and enter http://localhost into a browser. You are challenged to enter a name and password; these are both root.


Password file

The password file (.htpasswd) must be located outside of the server root folder (www); this prevents access from the Internet.

Uniform Server locates it one level above root. The directive AuthUserFile informs Apache where to find the file; the path /htpasswd/www/.htpasswd is a system (disk) path and not a URL path.

The file may contain any number of name/password pairs. If you wish to follow the examples, edit the file UniServer\udrive\htpasswd\www\.htpasswd and add the name/password pairs as shown:

root:root
John:john123
Dave Smith:dave123
Mike:mike123
Jane:jane123
Dawn:dawn123
Ruth Smith:ruth123

Note 1: No carriage return at the end of the last line.

Note 2: Names can have spaces; however, never use spaces in passwords. Save the file.

Note 3: Delete the first entry root:root (everyone knows this).

Test

Test each name/password pair (enter http://localhost into the browser).

Note: Before each test you must restart your browser (this breaks the link to the server); otherwise you will not be re-challenged for a name and password.


Require valid-user and Require user

Require valid-user

The directive “Require valid-user” instructs Apache to allow anyone named in the password file access to the server on supplying their password.

You confirmed this in the above test.

Require user

Using the directive “Require user” we can individually name users from the password file; all others in that file are denied access. (This example is not really practical; it introduces the concept for later use.)

Edit UniServer\udrive\www\.htaccess and change the authentication block to look like this:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user John  "Dave Smith"

Note: Names with spaces must be enclosed in quotes as shown.

Test each name/password pair, remembering to restart the browser for each test. Only John and Dave Smith are given access; all others are denied.
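As an added example (not part of the original tutorial or of Uniform Server), the following Python models how the password file and the three Require forms from the directives table above fit together: it parses the tutorial's .htpasswd entries, a constructed .htgroup, and a Require line, including the quoted "Dave Smith" name, and decides whether a given name/password pair is granted access. It is a teaching model of the rule only; in Apache this work is done by the authentication and authorization modules, and htpasswd normally stores hashed rather than plaintext passwords.

```python
import shlex
# Constructed sample data: the tutorial's name/password pairs (plaintext,
# as on the page) and a small .htgroup in Apache's "group: member ..." layout.
HTPASSWD = """John:john123
Dave Smith:dave123
Mike:mike123
Jane:jane123
Dawn:dawn123
Ruth Smith:ruth123"""
HTGROUP = """admins: John Mike
editors: Jane Dawn"""


def parse_htpasswd(text):
    """Map user -> password; split on the first colon only so that names
    containing spaces (Dave Smith) survive intact."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, password = line.partition(":")
            users[name] = password
    return users


def parse_htgroup(text):
    """Map group -> set of member names listed after the colon."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def authorize(require, user, password, users, groups):
    """Evaluate one Require line as the tutorial describes: authenticate
    against the password file first, then apply valid-user / user / group."""
    if user not in users or users[user] != password:
        return False                      # unknown name or wrong password
    tokens = shlex.split(require)         # honours the "Dave Smith" quoting
    if len(tokens) < 2 or tokens[0] != "Require":
        raise ValueError("not a Require directive: %r" % require)
    kind, args = tokens[1], tokens[2:]
    if kind == "valid-user":
        return True                       # anyone in the password file
    if kind == "user":
        return user in args               # only the listed names
    if kind == "group":
        return any(user in groups.get(g, set()) for g in args)
    raise ValueError("unsupported Require type: %r" % kind)
```

Because root:root has been deleted as Note 3 advises, the well-known default pair is refused even under Require valid-user.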


SSL Private secure server

The above can be applied to a private secure server configuration.

  1. The root folder UniServer\udrive\ssl contains an identical .htaccess file, which you can modify as above.
  2. It also has a corresponding password file UniServer\udrive\htpasswd\ssl\.htpasswd where you can add name/password pairs.
  3. To perform tests, make sure you have first generated a server certificate. Type the following into your browser: https://localhost

Note: There is no real reason to have separate password files; it just makes it a little easier to distinguish between the two parts of the server, secure and non-secure.


Summary

It’s very rare that you would want to be so draconian and restrict access to the entire server. The above would achieve that if you really wanted to; however, it’s really intended to introduce the concept of a password file and of requiring a user from that file.

You are more likely to want to restrict access to specific directories (folders) and/or files, which is covered on this page.

If you wish to follow the examples, set up a folder structure and .htaccess files as described on the next page.



  Ric