Authentication: Introduction

Basic Authentication

Authentication Introduction

For Website security, let's take a detailed look at Apache’s basic authentication. The Uniform Server already has the basic authentication structure in place. If you run "Apanel" under configurations there are two links for "private server configuration" and "private secure server configuration". The links allow you to set a new user name and password for both server configurations.

Each root folder (ssl and www) contains a file named ".htaccess". Private server access is enabled by un-commenting four lines in these files. For convenience this tutorial starts with the private server configuration and shows how to modify this architecture to target specific folders and files. It concludes by showing how to secure these using SSL to encrypt names, passwords and content.

Authentication directives

This series covers authentication directives and provides practical examples of their use. You can run each example on any of The Uniform Server systems, however this tutorial was written for the Mona series (and will be updated soon).


Directives

AuthName "restricted content"                   AuthName text displayed to a user. This is also referred to as the realm. It's important because the name references a collection of resources. After entering a valid name and password, a user has access to any other resources with an identical realm name (no need to re-enter name and password). You can use this to create areas which share the same username and password.
AuthType Basic AuthType informs Apache what protocol to use for authentication. The Uniform Server uses Basic. You can use the alternative Digest. Note that this is not covered in this series.
AuthUserFile /htpasswd/www/.htpasswd AuthUserFile informs Apache where to find the .htpasswd file this contains name/password pairs.
AuthGroupFile /htpasswd/www/.htgroup AuthGroupFile, informs Apache where to find the .htgroup file this contains a list of groups and associated users.
Require valid-user Require parameter valid-user informs Apache to validate against any user listed in the password file.
Require user {sub-list} Require parameter user {sub-list} informs Apache to validate against only certain users listed in the password file. This can be used with Require group
Require group name If the user {sub-list} becomes large or you are using several .htaccess files with the same list of names, it's desirable to put the sub-list into the groups files. This allows you to use the require line to restrict users to one or more particular groups. You can still target individual users with Require user.

Although there are relatively few directives, they are very flexible allowing you to produce complex access control structures. Basic authentication is easy to use, however it suffers from being totally insecure. Names, passwords and content are sent in plain text over the Internet. That said, once secured with SSL, it becomes viable.

The remainder of this page looks at the current implementation on The Uniform Server.


Private Server

Private refers to restricted access. To view any page a user must enter a name and password. This is implemented by enabling it in file www\.htaccess.

Locate these lines:

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user

Uncomment (remove the hash #) as shown

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Save the file, run server and enter http://loalhost into a browser. You should be challenged to enter a name and password. The defaults for these are both root.


Password file

The password file (.htpasswd) must be located outside of the server root folder (www). This prevents access from the Internet.

The Uniform Server locates it one level above root. The directive AuthUserFile informs Apache where to find the file; the path /htpasswd/www/.htpasswd is a system (disk) path and not a URL path.

The file may contain any number of name password pairs. If you wish to follow the examples, edit this file: UniServer\udrive\htpasswd\www\.htpasswd and add the name password pairs as shown.

root:root
John:john123
Dave Smith:dave123
Mike:mike123
Jane:jane123
Dawn:dawn123
Ruth Smith:ruth123

Note 1: No carriage return at the end of the last line.

Note 2: Names can have spaces, however never use spaces in passwords.

Note 3: Delete the first entry root:root (everyone knows this) Save the file.

Test

Test each name/password pair (enter http://loalhost into browser)

Note: Before each test you must restart your browser (breaks the link to the server), otherwise you will not be re-challenged for a name and password.


Require valid-user and Require user

Require valid-user

The directive "Require valid-user" instructs Apache to allow anyone named in the password file to have access to the server on supplying their password.

You confirmed this in the above test.

Require user

Using the directive "Require user", we can individually name users in the password file. All others in that file will be denied access. (This example is not really practical, but it introduces the concept for later use).

Edit UniServer\udrive\www\.htaccess change the authentication block to look like this:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user John  "Dave Smith"

Note: Names with spaces must be enclosed in quotes as shown.

Test each name/password pair remember to re-start browser for each test. Only John and Dave Smith are given access while all others are denied.


SSL Private secure server

The above can be applied to a private secure server configuration.

  1. The root folder UniServer\udrive\ssl contains an identical .htaccess file this you can modify as above.
  2. It also has a corresponding password file UniServer\udrive\htpasswd\ssl\.htpasswd where you can add name/password pairs.
  3. To perform tests make sure you have first generated a server certificate. Type the following into your browser https://localhost

Note: There is no real reason to have separate password files; it just makes it a little easier to distinguish between the two parts of the server, secure and non-secure.


Summary

It’s very rare you would want to be so draconian and restrict access to the entire server. The above would achieve that if you really wanted to, however it’s really indented only to introduce the concept of a password file and require a user from that file.

You are more likely to want to restrict access to specific directories (folders) and or files covered on this page

If you wish to follow the examples, setup a directory structure and .htaccess files as describe on the next page.


  Ric