Authentication: Introduction: Difference between revisions

From The Uniform Server Wiki
Jump to navigation Jump to search
(Moved to new category; Additional grammar and cleanup edits. Needs updating to later version structure.)
 
Line 2: Line 2:
'''Authentication Introduction'''
'''Authentication Introduction'''


I thought it worthwhile taking a detailed look at Apache’s basic authentication.  
For Website security, let's take a detailed look at Apache’s basic authentication.  
Uniform Server already has the basic authentication structure is in place if you run “Apanel” under configurations there are two links for “private server configuration” and “private secure server configuration” the links allow you to set a new user name and password for both server configurations.
The Uniform Server already has the basic authentication structure in place. If you run "Apanel" under configurations there are two links for "private server configuration" and "private secure server configuration". The links allow you to set a new user name and password for both server configurations.


Each root folder (ssl and www) contains a file named .htaccess”, you enable private server access by un-commenting four lines in these files. For convenience this tutorial starts with the private server configuration and shows how to modify this architecture to target specific folders and files. Concludes by showing how to secure these using SSL to encrypt names, passwords and content.
Each root folder (ssl and www) contains a file named ".htaccess". Private server access is enabled by un-commenting four lines in these files. For convenience this tutorial starts with the private server configuration and shows how to modify this architecture to target specific folders and files. It concludes by showing how to secure these using SSL to encrypt names, passwords and content.


'''''[[#top | Top]]'''''
== Authentication directives ==
== Authentication directives ==
This tutorial will cover the following authentication directives and provide practical examples of their use. You can run each example on any Uniform Server however this tutorial was written specifically for the Mona series.   
This series covers authentication directives and provides practical examples of their use. You can run each example on any of The Uniform Server systems, however this tutorial was written for the Mona series (and will be updated soon).   
 


'''''Directives'''''
'''''Directives'''''
Line 15: Line 15:
|-valign="top" style="background:#f5f5f5;"
|-valign="top" style="background:#f5f5f5;"
|'''AuthName''' "restricted content"                  
|'''AuthName''' "restricted content"                  
|AuthName text displayed to a user. This is also referred to as the '''realm''' its important because the name references a collection of resources. A user after entering a valid name and password has access to any other resources with an '''identical realm''' name (no need to re-enter name and password). You can use this to create areas, which share the same username and password.
|AuthName text displayed to a user. This is also referred to as the '''realm'''. It's important because the name references a collection of resources. After entering a valid name and password, a user has access to any other resources with an '''identical realm''' name (no need to re-enter name and password). You can use this to create areas which share the same username and password.
|-valign="top" style="background:#f5f5f5;"
|-valign="top" style="background:#f5f5f5;"
|'''AuthType''' Basic
|'''AuthType''' Basic
|AuthType informs Apache what protocol to use for authentication. Uniform Server uses '''Basic''' you can use the alternative Digest note I do not cover this.
|AuthType informs Apache what protocol to use for authentication. The Uniform Server uses '''Basic'''. You can use the alternative Digest. Note that this is not covered in this series.
|-valign="top" style="background:#f5f5f5;"
|-valign="top" style="background:#f5f5f5;"
|'''AuthUserFile''' /htpasswd/www/.htpasswd
|'''AuthUserFile''' /htpasswd/www/.htpasswd
|[[#Password file |AuthUserFile]] informs Apache where to find the htpasswd file this contains name/password pairs.
|[[#Password file |AuthUserFile]] informs Apache where to find the .htpasswd file this contains name/password pairs.
|-valign="top" style="background:#f5f5f5;"
|-valign="top" style="background:#f5f5f5;"
|'''AuthGroupFile''' /htpasswd/www/.htgroup
|'''AuthGroupFile''' /htpasswd/www/.htgroup
Line 30: Line 30:
|-valign="top" style="background:#f5f5f5;"
|-valign="top" style="background:#f5f5f5;"
|'''Require''' user {sub-list}
|'''Require''' user {sub-list}
|'''Require''' parameter '''[[#Require user|user]]''' {sub-list} informs Apache to validate against only certain users listed in the password file. Can be used with Require group
|'''Require''' parameter '''[[#Require user|user]]''' {sub-list} informs Apache to validate against only certain users listed in the password file. This can be used with Require group
|-valign="top" style="background:#f5f5f5;"
|-valign="top" style="background:#f5f5f5;"
|'''Require''' group name
|'''Require''' group name
|If the user {sub-list} becomes large or you are using several .htaccess files with the same list of names its desirable to put the sub-list into the [[Authentication: Groups|'''groups files''']]. This allows you to use the require line to restrict users to one or more particular groups. You can still target individual users using Require user.
|If the user {sub-list} becomes large or you are using several .htaccess files with the same list of names, it's desirable to put the sub-list into the [[Authentication: Groups|'''groups files''']]. This allows you to use the '''require''' line to restrict users to one or more particular groups. You can still target individual users with Require user.
|}
|}
Although there are relatively few directives they are very flexible allowing you to produce complex access control structures. Basic authentication is easy to use however it suffers from being totally insecure names; passwords and content are sent in plain text over the Internet. That said once secured with SSL it becomes viable.
Although there are relatively few directives, they are very flexible allowing you to produce complex access control structures. Basic authentication is easy to use, however it suffers from being totally insecure. Names, passwords and content are sent in plain text over the Internet. That said, once secured with SSL, it becomes viable.
 
The remainder of this page looks at the current implementation on The Uniform Server.


Remainder of this page looks at the current implementation on Uniform Server
'''''[[#top | Top]]'''''


== Private Server ==
== Private Server ==
Private is referring to restricted access, to view any pages a user must enter a name and password, to implement this it must be enabled in file UniServer\udrive\www\'''.htaccess'''
Private refers to restricted access. To view any page a user must enter a name and password. This is implemented by enabling it in file www\'''.htaccess'''.


Locate these lines:
Locate these lines:
Line 57: Line 57:
Require valid-user
Require valid-user
</pre>  
</pre>  
Save the file, run servers and enter '''<nowiki>http://loalhost</nowiki>''' into a browser.
Save the file, run server and enter '''<nowiki>http://loalhost</nowiki>''' into a browser.
You are challenged to enter a name and password these are both '''root'''.
You should be challenged to enter a name and password.  The defaults for these are both '''root'''.


'''''[[#top | Top]]'''''


== Password file ==
== Password file ==
The password file ('''.htpasswd''') must be located outside of the server root folder (www) this prevents access from the Internet.
The password file ('''.htpasswd''') must be located outside of the server root folder (www). This prevents access from the Internet.


Uniform Server locates it one level above root. The directive  '''AuthUserFile''' informs Apache where to find the file, the path /htpasswd/www/.htpasswd is a system (disk) path and not a URL path.   
The Uniform Server locates it one level above root. The directive  '''AuthUserFile''' informs Apache where to find the file; the path /htpasswd/www/.htpasswd is a system (disk) path and not a URL path.   


The file may contain any number of name password pairs. If you wish to follow the examples edit this file  UniServer\udrive\htpasswd\www\.htpasswd and add the name password pairs as shown:
The file may contain any number of name password pairs. If you wish to follow the examples, edit this file: UniServer\udrive\htpasswd\www\.htpasswd and add the name password pairs as shown.
<pre>
<pre>
root:root
root:root
Line 79: Line 78:
'''''Note 1'':''' No carriage return at the end of the last line.
'''''Note 1'':''' No carriage return at the end of the last line.


'''''Note 2'':''' Names can have spaces however never use spaces in passwords.
'''''Note 2'':''' Names can have spaces, however never use spaces in passwords.
Save the file.


'''''Note 3'':''' Delete the first entry '''root:root''' (everyone knows this)
'''''Note 3'':''' Delete the first entry '''root:root''' (everyone knows this)
Save the file.


'''''Test'''''
'''''Test'''''
Line 88: Line 87:
Test each name/password pair (enter <nowiki>http://loalhost</nowiki> into browser)
Test each name/password pair (enter <nowiki>http://loalhost</nowiki> into browser)


'''''Note'':''' Before each test you must '''restart your browser''' (breaks link to server) otherwise you will not be re-challenged for a name and password.
'''''Note'':''' Before each test you must '''restart your browser''' (breaks the link to the server), otherwise you will not be re-challenged for a name and password.


'''''[[#top | Top]]'''''


== Require valid-user and Require user ==
== Require valid-user and Require user ==


==== Require valid-user ====
==== Require valid-user ====
The directive '''Require valid-user'''instructs Apache to allow anyone named in the password file to have access to the server on supplying their password.
The directive "'''Require valid-user'''" instructs Apache to allow anyone named in the password file to have access to the server on supplying their password.


You confirmed this in the above test.
You confirmed this in the above test.


==== Require user ====
==== Require user ====
Using the directive '''Require user'''we can individually name users in the password file. All others in that file will be denied access. (This example is not really practical it introduces the concept for later use)  
Using the directive "'''Require user'''", we can individually name users in the password file. All others in that file will be denied access. (This example is not really practical, but it introduces the concept for later use).


Edit UniServer\udrive\www\'''.htaccess''' change the authentication block to look like this:
Edit UniServer\udrive\www\'''.htaccess''' change the authentication block to look like this:
Line 113: Line 111:
Test each name/password pair remember to re-start browser for each test. Only John and Dave Smith are given access while all others are denied.
Test each name/password pair remember to re-start browser for each test. Only John and Dave Smith are given access while all others are denied.


'''''[[#top | Top]]'''''


== SSL Private secure server ==
== SSL Private secure server ==
Line 122: Line 119:
# To perform tests make sure you have first generated a [[4.0-Mona: Enable SSL#Creating a new server certificate and key|server certificate]]. Type the following into your browser '''<nowiki>https://localhost</nowiki> '''  
# To perform tests make sure you have first generated a [[4.0-Mona: Enable SSL#Creating a new server certificate and key|server certificate]]. Type the following into your browser '''<nowiki>https://localhost</nowiki> '''  


'''''Note'':''' There is no real reason to have separate password files, just makes it a little easier to distinguish between the two parts of the server secure and non-secure.
'''''Note'':''' There is no real reason to have separate password files; it just makes it a little easier to distinguish between the two parts of the server, secure and non-secure.


'''''[[#top | Top]]'''''


== Summary ==
== Summary ==
It’s very rare you would want to be so draconian and restrict access to the entire server. The above would achieve that if you really wanted to however it’s really indented to introduce the concept of a '''password file''' and '''require''' a user from that file.
It’s very rare you would want to be so draconian and restrict access to the entire server. The above would achieve that if you really wanted to, however it’s really indented only to introduce the concept of a '''password file''' and '''require''' a user from that file.
 
You are more likely want to restrict access to specific directories (folders) and or files covered on this [[Authentication: Directories| page]]


If you wish to follow the examples setup a folder structure and .htaccess files as describe on the [[Authentication: Preparation | next page]].
You are more likely to want to restrict access to specific directories (folders) and or files covered on this [[Authentication: Directories| page]]


'''''[[#top | Top]]'''''
If you wish to follow the examples, setup a directory structure and .htaccess files as describe on the [[Authentication: Preparation | next page]].


----
----
Line 141: Line 135:
|}
|}


[[Category: Uniform Server 4.0-Mona]]
[[Category: Apache Configuration]]
[[Category: UniCenter]]

Latest revision as of 01:35, 22 June 2013

Basic Authentication

Authentication Introduction

For Website security, let's take a detailed look at Apache’s basic authentication. The Uniform Server already has the basic authentication structure in place. If you run "Apanel" under configurations there are two links for "private server configuration" and "private secure server configuration". The links allow you to set a new user name and password for both server configurations.

Each root folder (ssl and www) contains a file named ".htaccess". Private server access is enabled by un-commenting four lines in these files. For convenience this tutorial starts with the private server configuration and shows how to modify this architecture to target specific folders and files. It concludes by showing how to secure these using SSL to encrypt names, passwords and content.

Authentication directives

This series covers authentication directives and provides practical examples of their use. You can run each example on any of The Uniform Server systems, however this tutorial was written for the Mona series (and will be updated soon).


Directives

AuthName "restricted content"                   AuthName text displayed to a user. This is also referred to as the realm. It's important because the name references a collection of resources. After entering a valid name and password, a user has access to any other resources with an identical realm name (no need to re-enter name and password). You can use this to create areas which share the same username and password.
AuthType Basic AuthType informs Apache what protocol to use for authentication. The Uniform Server uses Basic. You can use the alternative Digest. Note that this is not covered in this series.
AuthUserFile /htpasswd/www/.htpasswd AuthUserFile informs Apache where to find the .htpasswd file this contains name/password pairs.
AuthGroupFile /htpasswd/www/.htgroup AuthGroupFile, informs Apache where to find the .htgroup file this contains a list of groups and associated users.
Require valid-user Require parameter valid-user informs Apache to validate against any user listed in the password file.
Require user {sub-list} Require parameter user {sub-list} informs Apache to validate against only certain users listed in the password file. This can be used with Require group
Require group name If the user {sub-list} becomes large or you are using several .htaccess files with the same list of names, it's desirable to put the sub-list into the groups files. This allows you to use the require line to restrict users to one or more particular groups. You can still target individual users with Require user.

Although there are relatively few directives, they are very flexible allowing you to produce complex access control structures. Basic authentication is easy to use, however it suffers from being totally insecure. Names, passwords and content are sent in plain text over the Internet. That said, once secured with SSL, it becomes viable.

The remainder of this page looks at the current implementation on The Uniform Server.


Private Server

Private refers to restricted access. To view any page a user must enter a name and password. This is implemented by enabling it in file www\.htaccess.

Locate these lines:

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user

Uncomment (remove the hash #) as shown

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Save the file, run server and enter http://loalhost into a browser. You should be challenged to enter a name and password. The defaults for these are both root.


Password file

The password file (.htpasswd) must be located outside of the server root folder (www). This prevents access from the Internet.

The Uniform Server locates it one level above root. The directive AuthUserFile informs Apache where to find the file; the path /htpasswd/www/.htpasswd is a system (disk) path and not a URL path.

The file may contain any number of name password pairs. If you wish to follow the examples, edit this file: UniServer\udrive\htpasswd\www\.htpasswd and add the name password pairs as shown.

root:root
John:john123
Dave Smith:dave123
Mike:mike123
Jane:jane123
Dawn:dawn123
Ruth Smith:ruth123

Note 1: No carriage return at the end of the last line.

Note 2: Names can have spaces, however never use spaces in passwords.

Note 3: Delete the first entry root:root (everyone knows this) Save the file.

Test

Test each name/password pair (enter http://loalhost into browser)

Note: Before each test you must restart your browser (breaks the link to the server), otherwise you will not be re-challenged for a name and password.


Require valid-user and Require user

Require valid-user

The directive "Require valid-user" instructs Apache to allow anyone named in the password file to have access to the server on supplying their password.

You confirmed this in the above test.

Require user

Using the directive "Require user", we can individually name users in the password file. All others in that file will be denied access. (This example is not really practical, but it introduces the concept for later use).

Edit UniServer\udrive\www\.htaccess change the authentication block to look like this:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user John  "Dave Smith"

Note: Names with spaces must be enclosed in quotes as shown.

Test each name/password pair remember to re-start browser for each test. Only John and Dave Smith are given access while all others are denied.


SSL Private secure server

The above can be applied to a private secure server configuration.

  1. The root folder UniServer\udrive\ssl contains an identical .htaccess file this you can modify as above.
  2. It also has a corresponding password file UniServer\udrive\htpasswd\ssl\.htpasswd where you can add name/password pairs.
  3. To perform tests make sure you have first generated a server certificate. Type the following into your browser https://localhost

Note: There is no real reason to have separate password files; it just makes it a little easier to distinguish between the two parts of the server, secure and non-secure.


Summary

It’s very rare you would want to be so draconian and restrict access to the entire server. The above would achieve that if you really wanted to, however it’s really indented only to introduce the concept of a password file and require a user from that file.

You are more likely to want to restrict access to specific directories (folders) and or files covered on this page

If you wish to follow the examples, setup a directory structure and .htaccess files as describe on the next page.


Ric