www-authentication

need some help here

         

PsychoTekk

9:28 am on Jul 6, 2002 (gmt 0)

10+ Year Member



okay, i want to secure a subfolder of my domain using
www-authentication.

.htaccess looks like this
(where /auth/ is the folder to be secured):


AuthType Basic
AuthName 'Restricted Area'
AuthUserFile '/auth/.htpasswd'
require valid-user

i read that .htpasswd has to be in the directory that shall be secured,
so i put it in the /auth/ folder.

now i have two problems:
1st: no matter where my .htpasswd file is, the entire domain
is secured. what can i do to just secure the auth folder?

2nd: the password is incorrect.
username is "Aladdin", password is "open sesame"
so base64 encoded "Aladdin:open sesame" would be
"QWxhZGRpbjpvcGVuIHNlc2FtZQ==".

i tried

Aladdin:QWxhZGRpbjpvcGVuIHNlc2FtZQ==
but it doesn't work.
QWxhZGRpbjpvcGVuIHNlc2FtZQ==
doesn't work either.

what did i do wrong here?

Nick_W

9:37 am on Jul 6, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why not put /auth/ above the root http dir, then you've no need to worry about users finding it...

Nick

PsychoTekk

10:01 am on Jul 6, 2002 (gmt 0)

10+ Year Member



the webserver in question ain't mine

scotty

10:46 am on Jul 7, 2002 (gmt 0)

10+ Year Member



You need to put the .htaccess in the directory to be secured (or password protected). For example, putting .htaccess

AuthType Basic
AuthName RestrictedArea
AuthUserFile .htpasswd
Require valid-user

in the auth/ directory, together with the .htpasswd file.

As for the encoding of .htpasswd, it depends on the operating system and the web server you are using, but most Apache providers can take Unix crypt and md5 digest form, i.e. the base64 is *not* correct. For example, the same password with crypt will be...


Aladdin:azIy8ykyDKDrY

Note that Unix crypt only makes sense for password length less than 8 characters, and md5 digest password might not be supported on all systems.
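An added example, not part of the original thread or any poster's code: a small Python lint for .htpasswd lines that flags the mistake discussed above (storing the base64 "user:password" string that belongs in the HTTP Authorization header) and labels the hash scheme of each entry by its prefix. The function names and scheme labels are this example's own; the sample lines are constructed from values quoted in the thread.

```python
import base64
import re

# Constructed sample .htpasswd content; the first three values are quoted in the thread.
SAMPLE = """\
Aladdin:QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Aladdin:azIy8ykyDKDrY
Psycho:$1$sNRTsyEd$LaSCKYAccHbKJcTO4/vZ21
bare-line-without-colon
"""

# Traditional DES crypt output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def decodes_to_credentials(user, field):
    """True if field is base64 of 'user:password', i.e. the wire encoding of Basic auth."""
    try:
        decoded = base64.b64decode(field, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return False
    return decoded.startswith(user + ":")


def classify(line):
    """Return (user, scheme) for one .htpasswd line."""
    user, sep, field = line.strip().partition(":")
    if not sep or not user or not field:
        return (user or None, "malformed: expected user:hash")
    if decodes_to_credentials(user, field):
        return (user, "base64 of user:password (wire encoding, not a hash)")
    if field.startswith("$apr1$"):
        return (user, "Apache MD5 (apr1)")
    if field.startswith("$1$"):
        return (user, "MD5 crypt ($1$), needs crypt() support on the host")
    if field.startswith("{SHA}"):
        return (user, "SHA-1")
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return (user, "bcrypt")
    if DES_CRYPT.match(field):
        return (user, "traditional DES crypt")
    return (user, "unrecognised (plaintext on some platforms)")


def audit(text):
    """Classify every non-empty line of an .htpasswd file's text."""
    return [classify(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(user, "->", scheme)
```
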

PsychoTekk

4:19 pm on Jul 7, 2002 (gmt 0)

10+ Year Member



great thanks :)

<added>
hmmm, works okay now except that
it still won't accept the login :(

username: Psycho
password: Psycho

.htpasswd: Psycho:$1$sNRTsyEd$LaSCKYAccHbKJcTO4/vZ21

am i stupid or what?

scotty

9:24 pm on Jul 7, 2002 (gmt 0)

10+ Year Member



Sounds like your host does not do md5 digest for the .htpasswd (a password starting with $1 is suspiciously an md5 digest). Try to use Unix crypt for your password. It can be easily done with Perl.

$ perl -e "print crypt('secret password', 'seed');"

'seed' is a random two character string.

PsychoTekk

7:57 am on Jul 8, 2002 (gmt 0)

10+ Year Member



thanks scotty, you are right, auth_digest is not supported.
but why is this login (user Psycho/pw Psycho)
Psycho:PskPM/KQgKSrM
using basic auth not accepted?

i also tried to test authentication at home (Apache/2.0.39 (Win32)),
the necessary modules loaded, neither basic nor md5 works:
http*//localhost/auth/ returns a 403 in both cases without asking for a pw
(no authentication request in the http header), and
http*//localhost/auth/test.htm gives me test.htm, also without asking for a pw

scotty

4:06 am on Jul 10, 2002 (gmt 0)

10+ Year Member



Sounds like your Apache server is not set up correctly, because it should reply 401 to ask for authentication, instead of replying 403 saying it is forbidden. Usually 403 is caused by the wrong permission in your directory or file, i.e. the whole directory is not readable/executable by the web server. However, I doubt that because you are running Apache on a Windoze box...

Sorry mate, can't help. But I think it does not even get into mod_auth yet because of the permission problem.

PsychoTekk

7:45 am on Jul 10, 2002 (gmt 0)

10+ Year Member



thanks anyways, at least now i can tell the difference
between md5 and basic passwords and i know that basic
ain't base64 encryption... i'll keep on trying to set
that stuff up :)