httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
Date Wed, 10 Sep 2003 20:03:55 GMT
> ----- Original Message ----- 
> From: David
> To: users@httpd.apache.org
> Sent: Tuesday, September 09, 2003 2:55 PM
> Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
>
>
>
> Hi !!
>
> Many thanks for your prompt reply.
>
> > "Safety is a relative thing... but in this case, outside htdocs could mean
> > something like making a new folder, "\Apache Group\Apache2\private", and
> > restricting access to that folder and each file therein (i.e. read/write
> > access only by the user that the web server runs as)."
>
> Does this mean that when I restrict access to that folder, only the physical
> user on my computer which my webserver is running on will be able to
> access these files, in my case, the password file?
>
> I am under the impression that any document that is OUTSIDE the root document
> folder (in my case the htdocs folder) will not be accessible by ANY visitors of
> my website. So, putting the password OUTSIDE the htdocs folder is safe.
>
> I apologise for the confusion.

Well, safety is relative to the safety of Apache, and of all the Windows
DLLs and APIs and stuff that Apache relies upon to operate, but which do not
come from the Apache Group.  I remember a friend last year who made use of a
vulnerability in Apache or other DLLs.  It was a "Directory Traversal
Exploit" or something like that.  Using escaped sequences (%25%NN%NN%NN,
etc.), he was able to step outside the "htdocs" (or whatever folder was
specified as the DocumentRoot), and even look at files on other hard drives
and network mapped drives.  So I say it's "safe" above htdocs as long as
there's no exploit being used.  ;-)

> My next enquiry.
> > "I'm not sure if there's a way to allow only specific files.  There was a
> > similar discussion about this last week.  For you, basically, put all the
> > restricted files into the same folder, and put an .htaccess there.  Like
> > "\Apache Group\Apache2\htdocs\protected\" which has your .htaccess."
>
> I am not too familiar with the .htaccess issue. Is it a file ?
> or a directive? Many thanks for your time and attention.

"Damn it Jim I'm a doctor not a brick layer!"  Sorry, couldn't help myself.

The directives can exist in one of two contexts: within a <Directory> block,
or, if you specify AllowOverride AuthConfig, in .htaccess files.  The
difference: if it's in the <Directory> block within httpd.conf, then any
changes (i.e. .htpasswd file location, realm name specified by AuthName)
require a server restart to pick up the changes.  If it's in an .htaccess
file, it's read on the fly, so it can be modified and the changes picked up
without a server restart.

Like this:

<Directory "C:\path\to\htdocs\protected">
    Options None
    # Auth settings live in httpd.conf: any change here needs a server restart.
    AuthUserFile "C:\path\to\private\.htpasswd"
    AuthName "protected area"
    AuthType Basic
    Require valid-user
</Directory>

Or this:

<Directory "C:\path\to\htdocs\protected">
    Options None
    # Let the .htaccess in this folder supply the Auth* directives (read per request).
    AllowOverride AuthConfig
</Directory>

C:\path\to\htdocs\protected\.htaccess:

AuthUserFile "C:\path\to\private\.htpasswd"
AuthName "protected server"
AuthType Basic
Require valid-user

> Regards
> David

Leif
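The thread never identifies the exploit Leif's friend used, so nothing below is an Apache bug or Apache code. It is an added example of the general mechanism behind the "%25%NN" sequences he mentions: %25 is an encoded "%", so a request path that a server checks after decoding once can still hide ".." and "/" that only appear on a second decode. The DocumentRoot and the private file are hypothetical POSIX-style stand-ins for the "\Apache Group\Apache2\htdocs" and "...\private\.htpasswd" layout discussed in the thread; the two server models and the request list are constructed for the example.

```python
"""Added example, not from the thread: why '%25%NN' sequences matter.

Models a server that validates a request path after ONE URL-decode but decodes
it AGAIN (or hands the still-encoded name to a layer that decodes) before
opening the file, beside a version that validates the path it actually opens.
Paths are hypothetical stand-ins for the thread's htdocs / private layout.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/apache2/htdocs"            # hypothetical DocumentRoot
# /srv/apache2/private/.htpasswd is the password file kept outside DOCROOT.


def resolve(docroot, url_path):
    """Map a decoded URL path onto the filesystem and collapse '.' and '..'."""
    return posixpath.normpath(docroot + "/" + url_path.lstrip("/"))


def inside(docroot, fs_path):
    """True if fs_path is docroot itself or lies underneath it."""
    docroot = docroot.rstrip("/")
    return fs_path == docroot or fs_path.startswith(docroot + "/")


def naive_open_path(raw_url_path, docroot=DOCROOT):
    """Check after one decode, then decode again before opening (the bug).

    Returns (allowed, filesystem path that would actually be opened)."""
    once = unquote(raw_url_path)                 # %25 -> '%', %2e -> '.', ...
    if not inside(docroot, resolve(docroot, once)):
        return False, None
    twice = unquote(once)                        # '%2f' left by pass one -> '/'
    return True, resolve(docroot, twice)


def hardened_open_path(raw_url_path, docroot=DOCROOT):
    """Decode exactly once, refuse input that would change under a second
    decode, and validate the very path that gets opened."""
    once = unquote(raw_url_path)
    if unquote(once) != once:                    # still encoded after one pass
        return False, None
    if "\\" in once or "\x00" in once:           # alternate separator / NUL
        return False, None
    target = resolve(docroot, once)
    if not inside(docroot, target):
        return False, None
    return True, target


# Constructed requests: a normal page, a single-encoded traversal (caught by
# both models), and two double-encoded ones (the '%25%NN' form Leif mentions).
REQUESTS = [
    "/protected/index.html",
    "/protected/..%2f..%2fprivate/.htpasswd",
    "/%252e%252e/private/.htpasswd",
    "/protected/..%252f..%252fprivate%252f.htpasswd",
]


def compare(raw_url_path):
    """Return {'naive': (allowed, path), 'hardened': (allowed, path)}."""
    return {"naive": naive_open_path(raw_url_path),
            "hardened": hardened_open_path(raw_url_path)}


if __name__ == "__main__":
    for req in REQUESTS:
        r = compare(req)
        print(f"{req}\n  naive    -> {r['naive']}\n  hardened -> {r['hardened']}")
```

The rule the hardened version applies is the one that matters regardless of server: decode once, reject anything a second decode would change, and run the DocumentRoot containment test on the path that will actually be opened, never on an earlier form of it.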

-----Original Message-----
From: Leif W [mailto:warp-9.9@usa.net]
Sent: Thursday, September 11, 2003 2:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password

----- Original Message ----- 
From: "David" <amdawong@starhub.net.sg>
To: <users@httpd.apache.org>
Sent: Tuesday, September 09, 2003 2:23 PM
Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password


> Dear Leif,
>
> Many thanks for your mail. I followed your instructions and the
> authentication works like wonder! Now I have a basic authentication
> service for my webserver!
>
> However, I have a few queries pertaining to the security of my password
> file and its integrity.
>
> 1. You mentioned that my password file should be " outside your web or
> DocumentRoot folders". My webfolder is the standard default folder that
> comes along with apache webserver (i.e. in the \Apache
> Group\Apache2\htdocs).
> I placed my password file OUTSIDE that folder. Is it safe enough ?

Safety is a relative thing... but in this case, outside htdocs could mean
something like making a new folder, "\Apache Group\Apache2\private", and
restricting access to that folder and each file therein (i.e. read/write
access only by the user that the web server runs as).

> 2. I am now able to put an authentication system on my entire webserver.
>
> I do not need to protect my entire website with password. I only need to
> restrict access to a particular few pages in my website with password
> authentication. How can I do it ?

I'm not sure if there's a way to allow only specific files.  There was a
similar discussion about this last week.  For you, basically, put all the
restricted files into the same folder, and put an .htaccess there.  Like
"\Apache Group\Apache2\htdocs\protected\" which has your .htaccess.

Also note, with the basic authentication mechanism, the username and
password are sent in clear-text over the internet, so if you're using this
for anything other than on your LAN, you'll likely want to look into
something more secure, like setting up Apache with SSL.  Not sure how to do
this on Windows, because the standard Apache binary .msi packages have no SSL
built in (probably due to export restrictions), so you'd have to find a copy
that someone builds (and be sure that it's safe to use), or compile Apache
from source (trivial in Linux/FreeBSD standard installs, non-trivial in
Windows standard installs).  This was also in the archives; someone may have
posted a URL to some precompiled win32 binaries with SSL.

Leif

> Many thanks once again.
>
> Warmest Regards
> David
>
> -----Original Message-----
> From: Leif W [mailto:warp-9.9@usa.net]
> Sent: Thursday, September 11, 2003 1:34 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
>
> Hello,
>
> Check out mod_auth docs.
> http://httpd.apache.org/docs-2.0/mod/mod_auth.html
> and the core docs for AuthType and Require directives.
>
> Use the htpasswd program to generate usernames and passwords in an .htpasswd
> file.  Type htpasswd with no args to see usage.  Make sure your PATH has the
> "C:\Program Files\Apache Group\Apache2\bin" folder.
>
> Create a new .htpasswd file:
>
> htpasswd -c \path\to\.htpasswd user1
> password prompts: user1
>
> Add a new user to existing file:
>
> htpasswd \path\to\.htpasswd user2
> password prompts: user2
>
> .htpasswd file looks like this:
> user1:$apr1$4r0.....$UhfqMbRX/Hm/zIapnQnes.
> user2:$apr1$ar0.....$KVQb4b../XWSGjV2nPSOJ/
>
> Put it in a safe place outside your web or DocumentRoot folders.
>
> Choose if you're going to put your Auth stuff in a Directory block, or use
> AllowOverride AuthConfig, and put an .htaccess into the folder to protect.
>
> Directory or .htaccess Directives used (very simple):
>
> AuthUserFile "\path\to\.htpasswd"
> AuthName "protected server"
> AuthType Basic
> Require valid-user
>
>
>
>
> ----- Original Message ----- 
> From: "David" <amdawong@starhub.net.sg>
> To: <users@httpd.apache.org>
> Sent: Tuesday, September 09, 2003 1:01 PM
> Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
>
>
> Hello Brian!!
>
> I would like to implement a basic authentication system using my apache.
> You mentioned that you managed to get the security to
>
> "work via .htaccess, as well as just using <Directory> access via the
> httpd.conf file".
>
> Can you elaborate a little more?? I would like to do the same. I am using
> Windows XP.
>
> Regards,
> David
>
> -----Original Message-----
> From: Brian Gulizia [mailto:brian.gulizia@complexlit.com]
> Sent: Thursday, September 11, 2003 12:07 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
>
> Hello,
> I have a server that is running Redhat 9.0, and the Apache web server
> that came with it. I am currently working on the security for a website
> using basic authentication. I have been able to successfully get the
> security to work via .htaccess, as well as just using <Directory> access
> via the httpd.conf file.
> However in testing I've found that, while you will only gain access to
> the protected directory by entering the password, you can also put a
> bunch of extra characters after the password and it will still allow
> access.
> I've searched the web, as well as the documentation, and couldn't find
> anything mentioning this caveat. Is this normal, or is there something
> that perhaps I've missed in my setup that could be causing this?
> Thanks,
> Brian Gulizia
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

