# httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
Date Thu, 11 Sep 2003 01:39:31 GMT

Plain text please!  Now I have no arrows in my response... *grumble*  Adding
by hand.  (sorry if you get this twice, forgot to send to list before I
think).

> ----- Original Message -----
> From: David
> To: warp-9.9@usa.net
> Sent: Tuesday, September 09, 2003 9:23 PM
> Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at
> the end of the password
>
>
> Hi Leif,
>
> I made some changes to my conf file as suggested but I get the following
> error. I suspect it has something to do with my directory name having
> spaces in between.
>
> However, it could also be that I did not understand your suggestions on
> how to edit the conf file properly.
>
> The following is an extract (exact text as in "cut and paste" from the
> conf file) of entries in my conf file.
>
>
> <Directory "C:/Program Files/Apache Group/Apache2/htdocs/OGGradPics">
>     Options None
>     AllowOverride AuthConfig
> </Directory>

This looks OK.

> C:\Program Files\Apache Group\Apache2\htdocs\OGGradPics:

This doesn't go into the config; I was just referring to the contents of the
.htaccess file.  So create a file C:\Program Files\Apache
Group\Apache2\htdocs\OGGradPics\.htaccess with the following contents.

> AuthUserFile "C:\.htpasswd"
> AuthName "protected server"
> AuthType Basic
> Require valid-user

The above (minus my >s) goes into the aforementioned .htaccess file.  Got
the hang of it now?

Leif

> After I saved this file and I tried to run it. I get the following errors
> from the test configuration tool.
>
>
> Syntax error on line 324 of C:/Program Files/Apache
> Group/Apache2/conf/httpd.conf:
> Invalid command 'C:\Program Files\Apache Group\Apache2\htdocs\OGGradPics',
> perhaps mis-spelled or defined by a module not included in the server
> configuration
>
>
> I hope you can shed some light on how can I correct the error.
>
> Many thanks!
>
> Regards
> David
-----Original Message-----
From: Leif W [mailto:warp-9.9@usa.net]
Sent: Thursday, September 11, 2003 4:04 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at
the end of the password

> ----- Original Message -----
> From: David
> To: users@httpd.apache.org
> Sent: Tuesday, September 09, 2003 2:55 PM
> Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at
> the end of the password
>
>
>
> Hi !!
>
> Many thanks for your prompt reply.
>
> > "Safety is a relative thing... but in this case, outside htdocs could
> > mean
> > something like making a new folder, "\Apache Group\Apache2\private", and
> > restricting access to that folder and each file therein (i.e. read/write
> > access only by the user that the web server runs as)."
>
> Does this mean that: When I restrict access to that folder only the
> physical
> user on my computer which my webserver is running on will be able to
>  access these files, in my case, the password file.
>
> I am under the impression that any document that is OUTSIDE the root document
> folder (in my case the htdocs folder) will not be accessible by ANY
> visitors of
> my website. So, putting the password OUTSIDE the htdocs folder is safe.
>
> I apologise for the confusion.

Well, safety being relative to the safety of Apache, and of all the Windows
DLLs and APIs and stuff that Apache relies upon to operate, but which is not
part of the Apache Group.  I remember a friend last year who made use of a
vulnerability in Apache or other DLLs.  It was a "Directory Traversal
Exploit" or something like that.  Using escaped sequences (%25%NN%NN%NN,
etc.), he was able to step outside the "htdocs" (or whatever folder was
specified as the DocumentRoot), and even look at files on other hard drives
and network mapped drives.  So I say it's "safe" above htdocs as long as
there's no exploit being used.  ;-)

> My next enquiry.
> > "I'm not sure if there's a way to allow only specific files.  There was
> > a
> > similar discussion about this last week.  For you, basically, put all
> > the
> > restricted files into the same folder, and put an .htaccess there.  Like
> > "\Apache Group\Apache2\htdocs\protected\" which has your .htaccess."
>
> I am not too familiar with the .htaccess issue. Is it a file ?
> or a directive? Many thanks for your time and attention.

"Damn it Jim I'm a doctor not a brick layer!"  Sorry, couldn't help myself.

The directives can exist in one of two contexts: within a <Directory> block,
or if you specify AllowOverride AuthConfig, then they exist in .htaccess
files.  The difference: if it's in the <Directory> block within httpd.conf
then any changes (i.e. .htpasswd file location, realm name specified by
AuthName) require a server restart to pick up the changes.  If it's in an
.htaccess file, it's read on the fly, so it can be modified and the changes
picked up without a server restart.

Like this:

<Directory "C:\path\to\htdocs\protected">
Options None
AuthUserFile "C:\path\to\private\.htpasswd"
AuthName "protected area"
AuthType Basic
Require valid-user
</Directory>

Or this:

<Directory "C:\path\to\htdocs\protected">
Options None
AllowOverride AuthConfig
</Directory>

C:\path\to\htdocs\protected\.htaccess:

AuthUserFile "C:\path\to\private\.htpasswd"
AuthName "protected server"
AuthType Basic
Require valid-user

> Regards
> David

Leif

-----Original Message-----
From: Leif W [mailto:warp-9.9@usa.net]
Sent: Thursday, September 11, 2003 2:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at
the end of the password

----- Original Message -----
From: "David" <amdawong@starhub.net.sg>
To: <users@httpd.apache.org>
Sent: Tuesday, September 09, 2003 2:23 PM
Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at
the end of the password

> Dear Leif,
>
> Many thanks for your mail. I followed your instructions and the
> authentication works like wonder! Now I have a basic authentication
> service for my webserver!
>
> However, I have a few queries pertaining to the security of my password
> file and its integrity.
>
> 1. You mentioned that my password file should be " outside your web or
> DocumentRoot folders". My webfolder is the standard default folder that
> comes along with apache webserver (i.e. in the \Apache
> Group\Apache2\htdocs).
> I placed my password file OUTSIDE that folder. Is it safe enough ?

Safety is a relative thing... but in this case, outside htdocs could mean
something like making a new folder, "\Apache Group\Apache2\private", and
restricting access to that folder and each file therein (i.e. read/write
access only by the user that the web server runs as).

> 2. I am now able to put an authentication system on my entire webserver.
>
> I do not need to protect my entire website with password. I only need to
> restrict access to a particular few pages in my website with password
> authentication. How can I do it ?

I'm not sure if there's a way to allow only specific files.  There was a
similar discussion about this last week.  For you, basically, put all the
restricted files into the same folder, and put an .htaccess there.  Like
"\Apache Group\Apache2\htdocs\protected\" which has your .htaccess.

Also note that with the basic authentication mechanism, the username and
password are sent in clear text over the internet, so if you're using this
for anything other than on your LAN, you'll likely want to look into
something more secure, like setting up Apache with SSL.  Not sure how to do
this on Windows, because the standard Apache binary .msi has no SSL built in
(probably due to export restrictions), so you'd have to find a copy that
someone builds (and be sure that it's safe to use), or compile Apache from
source (trivial in Linux/FreeBSD standard installs, non-trivial in Windows
standard installs).  This was also in the archives; someone maybe posted a
URL to some precompiled win32 binaries with SSL.

Leif

> Many thanks once again.
>
> Warmest Regards
> David
>
> -----Original Message-----
> From: Leif W [mailto:warp-9.9@usa.net]
> Sent: Thursday, September 11, 2003 1:34 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] htpasswd with Apache 2.0 - extra characters
> at the end of the password
>
> Hello,
>
> Check out mod_auth docs.
> http://httpd.apache.org/docs-2.0/mod/mod_auth.html
> and the core docs for AuthType and Require directives.
>
> Use the htpasswd program to generate usernames and passwords in an
> .htpasswd
> file.  Type htpasswd with no args to see usage.  Make sure your PATH has
> the
> "C:\Program Files\Apache Group\Apache2\bin" folder.
>
> Create a new .htpasswd file:
>
> htpasswd -c \path\to\.htpasswd user1
> password prompts: user1
>
> Add a new user to existing file:
>
> htpasswd \path\to\.htpasswd user2
> password prompts: user2
>
> .htpasswd file looks like this:
> user1:$apr1$4r0.....$UhfqMbRX/Hm/zIapnQnes.
> user2:$apr1$ar0.....$KVQb4b../XWSGjV2nPSOJ/
>
> Put it in a safe place outside your web or DocumentRoot folders.
>
> Choose if you're going to put your Auth stuff in a Directory block, or
> use
> AllowOverride AuthConfig, and put an .htaccess into the folder to
> protect.
>
> Directory or .htaccess Directives used (very simple):
>
> AuthUserFile "\path\to\.htpasswd"
> AuthName "protected server"
> AuthType Basic
> Require valid-user
>
>
>
>
> ----- Original Message -----
> From: "David" <amdawong@starhub.net.sg>
> To: <users@httpd.apache.org>
> Sent: Tuesday, September 09, 2003 1:01 PM
> Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters
> at
> the end of the password
>
>
> Hello Brian!!
>
> I would like to implement a basic authentication system using my apache.
> You mentioned that you managed to get the security to
>
> "work via .htaccess, as well as just using <Directory> access via the
> httpd.conf file".
>
> Can you elaborate a little more?? I would like to do the same. I am using
> Windows XP.
>
> Regards,
> David
>
> -----Original Message-----
> From: Brian Gulizia [mailto:brian.gulizia@complexlit.com]
> Sent: Thursday, September 11, 2003 12:07 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] htpasswd with Apache 2.0 - extra characters at
> the end of the password
>
> Hello,
> I have a server that is running Redhat 9.0, and the Apache web server
> that came with it. I am currently working on the security for a website
> using basic authentication. I have been able to successfully get the
> security to work via .htaccess, as well as just using <Directory> access
> via the httpd.conf file.
> However in testing I've found that, while you will only gain access to
> the protected directory by entering the password, you can also put a
> bunch of extra characters after the password and it will still allow
> access.
> I've searched the web, as well as the documentation, and couldn't find
> anything mentioning this caveat. Is this normal, or is there something
> that perhaps I've missed in my setup that could be causing this?
> Thanks,
> Brian Gulizia
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
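As an added example that is not part of the thread: the `$apr1$` entries in the quoted .htpasswd file are Apache's MD5-based crypt format (what `htpasswd -m` writes). This Python reimplements that algorithm so you can parse such a file and verify a login offline; it also shows that with this format a password with extra characters appended does not verify. The file contents and the `user2` password are constructed here; the `myName` line is the `htpasswd` vector for "myPassword" from the Apache password-formats documentation.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: emit `count` 6-bit groups, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password, salt):
    """Apache's $apr1$ MD5 crypt (what `htpasswd -m` writes); password and salt are bytes."""
    magic = b"$apr1$"
    salt = salt[:8]  # htpasswd uses at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:  # mix in `alt`, one byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:  # the "something really weird" step from the reference C code
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return magic + salt + b"$" + encoded


def parse_htpasswd(text):
    """Map user -> stored hash from htpasswd file contents (one `user:hash` per line)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def verify(entries, user, password):
    """True only if `user` exists and `password` reproduces its $apr1$ hash exactly."""
    stored = entries.get(user)
    if stored is None or not stored.startswith("$apr1$"):
        return False  # unknown user, or a crypt/SHA1 entry this example does not handle
    salt = stored.split("$")[2].encode()
    computed = apr1_hash(password.encode(), salt)
    return hmac.compare_digest(computed, stored.encode())


# Constructed sample in the layout of the quoted .htpasswd: myName is the Apache docs
# vector (password "myPassword"); user2 is generated here with a made-up salt/password.
SAMPLE_HTPASSWD = (
    "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\n"
    "user2:" + apr1_hash(b"s3cret-pw", b"ar0.....").decode() + "\n"
)

if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    for pw in ("myPassword", "myPasswordXYZ"):  # the appended suffix must be rejected
        print(pw, verify(users, "myName", pw))
```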