February 5, 2002



HTTP authentication works as follows. Once it is set up for a website, anyone who accesses the site is prompted for a username and a password. When these are supplied, Apache looks them up in a password file or database file. If the username and the corresponding password are correct, the visitor is allowed to browse the site; otherwise an HTTP 401 (invalid authorization) error is shown. There is more than one way to set up HTTP authentication. We use one that works out of the box, without recompiling, on the Apache Web server on PCQLinux 7.1. We also use a database file in place of a normal file for storing the usernames and passwords. This aids quick retrieval, which is useful when there are thousands of username/password pairs. Now let’s see how to set up HTTP authentication for a ‘UserDir’.

Last month, in Delegating Administration in Apache, we mentioned the AuthConfig directive. We proceed further with the UserDir example for user ‘shekhar’. In httpd.conf, add the ‘AuthConfig’ value to the ‘AllowOverride’ directive for the public_html web directory. The modified lines will look as follows:

<Directory /home/*/public_html>
AllowOverride Options Limit AuthConfig
</Directory>

Suppose we want to allow anyone who supplies ‘shekhar’ as the username and ‘pcq’ as the password to browse Shekhar’s website. Add the following lines to the .htaccess file that we created last month, after the Options directive and before the Order directive.

AuthType Basic
AuthName "PCQ"
AuthDBUserFile /home/shekhar/auth
AuthDBGroupFile /home/shekhar/auth
require user shekhar 

Here, with the value ‘Basic’ for the AuthType directive, we declare the use of Basic HTTP authentication. The other authentication type is Digest, which uses a one-way hashing algorithm when transmitting the username and the password from the browser to the Web server. Digest authentication is not supported by all browsers. With ‘AuthName’ we define the name of the authentication area, or realm. Here the name of the realm is ‘PCQ’. Suppose you have another UserDir or Web directory with the same authentication requirements, that is, the same username/password pair; you can then give the same AuthName value to that directory. Here’s the advantage: the browser generally caches the username-password pair supplied for authentication, so it will not prompt again when subsequently accessing Web sites with the same realm name. Instead, it will send the pair automatically.
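What each scheme puts on the wire for the article’s user ‘shekhar’, password ‘pcq’ and realm ‘PCQ’, as an added example that is not part of the original article: the Basic header decodes straight back to the password, while the RFC 2617 Digest response (shown here without qop) is a hash bound to the server’s nonce. The nonce values and the request URI are constructed for illustration.

```python
import base64
import hashlib

# Added example, not from the original article. Nonces and URI are constructed.

def basic_header(user, password):
    """Value a browser sends in 'Authorization:' for AuthType Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header):
    """Recover (user, password) from a Basic header; base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response (no qop): only this hash is transmitted."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # secret part, never sent as-is
    ha2 = _md5(f"{method}:{uri}")              # binds the response to the request
    return _md5(f"{ha1}:{nonce}:{ha2}")        # changes with every server nonce

if __name__ == "__main__":
    hdr = basic_header("shekhar", "pcq")
    print(hdr)                  # what any observer of the connection sees
    print(decode_basic(hdr))    # and what it decodes back to
    for nonce in ("constructed-nonce-1", "constructed-nonce-2"):
        print(digest_response("shekhar", "PCQ", "pcq", "GET", "/~shekhar/", nonce))
```

Because the Basic header is reversible, it is normally served only over an encrypted (HTTPS) connection.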

The next two lines specify the location of the files containing the username, password and group information. The final line declares the username required to access the Web directory and has the syntax:

require user <username>

Now we must create the file named ‘auth’ in the /home/shekhar directory. Issue the following command:

dbmmanage /home/shekhar/auth adduser shekhar


You will be prompted for a new password. Enter ‘pcq’ in our case. The dbmmanage utility creates the database file named ‘auth’ in the /home/shekhar directory. Here the user ‘shekhar’ does not belong to any group. See below for more explanation on groups. The syntax is:

dbmmanage <file-name> adduser <username>

Now when you try to access Shekhar’s site using ‘http://<ip-address-of-linux-machine>/~shekhar/’, a dialog box will pop up prompting for a username and a password.

Suppose you want to allow a group of users to access Shekhar’s website. Let the name of the group be ‘pcquest’. Add ‘require group pcquest’ in the .htaccess file after ‘require user shekhar’. Now let’s add two users, namely ‘sachin’ and ‘sanjay’, to the ‘auth’ file in /home/shekhar and declare their group to be ‘pcquest’. Let their corresponding passwords be ‘pcq1’ and ‘pcq2’. The commands are:

dbmmanage /home/shekhar/auth adduser sachin pcq1 pcquest
dbmmanage /home/shekhar/auth adduser sanjay pcq2 pcquest

The syntax of the above commands is:

dbmmanage <file-name> adduser <username> <password> <group-name>

You will again be prompted for the password when you press Enter. To delete a user from the database, use dbmmanage as:

dbmmanage <file-name> delete <username>

You can view all the users in the database file using the command ‘dbmmanage <file-name> view’.

The output shown is in the form:

<username>:<encrypted-password>:<group-name>

Instead of specifying particular users or groups, by using ‘require valid-user’, we can declare that all users in the database file can access the site.
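How the ‘require’ lines above combine, as an added example that is not Apache’s own code: it parses output in the ‘dbmmanage view’ form and grants access when any one require line matches. It assumes the password check has already succeeded; the hash fields in the sample are constructed placeholders.

```python
# Added example, not from the original article. Sample records are constructed.
SAMPLE_VIEW = """\
shekhar:CONSTRUCTED-HASH-1
sachin:CONSTRUCTED-HASH-2:pcquest
sanjay:CONSTRUCTED-HASH-3:pcquest
"""

def parse_view(output):
    """Map each user to a set of groups from 'user:hash[:group[,group...]]' lines."""
    users = {}
    for line in output.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0]:
            continue  # skip blank or malformed lines
        groups = fields[2].split(",") if len(fields) > 2 else []
        users[fields[0]] = {g.strip() for g in groups if g.strip()}
    return users

def is_authorized(user, users, requires):
    """True if an already-authenticated user satisfies any one require line."""
    if user not in users:
        return False  # not in the database file at all
    for line in requires:
        words = line.split()
        if len(words) < 2 or words[0].lower() != "require":
            continue
        kind, args = words[1].lower(), words[2:]
        if kind == "valid-user":
            return True
        if kind == "user" and user in args:
            return True
        if kind == "group" and users[user] & set(args):
            return True
    return False

if __name__ == "__main__":
    users = parse_view(SAMPLE_VIEW)
    rules = ["require user shekhar", "require group pcquest"]
    for name in ("shekhar", "sachin", "sanjay", "outsider"):
        print(name, is_authorized(name, users, rules))
```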

Authentication for document root
You can also set up HTTP authentication for normal Web directories like the document root, i.e., the /var/www/html directory. Open httpd.conf in a text editor and, after the line

<Directory "/var/www/html">

add the following lines:

AuthType Basic
AuthName "PCQ Labs"
AuthDBUserFile auth
AuthDBGroupFile auth
require valid-user

Note that in this case we have specified only the file name ‘auth’ without an absolute path. In such a case Apache will look for the ‘auth’ file in the directory specified by the ‘ServerRoot’ directive in httpd.conf. In the case of Apache on PCQLinux it is preset to ‘/etc/httpd’. Follow the same procedure as above to create the ‘auth’ file in the /etc/httpd directory. Subsequently, when you browse http://<ip-address-of-linux-machine>, you will be shown the username-password prompt.
