Authentication

- Names and Passwords
- Also can use Groups
- Webmaster can “require” authentication
- Each username and password is valid for a particular realm
- Password is sent unencrypted

Authentication

<Directory /var/lib/apache/htdocs>
    AuthType Basic
    AuthName Admin
    AuthUserFile /var/lib/apache/names
    AuthGroupFile /var/lib/apache/groups
    require valid-user
</Directory>
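With `AuthType Basic` the browser only base64-encodes `user:password`, which is why the slides say the password is sent unencrypted. The following added example (not part of the original slides) parses an `Authorization` header and reports which users sent Basic credentials over plain HTTP; the request dictionaries and their field names are constructed sample data.

```python
import base64

def parse_basic(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not text: treat as no credentials
    # Only the first ':' separates user from password; passwords may contain ':'
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def exposed_users(requests):
    """Users whose Basic credentials crossed the wire without TLS."""
    exposed = set()
    for req in requests:
        creds = parse_basic(req.get("authorization", ""))
        if creds and req["scheme"] == "http":
            exposed.add(creds[0])
    return sorted(exposed)

def basic_header(user, password):
    """Build the header value a browser would send for this user/password."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

# Constructed sample requests (hypothetical log records, not from the slides)
SAMPLE = [
    {"scheme": "http", "authorization": basic_header("admin", "s3cret")},
    {"scheme": "https", "authorization": basic_header("teacher", "chalk")},
    {"scheme": "http", "authorization": 'Digest username="admin"'},
    {"scheme": "http"},
]

if __name__ == "__main__":
    print(exposed_users(SAMPLE))
```

Serving the protected directory only over HTTPS keeps the same header out of reach of anyone observing the connection.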

Authentication Directives

- AuthType type
  - Basic or Digest
  - If AuthType is used then AuthName, AuthGroupFile, and AuthUserFile must be specified
- AuthName auth-realm
- AuthGroupFile filename

Authentication Directives (cont)

- AuthUserFile filename
  - Contains usernames and encrypted passwords
- Limit method_1 method_2 …
  - Not normally used
- Require user name(s) | group name(s) | valid-user
  - Key directive that causes password checking

Authentication Directives (cont)

- Satisfy any | all
  - Sets access policy if allow and require are used
  - Only useful if access to a particular area is being restricted by both username/password and client host address

Passwords Under Unix

- Use the htpasswd program to create the user/password file
  - htpasswd -?
  - htpasswd -c /var/lib/apache/names admin
  - htpasswd /var/lib/apache/names teacher
- DBM Files

Order, Allow, Deny

- You can also control access based on a specific IP address, hostnames, or groups of addresses and hostnames
- Allow from ….. and ….. Deny from
  - Order is not set by the way you enter it in the configuration file
  - Default is deny then allow

Allow, Order, Deny

- Allow from
  - Allow from host host
  - Controls access to a directory
  - Host can be All, domain name, IP Address, or a netmask

Allow, Order, Deny

- Allow from env
  - Uses a named variable
  - See Page 115
- Deny from
  - Controls access by host
- Deny from env

Allow, Order, Deny

- Order ordering
  - Controls the order in which directives are applied (no spaces allowed)
  - deny,allow
    - deny directives evaluated first
  - allow,deny
    - allow directives evaluated first

Allow, Order, Deny

- mutual-failure
  - Hosts that appear on the allow list and do not appear on the deny list are allowed
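The three `Order` values and the `Satisfy any | all` policy from the earlier slide can be modelled in a few lines. This is an added example, not code from the slides or from Apache; it assumes hosts are given as `all`, an IP address, or a network/netmask (domain names and `env=` variables are left out), and the rule lists are constructed.

```python
import ipaddress

def matches(client_ip, specs):
    """True if client_ip matches any spec: 'all', an IP address, or a network."""
    ip = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        # strict=False accepts "10.0.0.5/8" as well as "10.0.0.0/255.0.0.0"
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def host_allowed(order, allow, deny, client_ip):
    """Host-based decision for Order deny,allow | allow,deny | mutual-failure."""
    allowed = matches(client_ip, allow)
    denied = matches(client_ip, deny)
    order = order.lower()
    if order == "deny,allow":
        # Deny evaluated first, Allow can override; no match at all means allowed.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Allow evaluated first, Deny can override; no match at all means denied.
        return allowed and not denied
    raise ValueError("unknown Order value: %r" % order)

def access_granted(satisfy, host_ok, password_ok):
    """Combine the host check and the Require check as Satisfy all | any does."""
    satisfy = satisfy.lower()
    if satisfy == "all":
        return host_ok and password_ok
    if satisfy == "any":
        return host_ok or password_ok
    raise ValueError("unknown Satisfy value: %r" % satisfy)

# Constructed rule set: the Allow/Deny lines are identical, only Order differs.
ALLOW = ["10.0.0.0/255.0.0.0"]
DENY = ["all"]

def compare_orders(client_ip):
    """Decision for the same client under both orderings."""
    return {o: host_allowed(o, ALLOW, DENY, client_ip)
            for o in ("deny,allow", "allow,deny")}

if __name__ == "__main__":
    print(compare_orders("10.1.2.3"))
```

With `Satisfy any`, a client from an allowed host is admitted without a password, so the host list carries the full weight of the protection for those clients.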

Anonymous Access

- Example
  - Anonymous_Authoritative off
  - Anonymous guest anonymous air-head
- Lets you log in as guest, anonymous or air-head

Anonymous Access Directives

- Anonymous userid1 userid2 …
- Anonymous_NoUserID on | off
  - Still must put something in the PW field
- Anonymous_LogEmail on | off
- Anonymous_VerifyEmail on | off
  - Userid must contain at least one @

Anonymous Access Directives

- Anonymous_Authoritative on | off
  - If user fails anonymous authorization they fail all authorization
- Anonymous_MustGiveEmail on | off
  - User must give an email ID as a password

.htaccess file

- Directives go in separate file versus in the httpd.conf file
- Great for controlling access to specific directories or even entire sites
- AccessFileName Directive must be in the httpd.conf file to allow this to work

Overrides

- AllowOverride override1 override2
  - Tells Apache which directives in an .htaccess file can override earlier directives.
- See page 129 for examples