.htpasswd - Printable Version

+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: Linux Server Administration (https://www.linux-noob.com/forums/forum-8.html)
+--- Forum: LAMP (https://www.linux-noob.com/forums/forum-83.html)
+--- Thread: .htpasswd (/thread-232.html)

.htpasswd - anyweb - 2012-01-07

Is it possible to add another user/password to my already configured .htpasswd file?

.htpasswd - Dungeon-Dave - 2012-01-08

Yup.

Code:
htpasswd .htpwd myUserName

then it'll prompt for the password. Alternatively, use the -b option to specify both username and pass:

Code:
htpasswd -b .htpwd myUserName newPassword

Note - this presumes that your password file is ".htpwd" - just pop the relevant name in there.

Lastly, don't forget that Apache needs to be able to read this file to allow/deny users. I've had people set permissions to 600 and wonder why it doesn't work. Don't use 666 or 777 - 644 should be sufficient. For tighter security, set the group to the apache services account group (www-data or so) then set permissions to 640.

Go for it!

(also, don't forget "tail -f" on your apache logfiles to show login/out information and diagnose issues).

nb: a new addition to the htpass file shouldn't require a restart of apache (nor a reboot) but you probably knew that anyway...

.htpasswd - anyweb - 2012-01-08

Thanks Dave, that worked great :)

.htpasswd - Dungeon-Dave - 2012-01-08

Sound!

nb: you probably know this, but htaccess authentication is not a fantastically secure method - even if you're using https, the username/pass combo is still sent as part of the URL (https://username:password@mysite.com/securearea) so those credentials could be sniffed out.

.htpasswd - anyweb - 2012-01-10

I didn't know that, ok so what's a better way and is it hard to set up?

.htpasswd - Dungeon-Dave - 2012-01-10

Firstly, if you're passing authentication credentials, they should be sent as POST query variables over https. This forum does it during login - pops up a login form for a user to enter credentials. Successful login usually results in the client receiving a cookie containing some obfuscated information. The contents of these are read for each page request and compared against a lookup table that matches the cookie contents to a username, verifying the identity of the user. It's a standard authentication mechanism used by many sites.

I've hacked up some module that compares the identity and rank of a forum member to see if they have access to further directories - reusing forum credentials. The best part about that was that the admins could create a specific rank or privilege and I'd just check against that to permit access.

Note that all of this is for much tighter security. I run a site where entry is permitted against their static IP address or using a simple username/pass combo encoded in the page URL. It's not super-secret and users may give away their credentials, but it means I can track leaks back to specific individuals if it occurs.

I suppose the question is: just how secure do you want to make it?
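As an added example (not code from this thread, from Apache, or from either poster), here is a small Python audit for the .htpasswd file Dave's answer manages with htpasswd: it parses a constructed sample file, reports which entries use a hash format weaker than bcrypt, and verifies a login against a {SHA} entry. The sample entries, user names and function names are assumptions made for the example.

```python
# Audit a .htpasswd file for weak hash formats and verify a {SHA} login.
# Added example for this thread, not code from the forum or from Apache.
import base64
import hashlib
import hmac
CRYPT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
# Constructed sample file with one entry per format htpasswd(1) can write.
# alice's field is {SHA} of the password "test"; bob's and carol's are
# placeholders carrying only the apr1 / bcrypt prefix, not real hashes.
SAMPLE_HTPASSWD = """\
alice:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
bob:$apr1$PLACEHOLDER
carol:$2y$05$PLACEHOLDER
dave:not-a-hash-at-all
erin:abJnggxhB/yWI
"""

def hash_kind(field):
    """Classify one password field by its htpasswd(1) storage format."""
    if field[:4] in ("$2a$", "$2b$", "$2y$"):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1"
    if len(field) == 13 and set(field) <= CRYPT_CHARS:
        return "crypt"  # heuristic: 13-char DES crypt(3) output
    return "plaintext"

def audit(text):
    """Return [(user, kind, rating)]; only bcrypt is rated 'ok'."""
    rating = {"bcrypt": "ok", "apr1-md5": "legacy"}
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blank, comment and malformed lines
        user, field = line.split(":", 1)
        kind = hash_kind(field)
        out.append((user, kind, rating.get(kind, "weak")))
    return out

def verify_sha(text, user, password):
    """Check a {SHA} entry (base64 of SHA-1) with a constant-time compare."""
    for line in text.splitlines():
        if line.startswith(user + ":"):
            field = line.split(":", 1)[1]
            if not field.startswith("{SHA}"):
                raise ValueError("use `htpasswd -v` for " + hash_kind(field))
            digest = base64.b64encode(hashlib.sha1(password.encode()).digest())
            return hmac.compare_digest(digest.decode(), field[5:])
    return False
```

Running audit() over a real file shows which users Dave's `htpasswd -b` should re-add with `-B` (bcrypt); the 640 / www-data permissions he describes still apply whatever the hash format.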