[thelist] Root and .htaccess
Keith
cache at dowebscentral.com
Mon Jul 21 21:53:26 CDT 2003
At 08:01 PM Monday 7/21/2003, you wrote:
>we have a .htaccess file in the main directory of the site that points
>to a users file containing all usernames and shadowed passwords. You add
>users to this list by logging on to root and executing the _htpasswd_
>command with the proper parameters.
Both A & B are BAD practice IMHO.
Never give root access to someone who is not a principal in the company or
the superuser employee. It's not just bad security, it's a really bad
business practice. Ask the owner, "When things go bump in the night, and
they do, do you want to suspect an employee or find the problem?"
You do not need root access to create a password. Linux and Perl use the
same MD5 crypt() function to encrypt passwords. Your .htaccess file does
not need to read the username:password from the usertable for Linux access.
In fact, that's why .htpasswd exists, for basic authentication you simply
put the .htpasswd file in the same directory as your .htaccess file. In
your .htaccess file tell it where to find the password file with:
AuthUserFile /absolute_path_to/protected_directory/.htpasswd
To keep the .htpasswd file private add
<files .ht*>
Order allow,deny
Deny from all
</files>
to your .htaccess file. That denies access to the file via the browser, and
makes it just as secure as the Linux password file (which can be read by
any user on the box).
Create an HTML form with two fields: name=user & name=password
Submit to the following Perl script with POST method (you don't want that
password value hanging around in a query string in the location field,
history, etc)
=================================================
#!/usr/bin/perl
$htpasswd_file = "protected_directory/.htpasswd";
read(STDIN, $input, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/,$input);
foreach $pair (@pairs){
$pair =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
($name, $value) = split(/=/,$pair,2);
$value =~ tr/+/ /;
$value =~ s/~!/ ~!/g;
if ($value =~ /[;><\*`\|]/){exit}
$$name=$value;
}
$salt = substr($user,0,2);
$PASSWORD=crypt($password,$salt);
open(HT,">>$.htpasswd_file");
print HT "$user:$PASSWORD\n";
close(HT);
print "Content-type: text/html\n\n";
print "USER $user was added";
======================================================
Unless you are going to have more than 1,000 users on this one .htpasswd
file, don't waste your time and your client's money databasing the user
names. I run up to 5,000 per .htpasswd before beginning to see any
degredation. But keep this in mind when deciding whether to database or
not, every request made to a Basic Authentication directory goes through
authentication. A page with 5 images inside that directory tree gets 6
authentications - put the images outside that tree unless they are what you
are protecting.
FWIW, the above layout of putting the .htaccess and .htpasswd file in the
same directory passes both VISA and HIPPA security requirements.
Keith
====================
cache at dowebscentral.com
More information about the thelist
mailing list