[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Apache User Authentication



Armin Schoech wrote:
Hi Eric,


I am trying to setup user authentication on my SUSE 9.0 box and I keep=20
running into 500 errors, or the username and password will not work in=20
the pop up window.  The errors I get in the logs are:
=20
[Thu Sep 09 12:00:24 2004] [error] [client 192.168.1.103] (2)No such=20
file or directory: Could not open password file: /etc/apache/.htaccess
[Thu Sep 09 12:00:24 2004] [error] [client 192.168.1.103] user admin not=

=20

found: /


--> Just a thought: have you check the ownership and access rights of
/etc/apache/.htaccess ?

On my SuSE 9.0 system, the process "httpd" runs as user "wwwrun". So
/etc/apache/.htaccess should be readable by user "wwwrun" and probably
not by anyone else (to protect from local users).

There is an acl in apache-config (Apache 1.x and 2.x) that disallows the reading of .ht* files.

500 Error is an internal server error and means something in your .htaccess file is not supported by the server.

Userauthentification via .htaccess goes this way:

You make a .htaccess file and a .htpasswd file for authentification.

.htaccess:

AuthType Basic
AuthName "Please authentificate yourself!"
AuthUserFile /path-to-authentificationdir/.htpasswd
require user USERNAME

.htpasswd is generated by typing "htpasswd -cm .htpasswd USERNAME PASSWORD".

Type "htpasswd --help" for help!

Afterwards do edit your files and change filerights like the follows:

#use the intended webuser here!
chown .ht* wwwrun:nogroup
chmod o+r .htaccess
chmod o+r .htpasswd

Now you should have password protected Webfolders.
If not you have to change apache config file which settings can be changed by .htaccess files (there should be an example in the config!).

Depending on which modules are loaded apache can set much more options in .htaccess file (even for php ...). Not all are supported by SuSE's shipped apache 1/2, because on module is missing (I forgot the name).

We got a webscript at our university for making .htaccess authentification. You better shange .passwd to .htpasswd. Here you find it (german version, but it is self explaining):

http://www.uni-duisburg.de/HRZ/services/alle/internet/www/htaccess/

Philippe

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here