Many Linux web servers running Apache allow users to use the .htaccess file to override the default server configuration. For example, a user on a web server could use .htaccess files to set specific attributes (such as password protection) on specific directories without requiring access to the server's main configuration file. You should note that depending on your host and how your administrator has things set up, you may or may not be able to override particular configurations with the .htaccess file. In most cases hosts will allow you to make configuration changes with .htaccess files, but you will need to check with your host if you are unsure. If you have found out that your host does not allow you to make overrides with .htaccess files you might check into hosting over at UNFLUX.net, as they do have support for this.
There are probably many ways in which a user can create a password protected directory by using .htaccess files. The usual way is by simply creating two text files, one for the directory to be protected and the other to store your usernames and passwords. In most cases you will need ssh or telnet to be able to create the encrypted passwords, but if you do not have access to that resource we have an alternate way for you to generate the encrypted passwords. We will go into details about this later.
Depending on what server you are using and how it is set up, you can also check exactly who accessed your website, how many times they accessed the site, the actual time they accessed your site, and with what usernames. I find this extremely useful because it allows you to track people who are sharing usernames with others by seeing what IP addresses are logging in with a particular username. A while back I found from my logs that a visitor was trying to break into the website using some kind of program for a brute force attack. The program was testing thousands of username and password combinations over a matter of a few hours. In the log file you could see every username they attempted to use. This particular visitor was testing common username/password combinations about three times a second. This can be important information if you are trying to keep unauthorized users out of your protected areas. Banning the IP address is one simple solution, but if they are trying to break in from numerous locations it could be more difficult to stop.
All of this information regarding who has been accessing your protected areas on your server should be recorded in your raw access logs and raw error logs. If you do not know whether you have access to your raw access logs you should send an email to your webhost support, or check the FAQ area at your host's website.
Click on the picture of the password box below. It should send you to a directory which is in a password protected area. It should ask you for a username and password. Use unmelted for the username and templates for the password to gain access to the authenticated area.
Following the tutorial below should allow you to achieve what we have shown in this demonstration.
The example that you see below shows the contents of an .htaccess file. If you are running on a Windows platform your computer will most likely not allow you to name your file .htaccess, so instead temporarily name it htaccess.txt on your hard drive. Once you have created the file you will then upload it to the directory you want to protect. Only that directory and the directories that fall below it will be protected. Once it is uploaded to your server you will need to rename the file to .htaccess; a file named htaccess.txt will not work.
# filesystem path (not a URL) of the username/password file
AuthUserFile /home/website/members/.htpassword
AuthGroupFile /dev/null
# realm name shown in the browser's login box
AuthName (Info-Area)
AuthType Basic
# require a valid login for every request method, not just GET and POST
require valid-user
It is important to realize that creating the .htaccess file will protect your directory, but you still need to create usernames and passwords in another file. The first line in the above example, which says AuthUserFile, is where you specify the path to your username and password list. The path is not a URL. The path is the location of the text file on your server, which in this example is /home/website/members/.htpassword
The location of the usernames and passwords is in a text file called .htpassword. You will learn how to create the password in the next section.
The next line, AuthGroupFile, should be left as it reads, and the following line, which contains AuthName, is where you specify the realm. This can be whatever you want; it is simply the name that will be displayed on the box that pops up when someone tries to access your protected directory. In this case we called it (Info-Area), but it could be anything that describes your area. The AuthType line should be left alone. In summary, all you need to do is copy exactly what is in the example above, paste it into a text file, and change the lines that contain AuthUserFile and AuthName. The most difficult part will probably be the first line and trying to figure out what path you should use. You should consult with your webhost if you are having problems figuring out your correct path.
The password file is where you will have all of your usernames and passwords. You can name this file whatever you wish, just make sure you put it in the location that you specified in your .htaccess file above. You will notice that this file is made up of two basic parts: the username first, then a colon, then the encrypted password last. Each line is another username and password that has access to the area. The basic style that you will use is Username:Encrypted-password. Here is an example:
username:Gp9Fv9gvsJeTeA
jenifer:YKcd8d44vlqw54
scott:PUJ73ef.jrfi4HG
Typing in the username is the easy part. Simply type it as you wish. It can be anything you want, but remember that care should go into creating usernames and passwords so that they are not easy to guess. After the username type a ":" and then the encrypted password follows that.
This is where it might become tricky for some. You need to be able to create this encrypted password. If you have access to SSH or Telnet it should be fairly straightforward, and we will discuss this next. Your other option would be to use a CGI program to encrypt the password for you. We are also including this later on in the tutorial for those who do not have access to SSH or telnet.
Whatever method you decide to use, I recommend placing your password file in a directory outside (above) your public web directory to ensure that nobody will have access to it. Also, naming your password file .htpassword should also prevent users from obtaining this file, because by default the Apache server denies public access to anything that starts with .ht. Even if they do somehow get access to your usernames and passwords, the passwords are still encrypted, so they will still have their work cut out for them if they intend to actually get into your protected area. However, making sure they never get access to this file will only increase your chances of making sure nobody ever breaks in.
We have done all this talk about encrypted passwords, but some of you might not know what this is. An encrypted password is basically a password that is scrambled up using some kind of algorithm so that it's different from what the actual password really is. So in the above example the encrypted password is Gp9Fv9gvsJeTeA, but in reality that encrypted password might have been derived from a real password such as opensesame or airplane (I do not recommend you use simple passwords like that, just trying to make a point). Your server will only understand the encrypted password form, so you must somehow convert your real passwords into the encrypted form. Your webhost may have an area for you to do this, but if not we have a program below which can assist you.
The first way, and probably the easiest way, to create your encrypted passwords is by using SSH / telnet. Using SSH or Telnet is a way that you can actually be on your server as if you were physically there. Windows comes with a basic telnet program which you could use. However, in order to use SSH or telnet you must have access to do so. Many webhosts will not allow you to use either of these methods because of possible security risks, but it is definitely a handy tool if you have access to it. This section assumes you understand how to log in to SSH or telnet and get to the directory in which your password file is located. If you need more basic information you will need to find a tutorial on SSH or telnet. From now on I am only going to mention SSH, but you can use SSH or telnet to do this. SSH is more secure to use and I would recommend using that first.
Now let's move on to creating your usernames and passwords using SSH. Once you have logged on to your server you should see something like:
$
That basically means that it is just waiting for you to enter a command. What you should type on this line is:
htpasswd -c /home/website/members/.htpassword username
The first part, which says htpasswd, is a program that we are running. The htpasswd program is used to create and update the flat files used to store usernames and passwords for basic authentication of HTTP users. The htpasswd program encrypts passwords using either a version of MD5 modified for Apache, or the system crypt() routine. Files managed by htpasswd may contain both types of passwords, meaning that some records may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt(). These details probably are not that important to you, so if you do not understand I wouldn't panic yet. The next part in the example above is -c, which simply tells the program to create the password file; if the file already exists, it is rewritten and truncated, so leave -c out when you add further users to an existing file. The next part of the line in the example above is /home/website/members/.htpassword, and this is the location where you want the username and password to be stored. Again, if you do not know your location or where you should place this file you might want to contact your webhost. Finally, the last part in the example above, which says username, should be replaced with whatever name you want to use for the username. Choose your names wisely.
Now hit the enter button and the program should prompt you for a password to use, type in the password and then hit the enter button again. It will then ask you to re-enter the password to make sure you entered it right. When you type in your password you might notice that nothing seems to be happening on your screen, that is normal. That is it!
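As an added example (not from the original page, nor from htpasswd or the encrypt program linked below): a Python version of the Apache-modified MD5 scheme that htpasswd writes, plus a check routine for the Username:Encrypted-password file and an add routine that does not truncate the file the way -c does. The function names and the sample users are assumptions; the fixed salt in the test is for reproducibility only.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt-style base64: lowest 6 bits first, using the crypt alphabet
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_hash(password, salt=None):
    """Return '$apr1$<salt>$<hash>', the Apache-modified MD5 form htpasswd -m writes."""
    pw = password.encode()
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for left in range(len(pw), 0, -16):        # mix in alt, one chunk per 16 pw bytes
        ctx.update(alt[:min(16, left)])
    bit = len(pw)
    while bit:                                 # one byte per bit of len(pw)
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    text = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return "$apr1$" + salt + "$" + text + _to64(final[11], 2)

def add_user(pwfile_text, username, password):
    """Add or replace one 'user:hash' line, keeping the others (htpasswd without -c)."""
    kept = [l for l in pwfile_text.splitlines() if l.split(":", 1)[0] != username]
    kept.append(username + ":" + apr1_hash(password))
    return "\n".join(kept) + "\n"

def verify(pwfile_text, username, password):
    """Check a login against the file the way Apache does for Basic auth."""
    for line in pwfile_text.splitlines():
        user, _, stored = line.partition(":")
        if user == username and stored.startswith("$apr1$"):
            salt = stored.split("$")[2]
            return hmac.compare_digest(apr1_hash(password, salt), stored)
    return False   # unknown user, or a crypt() entry this example does not handle
```

Entries written by apr1_hash can be pasted straight into the password file described above; crypt()-style entries such as the ones in the example file are left to htpasswd.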
If you ever need to remove usernames, an easy way to do this is to use a simple editing program such as notepad or pico to edit the .htpassword file and simply remove the entire line that contains the username and password.
If you are unable to obtain access to SSH or telnet you might want to try our alternate method of creating your password file. This way encrypts your passwords by using a CGI script which you can download from this page. It will allow you to enter a password that you choose and will display the encrypted result. This result can then be copied and pasted into your password file. You should run this program on the same server on which you will be storing your .htaccess file and password file.
Download this encrypt zip file for the encryption program. Inside you will find a program called transform.cgi. You must make this script executable by either placing it in a cgi-bin or by setting the permissions to 755 (you may have to do both).
If you cannot change the file permissions on your server but you have a cgi-bin then upload the files there. Hopefully you can change your file permissions in that directory. If you cannot use cgi scripts or if you cannot change file permission you will not be able to use this small program.
Some of you might need an explanation of what it means to chmod a file to the permissions 755. There are three basic users: owner, group, and everyone. The following abbreviations are used to represent these: O = OWNER, G = GROUP, E = EVERYONE. There are also three different permissions you can set: r = READ, w = WRITE, x = EXECUTE. READ is worth 4 points, WRITE is worth 2 points, and EXECUTE is worth 1 point.
chmod 644: O = r,w  G = r  E = r
chmod 755: O = r,w,x  G = r,x  E = r,x
So if we take 755, the first number, 7, represents the OWNER. For OWNER we have r, w, and x (READ, WRITE and EXECUTE). The r is worth 4 points, the w is worth 2 points, and the x is worth 1 point. Add that up and you get 7. The next number in 755 is the 5. The only two that add up to 5 are READ (4) plus EXECUTE (1). So the permission for the second number, which represents GROUP permissions, is READ and EXECUTE. The same goes for the last number, which represents EVERYONE (sometimes known as WORLD) permissions.
Inside the zip file you will also find encrypt.html which you should place in the same directory as transform.cgi. You can place it in a different directory if you want, but you will have to edit some of the html so that it points to the cgi script. Once you have both files transform.cgi and encrypt.html on your server you can then go to your site and load encrypt.html. In the box enter the password you want and hit encrypt to display the encrypted password.
Now you should be almost set. Let's revisit this example:
username:Gp9Fv9gvsJeTeA
jenifer:YKcd8d44vlqw54
scott:PUJ73ef.jrfi4HG
Your username should not be encrypted so you can type it just like it is, as we have done in the example above. After the username place a colon. Immediately following that place the encrypted password you obtained from using the encrypt script. Once done you will need to save your file and upload it to the directory that you had specified in the ".htaccess" file from earlier. That is it! Now go to your site and try to enter your protected directory. You should be prompted to enter a username and password. Enter one of your usernames and passwords from your password file to gain access.