How to manage HTTP authentication passwords in the .htpasswd file with the htpasswd command

Published by botond, 2018-11-26 (Monday), 14:03

Introduction

The directories and subdirectories of our website can easily be password protected with HTTP authentication. For this we need a running Apache HTTP server, a properly configured .htaccess file, and a .htpasswd file that stores the users and their passwords.

In this short tutorial we show how to create new users, change their passwords, or delete them in the .htpasswd file using the htpasswd command.

 

 

Installing the required package

If the apache2-utils package is not yet installed on our machine, install it with the following command:

sudo apt-get install apache2-utils

This package contains the htpasswd command, which is the subject of this description.

 

Create a new user

With HTTP authentication, each web subdirectory must be protected separately, so change into the subdirectory you want to password protect.

In the directory, run the following command to create a user named "felhasznalo" (Hungarian for "user"):

htpasswd -c ./.htpasswd felhasznalo

The -c option tells the htpasswd command to create a new output file. If you specify a non-existent output file without the -c switch, it gives the following error:

htpasswd: cannot modify file ./.htpasswd; use '-c' to create it

(In this case, after running the command, we get exit code 1 in $?, so it can be handled well in scripts.)

With the -c switch, on the other hand, it always creates a new file. So before using it, make sure the output file does not already exist, so that you don't overwrite an earlier file that may already contain users.

The command then prompts for the new password and asks for it again to rule out typos. After successful creation it prints:

Adding password for user felhasznalo

So using the htpasswd command is very simple. Looking at the .htpasswd file we created, we find this (with the password "12345"):

felhasznalo:$apr1$o3UQr8fo$QGMuDGbSC0TPha6ud8KGW0

Now that our file already exists, create our second user without the -c switch:

htpasswd ./.htpasswd felhasznalo2

Here again I entered the password "12345".

And now our .htpasswd file contains:

felhasznalo:$apr1$o3UQr8fo$QGMuDGbSC0TPha6ud8KGW0
felhasznalo2:$apr1$2E9j3TXC$75bLkOfYpAIK4YJWBkbd60

What is striking here is that the hashing algorithm is MD5 by default (the $apr1$ prefix marks Apache's MD5 variant). Of course, several algorithms are available to choose from, but this one is perfectly adequate.

 

Change password

To change a password, you just need to run the command again on the existing .htpasswd file with an existing username and without the option that creates a new file. So, to change the password of felhasznalo2, enter the following command:

htpasswd ./.htpasswd felhasznalo2

In this case, the output is:

Updating password for user felhasznalo2

And the file contains:

felhasznalo:$apr1$o3UQr8fo$QGMuDGbSC0TPha6ud8KGW0
felhasznalo2:$apr1$CrIm8Kkj$BvmxRhvQp4A2m8e.3agFa0

Thus the first user's record remains intact, while the second is modified.

 

Delete user

A user can be deleted with the -D switch of the htpasswd command:

htpasswd -D ./.htpasswd felhasznalo2

(Note that the switch is a capital D. The lowercase -d switch selects a different hashing algorithm (crypt), so it has a different function.)

Output:

Deleting password for user felhasznalo2

File contents:

felhasznalo:$apr1$o3UQr8fo$QGMuDGbSC0TPha6ud8KGW0

 

Verify your password

It is also possible to verify the passwords of the users in our .htpasswd file, using the -v switch:

htpasswd -v ./.htpasswd felhasznalo

Here we check the password of "felhasznalo" in the given password file.

Running this command can produce several outcomes:

Correct password

If everything is fine (the password file and the user exist, and the password is correct), we get this output:

Password for user felhasznalo correct.

$? exit code: 0

Password file not found

If you specify a non-existent file, for example because of a typo, execution stops right away with an error message (here I mistyped the name on purpose):

htpasswd: cannot modify file ./.htpasswda; use '-c' to create it

$? exit code: 1

Wrong password

If the password file and the specified user exist but the password is incorrect, the output is:

password verification failed

$? exit code: 3

User does not exist

And if we try to check a user that does not exist, the output is:

User felhasznalo2 not found

$? exit code: 6

 

So these are the possible outputs and exit codes.

The exit codes are very useful, for example, in our automation scripts.
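As an added example (not from the original article), here is a small Python reimplementation of what htpasswd -v does for the default $apr1$ (Apache MD5) hashes shown above: it parses .htpasswd lines, recomputes the hash with the stored salt, and returns the same exit codes as htpasswd (0 correct, 3 wrong password, 6 user not found). The sample records are the two lines produced earlier in the article, both created with the password "12345".

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Encode `count` 6-bit groups of value, least significant first (crypt's to64)."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_hash(password, salt):
    """Apache's $apr1$ hash: classic md5crypt with the magic string '$apr1$'."""
    pw, salt_b, magic = password.encode(), salt.encode(), b"$apr1$"
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + magic + salt_b)
    for i in range(len(pw)):                 # one byte of `alt` per password byte
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                 # md5crypt's bit-pattern step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                    # 1000 stretching rounds
        ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx.update(salt_b)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + enc

def verify_user(htpasswd_text, user, password):
    """Mirror htpasswd -v exit codes: 0 correct, 3 wrong password, 6 user not found."""
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if not sep or name != user:
            continue
        if not stored.startswith("$apr1$"):
            raise ValueError("only $apr1$ hashes are handled in this example")
        salt = stored.split("$")[2]
        ok = hmac.compare_digest(apr1_hash(password, salt), stored)  # constant-time compare
        return 0 if ok else 3
    return 6

# The two records produced earlier in the article, both created with password "12345".
SAMPLE = 'felhasznalo:$apr1$o3UQr8fo$QGMuDGbSC0TPha6ud8KGW0\nfelhasznalo2:$apr1$2E9j3TXC$75bLkOfYpAIK4YJWBkbd60\n'
```

The salt is taken from the stored record, so a given password always reproduces the same hash, which is exactly how htpasswd -v decides between exit codes 0 and 3.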

 

Automate the management of HTTP users

The htpasswd command also lends itself to automation in scripts. There are two ways to do this:

Command-line mode

In command-line mode, with the -b switch, htpasswd does not prompt for the password from the keyboard but expects it as a parameter. This allows you to perform the desired user operation on the .htpasswd file with a single command.

For example, add a user named "autouser1" to our previous password file with the password "123 45":

htpasswd -b ./.htpasswd autouser1 "123 45"

From here on the command runs as in the interactive method, so the output and the result are the same.

Quotation marks are only required if the password contains a space. However, it is always a good idea to use them in scripts, because you can never know in advance what passwords will pass through our program.
Passing passwords on the command line is not secure at all (they are visible to other users in the process list and may end up in the shell history), so we treat this usage as merely interesting; use the pipe mode below for automation instead!

Pipe mode

I just came up with this name for this usage: with the -i switch the command reads the password from standard input (stdin) without asking for confirmation. So the password can come from another program through a pipe. This method is secure because the password never appears on the command line. This switch is available from Apache version 2.4.4.

Let's also see an example:

echo "abc def" | htpasswd -i ./.htpasswd autouser2

Continuing with our previous password file, we now pipe the output of the echo command to htpasswd, which, thanks to the -i switch, uses it as the password when creating the user named "autouser2".

Of course, the echo command can be replaced by any program that writes the correct password to standard output; for example, passwords can be retrieved from a MySQL database.

Once the user is successfully created, let's look at the file:

felhasznalo:$apr1$o3UQr8fo$QGMuDGbSC0TPha6ud8KGW0
autouser1:$apr1$xrVnm4S4$.Zkv28XTKb/Jp2tdtuSky.
autouser2:$apr1$Wbfjq/E1$95qLB8jbqemxGs5RCB5hV1

autouser2 has been added, so we can now test whether our passwords containing spaces really work:

htpasswd -v -b ./.htpasswd autouser2 "abc def"

Here I just used the -b switch to run the test from the command line.

And the output is correct:

Password for user autouser2 correct.

 

 

Let's test HTTP authentication!

Having done all this work on the password file, let's try it out in practice.

Create a .htaccess file in the web directory to be password protected or, if one already exists, open it for editing.

Add the following lines (if the file already has content, you may want to put them first):

AuthName "Jelszo vedett terulet!"
AuthType Basic
AuthUserFile /abszolut/utvonal/a/jelszofajlhoz/.htpasswd
require valid-user

Then, when we open the page where we placed the .htaccess file in the browser, the login window appears, and we can log in with the users and passwords from our file.

Of course, you also need some target file to load, say index.php or index.html, so that you don't get a 404 error.

Also note that the password file can be anywhere, as long as its exact absolute path is given (relative paths do not work).
This also makes it possible to store all users in a common password file and refer to the same .htpasswd file from each protected directory, so our HTTP users can be managed centrally.
Important!
In the first line, where we specify the text of the login window, and in usernames, only ASCII characters can be used: accented characters in the window title will be garbled and usernames containing them will not work, so avoid them. I found a description of this here.

Troubleshooting

If the same username is used in two separately protected directories under the same domain name but with different passwords, they will "collide", because the browser does not remember the credentials per subdirectory but associates them with the domain name.

Example:
If one subdirectory of a website holds a web statistics tool and another a phpMyAdmin system, or whatever, and in both you set up the user admin for HTTP authentication but with different passwords, then logging in will work the first time in both, but after logging in to the second, the browser will be logged out of the first, because the password entered earlier no longer matches there.

In this case, a line similar to the following appears in the Apache error.log file:

[Sat Nov 10 00:18:30.658843 2018] [auth_basic:error] [pid 3679] [client xxx.xxx.xxx.xxx:31173] AH01617: user admin: authentication failure for "/": Password Mismatch, referer: https://www.domainnév/védett_könyvtár/

I only wrote this down because it is a pretty sneaky mistake that is hard to spot and unravel. Especially if Fail2Ban is also running on our server with the Apache filters enabled, because then it even bans us. I managed to get through this pretty much the same way.

Therefore the solution to the above is to use a different HTTP username in each protected directory. Or, if you still want to use the same one, the passwords must also match so that the browser does not log you out.

If you accidentally lock yourself out while trying HTTP authentication, this description offers a cure for it.

 

Conclusion

So that is how to manage the users and passwords required for HTTP authentication in .htpasswd files. This is the easiest way to build anything from simple directory protection to a complex, database-backed, script-driven authentication system; just be aware of the limited character-encoding options and avoid passing passwords as command-line parameters.

 
