Mosaic User Authentication Tutorial
General Information
There are two levels at which authentication can work: per-server and per-directory.
This tutorial covers per-directory authentication, which is what is available
on your virtual web server. Per-directory authentication means that users
with write access to part of the filesystem that is being served can control
access to their files as they wish. They need not have root access on the
system or write access to the server's primary config files.
Access control for a given directory is controlled by a file named .htaccess
that resides in that directory. The server reads this file on each access
to a document in that directory (or documents in subdirectories).
By-Password Authentication: Step By Step
So let's suppose you want to restrict files in a directory called turkey
to username pumpkin and password pie. Here's what to do:
First, you will need to determine where your directory is. The parts
of the path that vary from one account to another are the third, fourth,
fifth and sixth directory components, written here as x, yy, [login] and
www.[domain.com]. [login] is your ftp login name, and www.[domain.com] is
your domain with its proper ending (.com, .net, .org, etc). x and yy
consist of hexadecimal digits and can be read off by running the pwd
command from your home directory: they are the third (x) and fourth (yy)
directories listed. Running pwd gives output of the general form
/u/home/x/yy/[login]/www.[domain.com]. Keep these four values in mind and
substitute them wherever they are referenced below.
Create a file called .htaccess in directory turkey that
looks like this:
AuthUserFile /u/home/x/yy/[login]/www.[domain.com]/pw/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user pumpkin
</Limit>
Note that the password file lives in a separate directory, ~/pw (that is,
/u/home/x/yy/[login]/www.[domain.com]/pw), not in turkey itself, which is
why AuthUserFile carries the full path to it. Because ~/pw sits under the
directory tree the server publishes, make sure the server refuses to serve
files whose names begin with .ht; if it does not, anyone could simply fetch
your password file, so ask your administrator, or keep the file outside
the served tree if your account allows it.
Also note that in this case there is no group file, so we specify /dev/null
(the standard Unix name for a file that is always empty).
AuthName can be anything you want; it is the realm text the browser shows
in its login prompt. AuthType should always currently be Basic.
One caveat on <Limit GET>: it applies the require line only to GET (and
HEAD) requests. Other methods, such as POST, are not covered, so if
anything in the directory answers to other methods, list those methods in
the Limit line as well, or the restriction will not apply to them.
Create the password file ~/pw/.htpasswd.
The easiest way to do this is to use the htpasswd program that is on
the server already. Do this:
cd ~/pw
htpasswd -c .htpasswd pumpkin
Type the password -- pie -- twice as instructed. The -c flag creates the
file, so use it only the first time; running htpasswd -c again later
would wipe any users already in it.
Change permissions on the file so the server can read it. Do this:
chmod 644 .htpasswd
This makes the file readable by every account on the machine, not just
the server. The entries are hashed rather than plain text, but other users
of a shared host could copy them and guess passwords offline, so if your
host lets you use a tighter mode (for example 640, with the server's group
as the file's group), prefer that.
Check the resulting file to get a warm feeling of self-satisfaction;
it should look like this (the second field is a crypt(3) hash of the
password, not the password itself, and since the salt is random your hash
will differ):
pumpkin:y1ia3tjWkhCK2
That's all. Now try to access a file in directory turkey -- your
browser should demand a username and password, and not give you access
to the file if you don't enter pumpkin and pie. If you are
using a browser that doesn't handle authentication, you will not be able
to access the document at all.
How Secure Is It?
The password is passed over the network not encrypted, merely encoded: the
browser sends username:password Base64-encoded (older descriptions call
this "uuencoded", but the scheme is Base64) in the Authorization header of
its request, and it sends it again with every later request to the same
realm. Anyone watching packet traffic on the network will not see the
password as literal text, but Base64 reverses with no key at all, so
anyone who catches one such packet has the password.
So basically this method of authentication is roughly as safe as telnet-style
username and password security -- if you trust your machine to be on the
Internet, open to attempts to telnet in by anyone who wants to try, then
you have no reason not to trust this method also. The one thing that
actually hides the password from an observer is an encrypted connection,
so serve protected directories over HTTPS where you can.
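The point above, shown in Python as an added example that is not part of the original tutorial: the Authorization header a browser builds for pumpkin/pie, and what a passive observer recovers from captured requests with nothing more than a Base64 decode. The request texts in CAPTURE are constructed for the example; the function names are mine.

```python
import base64


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a browser sends for HTTP Basic auth.
    Base64 is an encoding, not encryption: there is no key involved."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


# Constructed capture: a first request that gets challenged, then the
# retry carrying credentials. Only the second one is interesting to a sniffer.
CAPTURE = [
    "GET /turkey/index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "\r\n",
    "GET /turkey/index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Authorization: " + basic_header("pumpkin", "pie") + "\r\n"
    "\r\n",
]


def recover_credentials(raw_request: str):
    """What an observer does with one captured request: find the
    Authorization header and reverse the Base64 step. Returns (user, password)
    or None when the request carries no Basic credentials."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        return user, password
    return None


def harvest(capture):
    """Scan a whole capture and collect every credential pair it exposes."""
    found = []
    for raw in capture:
        creds = recover_credentials(raw)
        if creds is not None and creds not in found:
            found.append(creds)
    return found


if __name__ == "__main__":
    print(basic_header("pumpkin", "pie"))
    print(harvest(CAPTURE))
```

Because the browser repeats the header on every request in the realm, an observer does not need to catch the first login; any later request to the directory will do.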
Multiple Usernames/Passwords
If you want to give access to a directory to more than one username/password
pair, follow the same steps as for a single username/password with the
following additions:
Add additional users to the directory's .htpasswd file.
Use the htpasswd command without the -c flag to add additional
users; e.g.:
htpasswd ~/pw/.htpasswd peanuts
htpasswd ~/pw/.htpasswd almonds
htpasswd ~/pw/.htpasswd walnuts
Create a group file.
Call it ~/pw/.htgroup and have it look something like this:
my-users: pumpkin peanuts almonds walnuts
... where pumpkin, peanuts, almonds, and walnuts
are the usernames.
Then modify the .htaccess file in the directory to look like
this:
AuthUserFile /u/home/x/yy/[login]/www.[domain.com]/pw/.htpasswd
AuthGroupFile /u/home/x/yy/[login]/www.[domain.com]/pw/.htgroup
AuthName ByPassword
AuthType Basic
<Limit GET>
require group my-users
</Limit>
Note that AuthGroupFile now points to your group file and that
group my-users (rather than individual user pumpkin) is now required
for access.
That's it. Now any user in group my-users can use his/her individual
username and password to gain access to directory turkey.
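As an added example, not part of the original tutorial or of any server's code, here is a small Python model of how the server evaluates the files from both the single-user setup (AuthGroupFile /dev/null, require user pumpkin) and the group setup above (require group my-users), so you can see which requests get 401, 403 or 200. It assumes password entries in the {SHA} form that htpasswd -s writes (base64 of SHA-1), because the crypt(3) entries shown earlier need the system crypt routine; the in-memory FILES dict stands in for the disk, the user list and hashes are constructed here, and decide() and the other function names are mine.

```python
import base64
import hashlib
import hmac

DOCROOT = "/u/home/x/yy/[login]/www.[domain.com]"


def sha_entry(password: str) -> str:
    """Password-file entry in the form htpasswd -s writes: {SHA} + base64(SHA-1)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


# Constructed stand-in for the files on disk (hashes generated by sha_entry).
FILES = {
    f"{DOCROOT}/pw/.htpasswd": "\n".join([
        "pumpkin:" + sha_entry("pie"),
        "peanuts:" + sha_entry("butter"),
        "outsider:" + sha_entry("knock"),   # valid login, but not in my-users
    ]),
    f"{DOCROOT}/pw/.htgroup": "my-users: pumpkin peanuts almonds walnuts",
}

HTACCESS_SINGLE = f"""AuthUserFile {DOCROOT}/pw/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user pumpkin
</Limit>
"""

HTACCESS_GROUP = HTACCESS_SINGLE.replace("AuthGroupFile /dev/null", f"AuthGroupFile {DOCROOT}/pw/.htgroup") \
                                .replace("require user pumpkin", "require group my-users")


def parse_htaccess(text: str) -> dict:
    """Collect the directives this tutorial uses. cfg['limit'] is the set of
    methods named in <Limit ...>, or None when there is no Limit block."""
    cfg = {"limit": None, "requires": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</Limit"):
            continue
        if line.startswith("<Limit"):
            cfg["limit"] = {m.upper() for m in line[len("<Limit"):].rstrip(">").split()}
        elif line.lower().startswith("require "):
            kind, *names = line.split()[1:]
            cfg["requires"].append((kind.lower(), names))
        else:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg


def parse_htpasswd(text: str) -> dict:
    return {u: h for u, _, h in (l.partition(":") for l in text.splitlines() if ":" in l)}


def parse_htgroup(text: str) -> dict:
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups


def password_ok(stored: str, supplied: str) -> bool:
    if not stored.startswith("{SHA}"):
        return False        # crypt(3), MD5 and bcrypt entries are outside this example
    return hmac.compare_digest(stored, sha_entry(supplied))


def decide(htaccess: str, files: dict, method: str, authorization):
    """Return (status, detail) for one request to the protected directory."""
    cfg = parse_htaccess(htaccess)
    method = method.upper()
    limited = cfg["limit"]
    # <Limit GET> also covers HEAD; methods not listed are not restricted at all.
    covered = limited is None or method in limited or (method == "HEAD" and "GET" in limited)
    if not covered:
        return 200, "method outside <Limit>: served without any credentials"
    challenge = f'WWW-Authenticate: Basic realm="{cfg.get("AuthName", "")}"'
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge
    user, _, pwd = decoded.partition(":")
    users = parse_htpasswd(files.get(cfg.get("AuthUserFile"), ""))
    if user not in users or not password_ok(users[user], pwd):
        return 401, challenge
    groups = parse_htgroup(files.get(cfg.get("AuthGroupFile"), ""))   # /dev/null -> no groups
    for kind, names in cfg["requires"]:
        if kind == "valid-user" or (kind == "user" and user in names):
            return 200, f"{user} allowed"
        if kind == "group" and any(user in groups.get(g, ()) for g in names):
            return 200, f"{user} allowed via group"
    return 403, f"{user} authenticated but matches no require line"


if __name__ == "__main__":
    print(decide(HTACCESS_GROUP, FILES, "GET", basic_header("pumpkin", "pie")))
    print(decide(HTACCESS_GROUP, FILES, "POST", None))
```

The last call in the usage section is the one to look at: with only GET named in the Limit block, a POST to the same directory is answered without any challenge at all, which is the caveat given with the .htaccess listing earlier.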