
User Authentication in Apache


Basic Authentication

This tutorial is concerned with the configuration of Basic Authentication in Apache.

Question 1: Create TOM

Build a user called "tom" to experiment with. Use

adduser tom

You also need to have the apache service (httpd) running.

Make sure your httpd.conf file supports User public_html directories. Look through the /etc/httpd/conf.d/userdir.conf file for a line:

  UserDir disable

Comment this line out (or delete it). Then look on a little further to find:

    #UserDir public_html

Delete (uncomment) the '#' comment character from the front of this line. As you have changed the configuration remember to reload the httpd service!

Now create a user called "tom", create a public_html directory in tom's home directory, and create a file p1.html in the public_html. The contents of this file should be:

<html>
<body>
<h1>TOM</h1>
<p>
Document body goes here.
</p>
</body>
</html>

Change the appropriate permissions on the /home/tom directories and files by the minimum amount possible to give apache permission to use the file.

Finally, SELinux is enabled in enforcing mode in Fedora 15 by default, so there is one more layer of security to configure. By default SELinux forbids httpd from reading any file in /home. You need to make sure that the SELinux boolean httpd_read_user_content is enabled. Check with

getsebool  httpd_read_user_content

and if needed set it with

setsebool -P httpd_read_user_content 1

"setsebool" may take 20 or more seconds to run. It will finish, honest!

IN ALL CASES ENSURE tom owns ALL FILES AND DIRECTORIES in /home/tom AT ALL TIMES. Give yourself a break and do "su - tom" when you want to create stuff in /home/tom, then CTRL-D back to root for the admin stuff...

Tests - not attempted
Apache Running UNTESTED
UserDir seems to be disabled UNTESTED
Tom exists UNTESTED
Tom has a public_html which he owns UNTESTED
Tom has a home directory executable by others UNTESTED
Tom has a public_html executable by others UNTESTED
Tom has a file p1.html which he owns UNTESTED
p1.html is readable by others UNTESTED
p1.html contains the word TOM (case sensitive) UNTESTED
SELinux has been configured with httpd_read_user_content true UNTESTED
http://host/~tom/p1.html actually works UNTESTED

Question 2: Add two new directories/files

Create the following directories, each of which must be executable by others:

  • /home/tom/public_html/richard
  • /home/tom/public_html/harry

In each of these new directories create a file similar to p1.html, but called:

  • /home/tom/public_html/richard/p2.html
  • /home/tom/public_html/harry/p3.html

In "richard/p2.html" replace the word TOM with RICHARD. In "harry/p3.html" replace the word TOM with HARRY. Case is important.

Tests - not attempted
Can read http://../~tom/richard/p2.html UNTESTED
http://../~tom/richard/p2.html contains RICHARD UNTESTED
Can read http://../~tom/harry/p3.html UNTESTED
http://../~tom/harry/p3.html contains HARRY UNTESTED

Question 3: Basic Auth file

Create a password file for basic authentication. Remember this has nothing to do with normal unix users, and even less to do with /etc/passwd!

The htpasswd command allows you to create the file, and to add users to the file. Use it to create a basic authentication password file called "/home/tom/webpasswd". Put into this file two users with the following passwords:

User: richard              Password: pass1
User: harry                Password: pass2

Make sure that the password file is world readable.

Tests - not attempted
/home/tom/webpasswd exists and seems readable UNTESTED
Contents semi-sensible for richard? UNTESTED
Contents semi-sensible for harry? UNTESTED

Question 4: Secure richard/

Secure the public_html/richard directory so only a user with the basic authentication details of richard, password pass1, can access the files.

Tests - not attempted
Basic Auth needed on ~tom/richard/p2.html UNTESTED
Basic Auth using richard/pass1 works for ~tom/richard/p2.html UNTESTED
Basic Auth using harry/pass2 fails for ~tom/richard/p2.html UNTESTED

Question 5: Secure harry/

Secure the public_html/harry directory so only a user with the basic authentication details of group "magic" can access the contents.

To answer this question, create a group file "/home/tom/webgroup" with the following contents:

magic: richard harry

Make sure in the .htaccess file in the harry directory you use only "Require group" and not some sort of "Require user" command. And make sure all files in /home/tom are owned by tom...

Tests - not attempted
/home/tom/webgroup exists and seems readable UNTESTED
/home/tom/webgroup contains right magic: definition UNTESTED
No Require User in .htaccess UNTESTED
Using Require Group magic in .htaccess UNTESTED
Basic Auth needed on ~tom/harry/p3.html UNTESTED
Basic Auth using richard/pass1 works for ~tom/harry/p3.html UNTESTED
Basic Auth using harry/pass2 works for ~tom/harry/p3.html UNTESTED

Question 6: Complex requires

  1. Add to your webpasswd file an extra user, "jim", with password "walton".
  2. Create a directory in public_html for "jim", called "jim", and create a file "p4.html" which is a copy of "p1.html" except you need to replace the word "TOM" with "JIM".
  3. Protect this directory with basic authentication (similar to harry), but this time configure it so that access is only permitted by either user "jim" from 10.200.0.1, or user "harry" from 127.0.0.1. Do not use any implicit requires (i.e. say RequireAny or RequireAll rather than relying on the defaults).

Tests - not attempted
Jim seems to be in webpasswd UNTESTED
basic auth seems to be in the .htaccess file UNTESTED
Right no of requires test 1 UNTESTED
Right no of requires test 2 UNTESTED
User tests UNTESTED
IP tests UNTESTED
Basic Auth needed on ~tom/jim/p4.html UNTESTED
Basic Auth using jim/walton works for ~tom/jim/p4.html, 10.200.0.1 UNTESTED
Basic Auth using harry/pass2 fails for ~tom/jim/p4.html, 10.200.0.1 UNTESTED
Basic Auth using richard/pass1 fails for ~tom/jim/p4.html, 10.200.0.1 UNTESTED
Basic Auth using jim/walton fails for ~tom/jim/p4.html, 127.0.0.1 UNTESTED
Basic Auth using harry/pass2 works for ~tom/jim/p4.html, 127.0.0.1 UNTESTED
Basic Auth using richard/pass1 fails for ~tom/jim/p4.html, 127.0.0.1 UNTESTED
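
The nested authorization that Question 6 describes, written out as an added example in Apache 2.4 syntax (it is not part of the original tutorial). It assumes the file is /home/tom/public_html/jim/.htaccess and that the UserDir configuration allows AuthConfig overrides; the AuthName realm text is a constructed value.

```apache
# /home/tom/public_html/jim/.htaccess  (added example, Apache 2.4)
# Assumption: the <Directory> block covering public_html has
# "AllowOverride AuthConfig" (or All), otherwise this file is ignored
# or rejected.

AuthType Basic
# Realm text shown in the browser prompt; constructed placeholder value.
AuthName "Restricted"
AuthBasicProvider file
# Same password file as Questions 3-5; it lives outside public_html,
# so it cannot be fetched over HTTP.
AuthUserFile /home/tom/webpasswd

# Pitfall, shown commented out: bare Require lines are implicitly
# wrapped in <RequireAny>. With the two lines below, any request from
# 10.200.0.1 is granted on the IP match alone, without a password,
# and jim is granted from every address.
#   Require user jim
#   Require ip 10.200.0.1

# Explicit form: (jim AND 10.200.0.1) OR (harry AND 127.0.0.1).
# Each <RequireAll> ties one user to one source address; the outer
# <RequireAny> accepts either pair. richard matches neither block
# and is refused from both addresses.
<RequireAny>
    <RequireAll>
        Require user jim
        Require ip 10.200.0.1
    </RequireAll>
    <RequireAll>
        Require user harry
        Require ip 127.0.0.1
    </RequireAll>
</RequireAny>
```

Comments in Apache configuration must sit on their own lines; a '#' after a directive on the same line is read as part of its arguments.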



Copyright @ 2004-2017 Gordon Russell. All rights reserved.