Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#90882 - 28/04/2002 23:01 Password-protected sites
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
For an organization I'm in, I'm trying to create a members only section. We had one in a place where our site was previously located, set up by someone else, and we had to move and don't have that person's help anymore.

We didn't have one of those cheesy javascript password screens, either. I believe it was one of the usual ones that require login and pass.

I also had all the files from the old site location on my computer. I attempted to just copy them over to the new location, but it doesn't seem to work.

The last time I talked about this, people talked about .htaccess files, and someone posted a link about them. I remember I tried the things I read from that site, but it told me I needed to telnet into the site and make changes to the .htaccess files. Unfortunately, I can't telnet into the site at all.

Any help you guys can give me?
_________________________
Matt

Top
#90883 - 28/04/2002 23:29 Re: Password-protected sites [Re: Dignan]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
HTTP Authentication can be done with PHP if it is running as an Apache module (on an Apache server of course).
_________________________
Donato
MkII/080000565
MkIIa/010101253
ricin.us

Top
#90884 - 28/04/2002 23:58 Re: Password-protected sites [Re: ricin]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Wouldn't this have to be placed on every page you wanted to protect? The way we had it before, we could protect every single file and directory one folder and its subfolders.
_________________________
Matt

Top
#90885 - 29/04/2002 00:50 Re: Password-protected sites [Re: Dignan]
justinlarsen
old hand

Registered: 31/12/2001
Posts: 1109
Loc: Petaluma, CA
have u ever used .htaaccess files?
_________________________
---- Justin Larsen

Top
#90886 - 29/04/2002 01:16 Re: Password-protected sites [Re: Dignan]
ricin
veteran

Registered: 19/06/2000
Posts: 1495
Loc: US: CA
Depends on how it is coded. If it is done correctly you'd only need code to check for authentication, and you could have the code in another file and just require() it.

Also, you should be able to use .htaccess files by editing them on another machine and then uploading them to the server. Your only problem would be creating a htpasswd file, which you could overcome by using htpasswd on another machine. Don't quote me on that, as I've never tried it, but it should work.
_________________________
Donato
MkII/080000565
MkIIa/010101253
ricin.us

Top
#90887 - 29/04/2002 11:11 Re: Password-protected sites [Re: ricin]
cwillenbrock
enthusiast

Registered: 30/12/2000
Posts: 249
Loc: Dover, NJ
Also, this isn't your only option. Using PHP, you can create a login system using session variables, and stick login-checking code into an auto-prepend file, so that it's automagically require()'d into ever PHP page. The downsides are 1) you need to configure PHP with an auto-prepend file, if it isn't already, and 2) it will only protect PHP files, or files that are processed by PHP in the configuration.
_________________________
- Chris Orig. Empeg Queue position 2

Top
#90888 - 29/04/2002 13:33 Re: Password-protected sites [Re: ricin]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Exactly. You just need to upload an .htaccess file and, possibly, an .htpasswd file to that directory, just as you would any other file. This assumes that your web server is running Apache and that the Apache administrator has given you the permissions to change server configs in .htaccess files. Also, the .htpasswd file can definitely be generated anywhere. It just uses the standard Unix crypt() function to generate the encrypted password, just like in a real passwd file.
_________________________
Bitt Faulk

Top
#90889 - 29/04/2002 13:43 Re: Password-protected sites [Re: wfaulk]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Okay, so how do I edit this file? I've looked in it, and it's only a few lines, but I didn't see where our previous passwords were stored. I might not fully understand how it all works. Actually, I'm pretty sure I don't.

Another problem is that when I'm uploading the .htaccess file (using CuteFTP) I can't see it in the directory once it's uploaded. Is that a bad sign?
_________________________
Matt

Top
#90890 - 29/04/2002 19:50 Re: Password-protected sites [Re: Dignan]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Auth in Apache is covered in this document.

You shouldn't be able to see the .htaccess file, otherwise people could see it and, perhaps, figure out how to circumvent it.
_________________________
Bitt Faulk

Top
#90891 - 29/04/2002 23:49 Re: Password-protected sites [Re: wfaulk]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Thank you very much for that link. It was all explained very well. I understand it much better now.

However, I do need to create the passwords somehow. The .htaccess file I have would work, but naturally the password files are located in a different directory on our new server, and even then, they wouldn't really exist because I've never created them.

So how do I create the passwords and with no access to where the Apache server wants to store them??
_________________________
Matt

Top
#90892 - 30/04/2002 08:46 Re: Password-protected sites [Re: Dignan]
Alexander
member

Registered: 02/05/2000
Posts: 108
Loc: SF Bay Area
Apache doesn't care where you put the password file, so how can you not have access to it?

Just put it in the same directory as the .htaccess file, call it .htpasswd, and then do something like this in the .htaccess:

AuthUserFile /usr/www/users/me/privatedir/.htpasswd

The link above tells you how to make the file.

Alex

Top
#90893 - 30/04/2002 10:19 Re: Password-protected sites [Re: Alexander]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
But that link seems to say you need to be at some sort of command prompt. I'll re-read it, though.
_________________________
Matt

Top
#90894 - 30/04/2002 11:39 Re: Password-protected sites [Re: Alexander]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
After reading it again, I still can't see anything that tells me how to make the password file like I was saying. I can't telnet into the server, and I certainly don't have physical access to it, so how can I type in prompts like those?

Yet another problem is that I'm not certain what my path is. I don't know where my organization's site is located on the server. Is there any way I can find this out myself with only basic FTP access?
_________________________
Matt

Top
#90895 - 30/04/2002 12:55 Re: Password-protected sites [Re: Alexander]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Do not put the .htpasswd file in the same directory. If it's there, someone could easially grab it and know all the users on the system, plus have an easy time at cracking the passwords.

The logo site uses .htaccess for logins, and the password file sits in a very restricted folder in my home directory, and no web address can access it.

Top
#90896 - 30/04/2002 14:38 Re: Password-protected sites [Re: Dignan]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
You needn't use that program on that server or even use that program at all. It just generates a file with mutiple lines in the format ``username:encrypted-password'', like ``wfaulk:Ki9njd0n''. You can generate the encrypted password by using the standard Unix crypt() function. If you have access to another Unix machine, you can use this source code to generate it:
#define _XOPEN_SOURCE

#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
if(argc<2) fprintf(stderr, "Usage: %s string [salt]\n", argv[0]);
else if(argc<3) printf("%s\n", crypt(argv[1], argv[1]));
else printf("%s\n", crypt(argv[1], argv[2]));
return(0);
}
(or you could just compile the htpasswd program.)
_________________________
Bitt Faulk

Top
#90897 - 30/04/2002 14:58 Re: Password-protected sites [Re: wfaulk]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Thanks for the help!

So this file has to be encrypted in order to work? Can I just create a file with the correct name and a log/pass in it and upload it to an obscure directory?

Also, our current .htaccess file has something I haven't seen in the links people have given here. It looks like this:
<Limit GET>
</Limit>

Also, what about the directory path thing?
_________________________
Matt

Top
#90898 - 30/04/2002 15:25 Re: Password-protected sites [Re: Dignan]
NiCKEL
journeyman

Registered: 27/02/2002
Posts: 59
Loc: Vancouver, BC, Canada
If you toss:
<?php
echo $u.":".crypt($p);
?>

Into a file, say pass.php, upload it to your website and then call it as
http://mysite.com/pass.php?u=USER&p=PASS
It will return a line for the user 'USER' with the password 'PASS' that you can throw into a password file.
-Geoff

Top