Updated 13 July 2006

© 2006  LogiQwest, Inc. All rights reserved.


Directory Authentication (password)
Setup for Apache Web Server

Introduction

    The Apache Web Server provides password protection of directories in the DocumentRoot (e.g. htdocs). It is recommended that password protection be applied to the q-Status/Admin/ directory, as the administration functions allow creation of baseline data, golden parameters, group server classifications and updates for serial numbers.

    Establishing authentication protection for a directory requires:

  • Modifying the Apache httpd.conf file
  • Creating a password file
  • Creating a group file
  • Creating a .htaccess file

    The following describes a "Basic" method to set up such authentication.

Modifying the Apache Server Configuration File

Edit the /etc/apache/httpd.conf configuration file. Scan the file for the string pattern ".htaccess". This will locate a description of .htaccess control options. Below the description is a parameter "AllowOverride". The value of this parameter should be set to "All":

httpd.conf

From

# This controls which options the .htaccess files in 
# directories can override. It can also be "All", or any 
# combination of "Options", "FileInfo", 
# "AuthConfig", and "Limit"
#
    AllowOverride None

To

# This controls which options the .htaccess files in
# directories can override. It can also be "All", or any
# combination of "Options", "FileInfo", 
# "AuthConfig", and "Limit"
#
    AllowOverride All

Note: The "AllowOverride" parameter also appears in a couple of other places in the "httpd.conf" file, but there it is surrounded by the constructs

          <Directory>
              ----
          </Directory> 

Edit the "AllowOverride" that is not surrounded by such constructs, as this is the global parameter.

Restart the Apache Web Server

Use the apachectl command to restart the Apache web server so that the changes take effect.

# /usr/apache/bin/apachectl stop
/usr/apache/bin/apachectl stop: httpd stopped
# /usr/apache/bin/apachectl start
/usr/apache/bin/apachectl start: httpd started

Creating an Authorization Directory

To establish a password authentication directory, three files must be created:

  • password file
  • group file
  • .htaccess file.

The names of the group file and the password file are user-defined in the .htaccess file, but the .htaccess file itself must always be called .htaccess. This file is placed in the directory that will be password protected. For security reasons, the password and group files should be located above the hierarchy of the htdocs directory. A suggestion is to create a new directory called "auth" (for authentication) under the /etc/apache directory, where the password and group files will be located.

# cd /etc/apache
# mkdir auth

Creating the Password and Group File

Create a new password file in the new auth directory using the /usr/apache/bin/htpasswd command.

For example, we will assign a general user called "admin" with the password "admin1". We will also define the names of the password and group files to be restricted.pwd and restricted.grp.

# cd /etc/apache/auth
# /usr/apache/bin/htpasswd -c restricted.pwd admin
New password:admin1
Re-type new password:admin1
Adding password for user admin

The new restricted.pwd file should look like this:

# cat restricted.pwd
admin:u3wqEH8rQdcWQ

The structure of the group file consists of a group name followed by an assigned user name separated by a colon (:). As an example we will define a group called system. In the auth/ directory we create a file restricted.grp that looks like this:

# cat restricted.grp
system:admin

Creating the .htaccess file

The .htaccess file defines the location of the password and group files and must be located in the directory that is to be authenticated. The following authentication parameters are defined in the .htaccess file:

Parameter        Description
AuthType         should be "Basic"
AuthName         defines a string that is displayed in the login screen
AuthUserFile     defines the location of the password file
AuthGroupFile    defines the location of the group file
require          should be "valid-user" or "valid-group"

In the example, the .htaccess file should look like this:

AuthType Basic
AuthName "My Company [login info contact webmaster@myweb]"
AuthUserFile /etc/apache/auth/restricted.pwd
AuthGroupFile /etc/apache/auth/restricted.grp
require valid-user

After this file is created, test the restricted directory by calling it from your web browser. For our example, you will see the following prompt screen.

Note: The text string "My Company[for login info contact webmaster@myweb]" in the login prompt is defined by the AuthName parameter in the .htaccess file.

The require parameter can ask for a group instead of a user, but the .htaccess file must define the location of both the authentication password file and the group file.
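
An audit of the finished setup, as an added example that is not part of the original q-Status documentation: it checks that the password and group files named in .htaccess lie outside the DocumentRoot, that every group member has a password entry, and it flags weak hash schemes such as the 13-character crypt() hash shown above, which uses only the first eight characters of the password. The DocumentRoot /var/apache/htdocs, the function names and the handling of Apache's `require group <name>` form are assumptions of this example.

```python
import posixpath

PREFIXES = (("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1-unsalted"))

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument string."""
    pairs = (l.strip().partition(" ") for l in text.splitlines())
    return {n.lower(): a.strip().strip('"') for n, _, a in pairs
            if n and not n.startswith("#")}

def parse_colon_file(text):
    """Parse 'name:value' lines as used by the password and group files."""
    return {k.strip(): v.strip() for k, _, v in
            (l.partition(":") for l in text.splitlines()) if v}

def hash_scheme(value):
    """Classify an htpasswd hash by its well-known prefix or length."""
    for prefix, name in PREFIXES:
        if value.startswith(prefix):
            return name
    return "des-crypt" if len(value) == 13 else "unknown"

def audit(htaccess, pwd_text, grp_text, docroot):
    """Return a list of findings for one protected directory."""
    findings, conf = [], parse_htaccess(htaccess)
    root = posixpath.normpath(docroot)
    for key in ("authuserfile", "authgroupfile"):
        path = posixpath.normpath(conf.get(key, ""))
        if key not in conf:
            findings.append(f"{key}: not defined")
        elif path == root or path.startswith(root + "/"):
            findings.append(f"{key}: {path} is inside DocumentRoot")
    users = parse_colon_file(pwd_text)
    groups = {g: m.split() for g, m in parse_colon_file(grp_text).items()}
    for user, value in users.items():
        if hash_scheme(value) in ("des-crypt", "sha1-unsalted"):
            findings.append(f"user {user}: weak hash ({hash_scheme(value)})")
    for group, members in groups.items():
        findings += [f"group {group}: {m} has no password entry" for m in members if m not in users]
    req = conf.get("require", "").split()
    if req[:1] == ["group"]:
        findings += [f"require: unknown group {g}" for g in req[1:] if g not in groups]
    elif req != ["valid-user"]:
        findings.append("require: expected 'valid-user' or 'group <name>'")
    return findings

# Constructed sample: the page's example files; the DocumentRoot is an assumption.
HTACCESS = ("AuthType Basic\nAuthUserFile /etc/apache/auth/restricted.pwd\n"
            "AuthGroupFile /etc/apache/auth/restricted.grp\nrequire valid-user\n")
SAMPLE = audit(HTACCESS, "admin:u3wqEH8rQdcWQ\n", "system:admin\n", "/var/apache/htdocs")
```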