Securing Your Web Pages with Apache Page 9

By Ken Coar (Send Email)
Posted Jun 29, 2000


mod_auth
This is the baseline discretionary-control module, and the one most Apache installations use; it keeps the authentication database in ordinary text files. Entries are of the form "username:password", where the password field holds the encrypted (hashed) form written by the htpasswd tool rather than the clear text. Additional fields may follow the password, separated from it by colons, but they're ignored.

mod_auth_db
This module is essentially the same as mod_auth, except that the authentication credentials are stored in a Berkeley DB file format. The directives contain the additional letters "DB" (e.g., AuthDBUserFile).

mod_auth_dbm
Like mod_auth_db, save that credentials are stored in a DBM file; its directives carry the letters "DBM" (e.g., AuthDBMUserFile).

mod_auth_anon
This module mimics the behaviour of anonymous FTP; rather than having a database of valid credentials, it recognises a list of valid usernames (i.e., the way an FTP server recognises ftp and anonymous) and grants access to any of those with essentially any password. This module is more useful for logging who accesses resources and for keeping robots out than it is for actual access control.

mod_auth_digest
Whereas the other discretionary control modules supplied with Apache all support Basic authentication, mod_auth_digest is currently the sole supporter of the Digest mechanism. It underwent some serious revamping in 1999, and the new version is currently considered 'experimental', but no problems have been identified with the new code and it's likely to be moved back into the standard stable set of modules soon. Like mod_auth, the credentials used by this module are stored in a text file, but the entries are of the form "username:realm:digest", where the digest is the MD5 hash of "username:realm:password"; an entry is therefore tied to one realm (the AuthName). Digest database files are managed with the htdigest tool. Using mod_auth_digest is much more involved than setting up Basic authentication; please see the module documentation for details.
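How the two mechanisms use those files, as an added example that is not code from this article or from Apache: a small Python script that parses a constructed htpasswd-style file and a constructed htdigest-style file, then checks a Basic Authorization header and a Digest one against them. The htpasswd entries use the "{SHA}" form that htpasswd -s writes (the crypt(3) form needs a crypt() implementation and is left out), and the user names, realm, nonce and file contents are assumptions, except that the Mufasa entry and the Digest parameters reproduce the RFC 2617 worked example. Note how the Basic header decodes straight to the password, whereas the Digest exchange carries only an MD5 response and the server needs nothing more than the stored hash.

```python
import base64
import hashlib
import hmac

# Constructed htpasswd-style file (mod_auth): "username:password[:ignored fields]".
# The password field is the hash written by htpasswd, here sha1("password") in the
# base64 "{SHA}" form that "htpasswd -s" produces.
HTPASSWD = """\
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=:staff:trailing fields are ignored
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

# Constructed htdigest-style file (mod_auth_digest): "username:realm:HA1", with
# HA1 = MD5("username:realm:password"). The Mufasa entry is the RFC 2617 worked
# example (password "Circle Of Life").
HTDIGEST = """\
Mufasa:testrealm@host.com:939e7578ed9e3c518a452acee763bce9
"""


def load_htpasswd(text):
    """Return {username: stored password field}; fields after the password are dropped."""
    users = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, stored = line.split(":", 2)[:2]
        users[user] = stored
    return users


def check_sha_password(stored, password):
    """True if `password` matches a {SHA} entry (only that form is handled here)."""
    if not stored.startswith("{SHA}"):
        raise ValueError("this example only handles {SHA} entries")
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def parse_basic(header):
    """Basic auth is base64("user:password"): anyone who sees the header has the
    password in the clear, no cracking required."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def verify_basic(header, users):
    user, password = parse_basic(header)
    stored = users.get(user)
    return stored is not None and check_sha_password(stored, password)


def load_htdigest(text):
    """Return {(username, realm): HA1} from htdigest-style lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 3:
            entries[(parts[0], parts[1])] = parts[2]
    return entries


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2), HA2 = MD5(method:uri).
    The server only needs HA1, which is exactly what htdigest stores."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")          # RFC 2069 form (no qop)


def client_digest(username, realm, password, method, uri, nonce, nc, cnonce, qop):
    """What a browser computes from the clear-text password it was given."""
    return digest_response(md5hex(f"{username}:{realm}:{password}"),
                           method, uri, nonce, nc, cnonce, qop)


def verify_digest(params, method, entries):
    """`params` holds the fields of an Authorization: Digest header."""
    ha1 = entries.get((params["username"], params["realm"]))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, params["uri"], params["nonce"],
                               params.get("nc"), params.get("cnonce"), params.get("qop"))
    return hmac.compare_digest(expected, params["response"])


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD)
    print(parse_basic("Basic YWxpY2U6cGFzc3dvcmQ="))            # ('alice', 'password')
    print(verify_basic("Basic YWxpY2U6cGFzc3dvcmQ=", users))    # True

    entries = load_htdigest(HTDIGEST)
    params = dict(username="Mufasa", realm="testrealm@host.com", uri="/dir/index.html",
                  nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
                  cnonce="0a4f113b", qop="auth")
    params["response"] = client_digest("Mufasa", "testrealm@host.com", "Circle Of Life",
                                       "GET", params["uri"], params["nonce"],
                                       params["nc"], params["cnonce"], params["qop"])
    print(params["response"])                                   # 6629fae49393a05397450978507c4ef1
    print(verify_digest(params, "GET", entries))                # True
```

The comparisons use hmac.compare_digest so that a wrong hash is rejected in constant time; a real server would also have to track the nonces it issued and the nc counter to stop replay of a captured Digest header, which this example does not do.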

Allowing Users to Control Access to Their Own Documents

All of the security-related module directives can be used in per-directory .htaccess files. However, in order for Apache to pay attention to them, the directories in question need to be within the scope of an AllowOverride directive that includes the AuthConfig (for discretionary controls) or Limit (for mandatory controls) keywords. AllowOverride itself is only valid in a <Directory> section of the server configuration, and if a .htaccess file uses a directive its directory has not been granted, Apache refuses the request with a 500 error and logs that the directive is "not allowed here". For instance, a standard Linux installation of Apache can enable this for users' home pages with the following lines in the httpd.conf file:

    <Directory /home/*/public_html>
        AllowOverride AuthConfig Limit
    </Directory>

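With that in place, a user can protect his own pages with a .htaccess file like the following. This is an added example, not configuration from the original page; the user name, realm name and file paths are assumptions. It shows which directives each AllowOverride keyword unlocks, and how the two kinds of control combine.

```apache
# ~/public_html/.htaccess  (added example; "alice", the realm and the paths are assumed)

# AuthConfig group: honoured only if the <Directory> carries "AllowOverride AuthConfig"
AuthType Basic
AuthName "Alice's private pages"
# Plain-text mod_auth database, created with:  htpasswd -c /home/alice/.htpasswd alice
# Keep it outside the document tree so the server can never hand it out.
AuthUserFile /home/alice/.htpasswd
Require valid-user

# Limit group: honoured only if the <Directory> carries "AllowOverride Limit"
<Limit GET POST>
    Order Deny,Allow
    Deny from all
    Allow from .example.com
</Limit>

# By default (Satisfy All) both controls must pass: a valid user *and* a client
# inside example.com. "Any" lets either one suffice, so outsiders still need a
# password while insiders get through without one.
Satisfy Any
```

Leave the Satisfy line out (or set it to All) if the intent is that the password is required from everyone and the host restriction merely narrows down who may even try.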
Using Your System passwd File

This is a common request, and an incredibly bad idea: "How can I use my system's /etc/passwd file as my Web authentication database?"

The simple answer is: you don't. I'll just list a couple of reasons:

  1. If someone manages to obtain the username and password of someone accessing a Web page, that person can now log onto your system. (Remember, most Web authentication uses the Basic method, which sends the username and password base64-encoded, in the clear, with every request; anyone who can see the traffic can read them, no cracking required.)
