WIT 2003
Password-protecting a directory

Here's stuff from Mitch Marks:

Date: Sat, 26 Jul 2003 19:14:33 -0500 (CDT)
From: Mitch Marks <mitch@cuip.net>
To: Shaz Rasul <shaz@cuip.net>
Cc: server@cuip.net, Marty Billingsley <marty@vertex.ucls.uchicago.edu>
Subject: Re: password protection for individual pages.

On Sat, 26 Jul 2003, Shaz Rasul wrote:

>
> Mitch -
>
> Some of our participants have asked to put passwords on particular pages
> in their websites. Is there a "best" way to do this? Is there some
> convention you'd like us to use?
>
> please advise,
>
> -SR.

This can be selected by directory (or tree in fact), but not individual
page within a directory. If they don't want their whole site restricted,
they need to make a subfolder and put the restricted pages there.

Inside the folder to be restricted, make a file called ".htaccess". It has
to be called exactly that. Apache looks for those and accepts directives
about handling things at that folder and the tree below. One of those
options is password-based access restriction, which will say where the
password file is that you want used.

There are thus two main steps:

1. Add a ".htaccess" file, with the restriction and thre
designation of where the password file is. This can be done in a text
editor on the PC then uploaded, or created in place from a Linux shell.

2. Create the password file, with the location and filename
you've used when writing about it. You can't upload this, you create it
by running "htpasswd". It's recommended that the location be in the
user's home directory, but *not* in their www.

Enough overview, here are the specifics, by example mostly:

1. A ".htaccess" to produce password restriction:

AuthType Basic
AuthName "test restriction"
AuthUserFile /home/mitchell/web-users
Require valid-user

First line: use literally AuthType Basic
Second line: freely choose the name to go in the quotes. The browser will
show this to the visitor in one way or another, depending on the
browser.
Third line: Give the intended path to the password file. For personal web
areas, put it under /home/USER/ somewhere, but not within
/home/USER/www/.
Fourth line: use literally Require valid-user

2. Create the password file by running htpasswd

You can run "htpasswd --help" for a usage summary.

Here I run it four times, once with the creation flag and thereafter
without. Be wary about that -c flag: use it once and once only, otherwise
it could wipe out your password file. The third and fourth time
illustrate entering the password from the command line, an option new to
me. The first three are apparently individually assigned passwords, while
the fourth is apparently one to hand out -- I say "apparently" because
there's no formal difference in how these get handled.

[6:57pm] mitchell@cuip:~ 229> htpasswd -c /home/mitchell/web-users
MartyBillingsley
New password: [I typed it in]
Re-type new password: [I retyped it]
Adding password for user MartyBillingsley

[6:58pm] mitchell@cuip:~ 232> htpasswd /home/mitchell/web-users ShazRasul
New password: [I typed it in]
Re-type new password: [I retyped it]
Updating password for user ShazRasul

[6:59pm] mitchell@cuip:~ 233> htpasswd -b /home/mitchell/web-users BenBuckley w03theta
Adding password for user BenBuckley

[7:08pm] mitchell@cuip:~ 235> htpasswd -b /home/mitchell/web-users WITGuest dewey
Adding password for user WITGuest

So where is the web page you've just been given valuable access to?
Nowhere in fact ... but anywhere that the .htaccess file says this is the
password file to use.

Can different .htaccess files refer to the same password file? Sure.

Can the .htaccess refer to the system password file? No, it's a different
format, and the one with the passwords is not readable.

So how do I make the web access depend on their regular login and
password? Sorry, you can't do that. At best, you could ask your intended
visitors for their passwords, or have them enter them. But when they
later change their system passwords, that won't update the ones for your
web pages.

So what does that password file end up looking like? Here:

[7:08pm] mitchell@cuip:~ 236> cat /home/mitchell/web-users
MartyBillingsley:26GlH0pRxoOGQ
ShazRasul:VI5xJF7/KwDZU
BenBuckley:I9r/SQokZMQSM
WITGuest:xdxH86yPJsgdg