![[APACHE DOCUMENTATION]](../images/sub.gif)
Apache HTTP Server Version 2.0
Apache Module mod_auth
|
Summary
This module allows the use of HTTP Basic Authentication to
restrict access by looking up users in plain text password and
group files. Similar functionality and greater scalability is
provided by mod_auth_dbm. HTTP Digest
Authentication is provided by
mod_auth_digest.
Directives
See also
AuthAuthoritative Directive
|
This information has not been updated for Apache 2.0, which uses a different system for module ordering.
Setting the AuthAuthoritative directive
explicitly to 'off' allows for both
authentication and authorization to be passed on to lower level
modules (as defined in the Configuration and
modules.c files) if there is no
userID or rule matching the supplied
userID. If there is a userID and/or rule specified; the usual
password and access checks will be applied and a failure will give
an Authorization Required reply.
So if a userID appears in the database of more than one module;
or if a valid Require
directive applies to more than one module; then the first module
will verify the credentials; and no access is passed on;
regardless of the AuthAuthoritative setting.
A common use for this is in conjunction with one of the
database modules; such as auth_dbm,
mod_auth_msql, and mod_auth_anon.
These modules supply the bulk of the user credential checking; but
a few (administrator) related accesses fall through to a lower
level with a well protected AuthUserFile.
By default; control is not passed on; and an unknown userID or rule will result in an Authorization Required reply. Not setting it thus keeps the system secure; and forces an NCSA compliant behaviour.
Security
Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database such as mSQL. Make sure that theAuthUserFileis stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients will be able to download theAuthUserFile.
AuthGroupFile Directive
|
The AuthGroupFile directive sets the
name of a textual file containing the list of user groups for user
authentication. File-path is the path to the group
file. If it is not absolute (i.e., if it doesn't begin
with a slash), it is treated as relative to the ServerRoot.
Each line of the group file contains a groupname followed by a colon, followed by the member usernames separated by spaces. Example:
mygroup: bob joe anne
Note that searching large text files is very
inefficient; AuthDBMGroupFile should be used
instead.
Security
Make sure that the AuthGroupFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients will be able to download the AuthGroupFile.
AuthUserFile Directive
|
The AuthUserFile directive sets the name
of a textual file containing the list of users and passwords for
user authentication. File-path is the path to the user
file. If it is not absolute (i.e., if it doesn't begin
with a slash), it is treated as relative to the ServerRoot.
Each line of the user file file contains a username followed by
a colon, followed by the crypt() encrypted
password. The behavior of multiple occurrences of the same user is
undefined.
The utility htpasswd
which is installed as part of the binary distribution, or which
can be found in src/support, is used to maintain
this password file. See the man page for more
details. In short:
Create a password file 'Filename' with 'username' as the initial ID. It will prompt for the password:
htpasswd -c Filename username
Adds or modifies in password file 'Filename' the 'username':
htpasswd Filename username2
Note that searching large text files is very
inefficient; AuthDBMUserFile should be used
instead.
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients will be able to download the AuthUserFile.
