PIRL User Notes
If you would like to place directories on your personal web page under password protection on the PIRL systems, this document is for you. We are not going to explain all of the details of this process because they are better explained in other locations. Below, we provide a recipe for password protecting your directories, but we encourage you to read through the appropriate Security Tutorials on the Apache site for more detailed descriptions of why we tell you to do these things.
Let's say I have my personal web page in my public_html directory (~/public_html), which can be reached at the web address http://pirlwww.lpl.arizona.edu/~username. Within that web page, I have a directory called secured (reachable via http://pirlwww.lpl.arizona.edu/~username/secured) that I would like to password protect, so that anyone who goes to http://pirlwww.lpl.arizona.edu/~username/secured is asked for a username and password, and the webserver won't let them see the directory without them.
In order to accomplish this, we need to create two files: a password file that contains user information, and an access file that the webserver looks for and that tells it how to protect the directory.
First let's create that password file. To do so, we need to run the htpasswd command. You can use htpasswd to create your password file like this:
htpasswd -c ~/public_html/secured/.htpasswd username
The program will then ask you for the password for this username. The username can be anything you want; it isn't tied to system usernames. The -c option indicates that you are creating the file. If you want to add a second user to the file later, leave out the -c (with -c, htpasswd overwrites the existing file).
Also, the above command created a password file called ~/public_html/secured/.htpasswd. You can call it whatever you want, but this works pretty well.
WARNING: DO NOT use your PIRL system password for this password. The password file that you are generating for use with your web pages is in your directories and is not as secure as the system password file. If you use your system password for this, don't be surprised if this file gets read by bad guys and they use that password to crack your system account. You have been warned.
Now that you have the password file, we just need to create the access file. This access file must be named .htaccess (with the leading period), otherwise the webserver won't be able to find it (just like your web pages must be in a directory called public_html). We'll use our favorite text editor to create and edit a file in our ~/public_html/secured directory called .htaccess, and in it, we'll place the following lines:
AuthType Basic
AuthName "My Secured Area"
AuthUserFile /home/pirl/username/public_html/secured/.htpasswd
require valid-user
In this case, the argument to AuthUserFile is a filepath,
so replace username with your PIRL username.
With both the .htpasswd and the .htaccess files in place, the directory that contains the .htaccess file (and all of that directory's sub-directories) is now under password protection by the webserver.
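A quick consistency check for the two files created by the recipe above, as an added example (it is not part of the original PIRL notes and is not an Apache tool). The function name check_protected_dir, the sample user alice and the made-up hash are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_protected_dir is a hypothetical helper name, not an Apache tool.
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_protected_dir() {
    dir=$1; acc="$dir/.htaccess"; bad=0
    fail() { echo "PROBLEM: $*"; bad=1; }
    if [ ! -f "$acc" ]; then
        fail "$acc is missing (the file must be named .htaccess)"
        return 1
    fi
    # Directives from the recipe; Apache treats directive names case-insensitively.
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic[[:space:]]*$' "$acc" \
        || fail "no 'AuthType Basic' line"
    grep -Eiq '^[[:space:]]*AuthName[[:space:]]+[^[:space:]]' "$acc" \
        || fail "no AuthName line"
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user[[:space:]]*$' "$acc" \
        || fail "no 'require valid-user' line"
    # AuthUserFile is a filesystem path, not a URL; a relative value would be
    # resolved against Apache's ServerRoot, not against this directory.
    pw=$(sed -n 's/^[[:space:]]*[Aa]uth[Uu]ser[Ff]ile[[:space:]]\{1,\}//p' "$acc" \
        | head -n 1 | tr -d '"\r')
    case $pw in
        '') fail "no AuthUserFile line" ;;
        /*) if [ ! -f "$pw" ]; then fail "AuthUserFile $pw does not exist"; fi ;;
        *)  fail "AuthUserFile '$pw' is not an absolute path" ;;
    esac
    if [ -f "$pw" ]; then
        # Every entry must look like user:hash, with a non-empty hash.
        if grep -Evq '^[^:]+:.+$' "$pw"; then fail "malformed entry in $pw"; fi
        # Added hygiene check: only the owner should be able to rewrite the file.
        if [ -n "$(find "$pw" \( -perm -020 -o -perm -002 \))" ]; then
            fail "$pw is group- or world-writable"
        fi
    fi
    return $bad
}

# Constructed demo: a throwaway directory with a made-up (not real) hash.
demo=$(mktemp -d)
printf 'alice:$apr1$CONSTRUCTED$notarealhash\n' > "$demo/.htpasswd"
chmod 644 "$demo/.htpasswd"
printf 'AuthType Basic\nAuthName "My Secured Area"\nAuthUserFile %s\nrequire valid-user\n' \
    "$demo/.htpasswd" > "$demo/.htaccess"
check_protected_dir "$demo" && echo "OK: recipe files are consistent"
rm -rf "$demo"
```

To check your own directory, call the function with its path, for example check_protected_dir ~/public_html/secured.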
Again, this is just the nitty-gritty on how to password-protect your directories. There is a lot of functionality for this kind of security mechanism, and we highly suggest that you read through the Security Tutorials on the Apache site for a complete treatment of these issues. The level of security afforded by this method is adequate, but not high. If you have data that you feel requires a greater amount of protection or you have different authorization requirements, please consult webmaster@pirlmail.lpl.arizona.edu for more information.