Hi Eric,
> I am trying to set up user authentication on my SUSE 9.0 box and I keep running into 500 errors, or the username and password will not work in the pop up window. The errors I get in the logs are:
>
> [Thu Sep 09 12:00:24 2004] [error] [client 192.168.1.103] (2)No such file or directory: Could not open password file: /etc/apache/.htaccess
> [Thu Sep 09 12:00:24 2004] [error] [client 192.168.1.103] user admin not found: /

--> Just a thought: have you checked the ownership and access rights of /etc/apache/.htaccess ?

On my SuSE 9.0 system, the process "httpd" runs as user "wwwrun". So /etc/apache/.htaccess should be readable by user "wwwrun" and probably not by anyone else (to protect from local users).

HTH,

Armin

-- 
Am Hasenberg 26              office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                  Schloss-Straße 6
Tel. ++49-(0)38203/42137             D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de          Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/          Fax. +49-(0)38293-68-50
Armin Schoech wrote:
> Hi Eric,
>
> > I am trying to set up user authentication on my SUSE 9.0 box and I keep running into 500 errors, or the username and password will not work in the pop up window. The errors I get in the logs are:
> >
> > [Thu Sep 09 12:00:24 2004] [error] [client 192.168.1.103] (2)No such file or directory: Could not open password file: /etc/apache/.htaccess
> > [Thu Sep 09 12:00:24 2004] [error] [client 192.168.1.103] user admin not found: /
>
> --> Just a thought: have you checked the ownership and access rights of /etc/apache/.htaccess ?
>
> On my SuSE 9.0 system, the process "httpd" runs as user "wwwrun". So /etc/apache/.htaccess should be readable by user "wwwrun" and probably not by anyone else (to protect from local users).
There is an acl in apache-config (Apache 1.x and 2.x) that disallows the reading of .ht* files. 500 Error is an internal server error and means something in your .htaccess file is not supported by the server.

User authentication via .htaccess goes this way: You make a .htaccess file and a .htpasswd file for authentication.

.htaccess:

    AuthType Basic
    AuthName "Please authentificate yourself!"
    AuthUserFile /path-to-authentificationdir/.htpasswd
    require user USERNAME

.htpasswd is generated by typing "htpasswd -cbm .htpasswd USERNAME PASSWORD". Type "htpasswd --help" for help!

Afterwards do edit your files and change file rights as follows:

    #use the intended webuser here!
    chown wwwrun:nogroup .ht*
    chmod o+r .htaccess
    chmod o+r .htpasswd

Now you should have password protected Webfolders. If not you have to change apache config file which settings can be changed by .htaccess files (there should be an example in the config!). Depending on which modules are loaded apache can set much more options in .htaccess file (even for php ...). Not all are supported by SuSE's shipped apache 1/2, because one module is missing (I forgot the name).

We got a webscript at our university for making .htaccess authentication. You better change .passwd to .htpasswd. Here you find it (german version, but it is self explaining):

http://www.uni-duisburg.de/HRZ/services/alle/internet/www/htaccess/

Philippe
* Philippe Vogel wrote on Fri, Sep 10, 2004 at 10:31 +0200:
> AuthType Basic

(which means clear text unless https is used, just BTW)

> #use the intended webuser here!
> chown wwwrun:nogroup .ht*

yeah, especially not "nogroup" because that group shouldn't own files.

> chmod o+r .htaccess
> chmod o+r .htpasswd

I must admit that I also dislike o+r, because trivial passwords are quickly cracked when the crypt string is known and many people reuse passwords all over (not only for some web pages where it may not matter). I propose to use <webmaster>:<wwwrun> with mode 0640. However, this depends on whether you have users on the web server, e.g. when they access ~/public_html or such. Those files should of course belong to that user :)

> Now you should have password protected Webfolders. If not you have to change apache config file which settings can be changed by .htaccess files (there should be an example in the config!).

Yeah, but also take care that by this you don't allow users too much! If they can add FollowSymLinks (instead of symlinks if owner match) they can read files the webserver has access to - and who knows what else :)

> We got a webscript at our university for making .htaccess authentication. You better change .passwd to .htpasswd. Here you find it (german version, but it is self explaining):
>
> http://www.uni-duisburg.de/HRZ/services/alle/internet/www/htaccess/

It is really amazing what people automate... In the past a simple $EDITOR was sufficient for administration, now you need a graphical browser :-) SCNR.

oki,

Steffen

-- 
This letter was generated automatically and therefore bears neither signature nor seal.
participants (3): Armin Schoech, Philippe Vogel, Steffen Dettmer
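
Added example, not written by anyone in the thread: a small shell check for the two problems discussed above, an AuthUserFile that points at a file which does not exist (the "(2)No such file or directory: Could not open password file" log line) and a password file left readable by "other" (the o+r objection). The function name, return codes and the sample path in the last comment are assumptions of this example; it also assumes AuthUserFile holds an absolute path without spaces.

```shell
#!/bin/sh
# Added example (not from the thread): audit the password file a .htaccess names.
# Return codes are an assumption of this example:
#   0 ok, 1 no AuthUserFile directive, 2 password file missing,
#   3 password file accessible to "other"
audit_htaccess() {
    htaccess=$1
    # Take the last AuthUserFile line found; directive names are case-insensitive.
    # Assumes an absolute path that contains no spaces.
    pwfile=$(awk 'tolower($1) == "authuserfile" { f = $2 }
                  END { gsub(/"/, "", f); print f }' "$htaccess")
    if [ -z "$pwfile" ]; then
        echo "FAIL: no AuthUserFile in $htaccess"
        return 1
    fi
    # Same condition that produces "(2)No such file or directory" in the error log.
    if [ ! -f "$pwfile" ]; then
        echo "FAIL: $pwfile does not exist (check the AuthUserFile path)"
        return 2
    fi
    # Any r/w/x bit for "other" exposes the password hashes to local users.
    if [ -n "$(find "$pwfile" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
        echo "FAIL: $pwfile is accessible to other; mode 0640 closes it"
        return 3
    fi
    echo "OK: $pwfile exists and is closed to other: $(ls -l "$pwfile")"
    return 0
}

# Stand-alone use: sh audit.sh /srv/www/htdocs/private/.htaccess (constructed path)
if [ -n "${1:-}" ]; then
    audit_htaccess "$1"
fi
```

The check does not confirm that the web server account can read the file; run it as that account, or compare the owner and group shown in the OK line with the user httpd runs as.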