Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Wed Sep 08, 2004 10:31 am

HTTP Authentication is a process that challenges the user to enter an id and password. So, technically, you could write any number of SSI type scripts to do this. This code has been tested on both types of PHP installation, CGI and as an Apache module.

This is only valid under Apache. You will need 2 files. One is .htaccess and the other is a file to hold the users and passwords that are allowed access to the file. The .htaccess file will be stored in the folder where admin.php is located, which is your root nuke folder. If you already have a .htaccess just add this code to it. Otherwise you will have to create a .htaccess file. Add this code to .htaccess
Code:
<Files RELATIVE_PATH_TO_ID_PASS_FILE>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile REAL_PATH_TO_ID_PASS_FILE
</Files>

Now the REAL_PATH_TO_ID_PASS_FILE will be site specific, but many *nix sites have a realpath to your public_html/www folder that looks like this
Code:
/home/USERNAME/public_html/

So, let's assume that your secret file is named mysecretfile. I would make it hidden by naming it .mysecretfile. Now, the contents will be a username:password, like myusername:mysecretpass, except mysecretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you :). The salt value can be whatever you like. Save this script as a .php file, like crypt.php
Code:
<form method='post'>
Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?php
// Only run when the form was submitted with a non-empty password
if (isset($_POST['submit']) && !empty($_POST['pw'])) {
   $salt = isset($_POST['salt']) ? $_POST['salt'] : '';
   // Escape the output so the submitted value cannot inject markup into the page
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'], $salt))."</b>";
}
?>
</form>

So, upon entering your password of 'mysecretpass' with a salt of 'Rv' (remember it can be anything you want), we get an encrypted value of 'RvXXrWfFcualM'. So, we now place myusername:RvXXrWfFcualM in the .mysecretfile. Note that we have also protected snooping eyes from directly accessing .mysecretfile (RELATIVE_PATH_TO_ID_PASS_FILE) by adding a 'deny from all' directive in the .htaccess file (you could also chmod the permissions to restrict it). In this instance the path is relative to the location of .htaccess so you would just substitute .mysecretfile. So, translating based on the above, your .htaccess file will look like
Code:
<Files .mysecretfile>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>

Now we upload .htaccess and .mysecretfile to the nuke root folder and hopefully when you try to access the admin.php file you will be challenged appropriately. Please note that you cannot use both HTTP Auth in NukeSentinel(tm) and .htaccess HTTP Auth. It will give the browser a migraine ;). You can also move the .mysecretfile to any location outside of the root. Just modify the AuthUserFile location. In that case you could also remove the 'deny from all' directive as it is outside of the web root.

Also, here is a quick little ditty to find out your REALPATH. Save this to your root web/nuke folder to discover the path and then delete it!
Code:
<?php
// Print the absolute filesystem path of index.html in this folder
echo 'rp = '.realpath('index.html');
?>


Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Sun Sep 12, 2004 11:26 am

As an addendum to the above post, you can also code for specific user(s) and/or group(s). Suppose you only wanted usernames Bob and Alice to have access. You would code that like
Code:
<Files admin.php>
   <Limit GET POST PUT>
      require user Bob Alice
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>

And likewise, you could have a group named 'admins' and you could code that as
Code:
<Files admin.php>
   <Limit GET POST PUT>
      require group admins
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
   # require group also needs a group file; REAL_PATH_TO_GROUP_FILE is a placeholder
   AuthGroupFile REAL_PATH_TO_GROUP_FILE
</Files>

irandoct
Hangin' Around


Joined: Dec 01, 2003
Posts: 39

Posted: Tue Nov 16, 2004 1:57 pm

Dear Raven,
I have followed up your direction however I receive internal server error message. This is my .htaccess content :
Code:
<Files .kimia>
  deny from all
</Files><Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>

and also my .kimia content is :
Code:
admin:11OociDP8zsBQ

my test password is : 321 and salt value is : 11
What's wrong?
Regards

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Tue Nov 16, 2004 2:06 pm

Try
Code:
<Files .kimia>
  deny from all
</Files>
<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>

RTS-Bone
New Member


Joined: Jun 20, 2004
Posts: 9

Posted: Fri Dec 24, 2004 4:37 pm

I have read everything you said, I have done everything you told me to, I tried this last thing : Result : DOESN'T work :( ARGHHHHHHHHHHHHH

I've spent this whole Christmas day trying to figure out how to do this and I couldn't !

I'm using PHP-Nuke7.5 ... after I do everything, it asks me for password & username, and then it keeps asking me... until an error occurs...

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Sat Dec 25, 2004 10:12 pm

irandoct wrote:
Dear Raven,
I have followed up your direction however I receive internal server error message. This is my .htaccess content :
Code:
<Files .kimia>
  deny from all
</Files><Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>

and also my .kimia content is :
Code:
admin:11OociDP8zsBQ

my test password is : 321 and salt value is : 11
What's wrong?
Regards
This is only a guess, but try breaking up
</Files><Files admin.php> into
</Files>
<Files admin.php>

RTS-Bone
New Member


Joined: Jun 20, 2004
Posts: 9

Posted: Sun Dec 26, 2004 10:23 am

Thanks, but I tried both...

djdiz-e
Regular


Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada

Posted: Sun Dec 26, 2004 2:10 pm

I have a little problem.
I have subdomains running PHP-Nuke and the subdomains are subdirectories in the public_html folder, and when I set up CGIAuth, when the subdomain owner tries to access their admin.php it pops up and asks them to authenticate... they don't have Sentinel installed, so is there any way I can stop this from happening?

Right now I'm just using HTTPAuth that seems to work fine but I'd like to use CGIAuth if possible.

And is there a difference in security between HTTPAuth and CGIAuth?
Which is better?

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Sun Dec 26, 2004 2:20 pm

You would need to put another .htaccess file in the subdomain folder that turns Authenticate off.

djdiz-e
Regular


Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada

Posted: Sun Dec 26, 2004 2:29 pm

So what would I put in that file?

Quote:
AuthAuthoritative Off



Thanks for the help Raven :)
I love NukeSentinel(tm)
It's the best thing I ever added to my PHP-Nuke site

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Sun Dec 26, 2004 2:43 pm

I think you want AuthType None

SV_JJSKID
New Member


Joined: Sep 06, 2004
Posts: 11

Posted: Sun Jan 02, 2005 7:22 pm

Hi All,

Hope everyone had fun over the holidays.

I have a couple of quick questions about 7.5...

I used the patched version from this site, got it installed and running. Applied the latest set of patches to it.
I installed Sentinel uni 2.1.3 and got that running too.

The simple question:
What other security add-ons can and should I be running on 7.5? What are others using?

The more involved question:
I used the .htaccess and .mysecretfile method that was described in this post for HTTP Authentication and it works good. My question is does that make the option in Sentinel for .staccess pointless or do I need to use the .staccess too? Is it the same thing or...? I'm confused

Thanks

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Sun Jan 02, 2005 8:11 pm

You only need NukeSentinel, seriously. You can use either HTTPAuth or CGIAuth, or both, although that would be rather cumbersome.

Chip
New Member


Joined: Jan 02, 2005
Posts: 9

Posted: Sun Jan 02, 2005 11:19 pm

I don't seem to have the option for HTTPAuth and CGIAuth isn't Auth'ing. If I could get either working, I'd be grateful. I have Sentinel 2.1.3a and PHPNuke 7.6. .htaccess is
Code:
# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
#<Files .staccess>
#deny from all
#</Files>

#<Files admin.php>
#<Limit GET POST PUT>
#require valid-user
#</Limit>
#AuthName "Restricted by NukeSentinel(tm)"
#AuthType Basic
#AuthUserFile .staccess
#</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

<Limit GET POST>
#The next line modified by DenyIP
order allow,deny
#The next line modified by DenyIP
#deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName

AuthUserFile /home/clanbe01/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/clanbe01/public_html/_vti_pvt/service.grp

<Files 403.shtml>
order allow,deny
allow from all
</Files>



RedirectMatch temp ^/index.html$ http://www.clanbeowulf.org/index.php

deny from 195
deny from 219
deny from 200
deny from 213
deny from 193
deny from 12.42.86.122
deny from 202
deny from 203
deny from 80
deny from 69.56.145.164
deny from 67.19.107.242
deny from 69.93.213.58
deny from 64.94.116.60

Yes, I uncomment the CGIAuth section when I want to try it.
.staccess is being written to. Popups just never authenticate.
So if I can get them to authenticate or use HTTPAuth, I'm in biz.

Chip
New Member


Joined: Jan 02, 2005
Posts: 9

Posted: Sun Jan 02, 2005 11:30 pm

I answered part of my own question. I didn't put the complete path to the .staccess.
Ok, now that works. Can anyone now tell me why I don't get the option for HTTPAuth?

SV_JJSKID
New Member


Joined: Sep 06, 2004
Posts: 11

Posted: Mon Jan 03, 2005 12:39 am

Cool it all works thanks Raven!


Chips: Check out the Admin Auth List on your Sentinel admin menu. You might have to build the file. But get your answer from the experts to be sure.

Anders
Hangin' Around


Joined: Jun 16, 2004
Posts: 48
Location: Sweden

Posted: Mon Jan 03, 2005 4:01 am

Hi!
I have a real problem with this!!
When I activate....... Save this in /usr/home/web/nuki/.htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /usr/home/web/nuki/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

and when I have done that I can't access my site
.........and chmod I have done too... is there anything more I need to do???

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Mon Jan 03, 2005 5:16 am

Chip wrote:
I answered part of my own question. I didn't put the complete path to the .staccess.
Ok, now that works. Can anyone now tell me why I don't get the option for HTTPAuth?
If PHP is not compiled as an Apache module, you have to use CGIAuth. NukeSentinel does a check and will not make it available since you can't use it anyway.
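
A small checker for the two .htaccess mistakes reported in this thread (the fused `</Files><Files admin.php>` line and an `AuthUserFile` without the complete path), which also names the hash scheme of each password-file entry. This is an added example, not part of any post or of NukeSentinel; the function names and the `bob` entry are constructed for illustration, and Unix-style paths are assumed.

```python
import re

# Constructed input: the admin.php block from this thread with the two
# mistakes reported in it (fused section tags, AuthUserFile without full path).
SAMPLE_HTACCESS = """\
<Files .staccess>
deny from all
</Files><Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
AuthUserFile .staccess
</Files>
"""
# First entry is the one posted in the thread; the second is constructed.
SAMPLE_PASSFILE = "admin:11OociDP8zsBQ\nbob:mysecretpass\n"

TAG = re.compile(r"</?[A-Za-z]+[^>]*>")
AUTHFILE = re.compile(r'(?i)^Auth(?:User|Group)File\s+"?([^"\s]+)')
PREFIXES = (("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1"))

def lint_htaccess(text):
    """Return (line_number, problem) pairs for the two mistakes above."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if len(TAG.findall(line)) > 1:
            findings.append((n, "several section tags on one line"))
        # Apache resolves a non-absolute path against ServerRoot.
        m = AUTHFILE.match(line)
        if m and not m.group(1).startswith("/"):
            findings.append((n, "auth file path is not absolute"))
    return findings

def classify_hash(value):
    """Name the htpasswd scheme a stored value appears to use."""
    for prefix, name in PREFIXES:
        if value.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "des-crypt"  # crypt() with a 2-character salt
    return "unrecognized"

def lint_passfile(text):
    """Return (user, scheme) for each user:hash line of the password file."""
    rows = (ln.partition(":") for ln in text.splitlines() if ln.strip())
    return [(user, classify_hash(value)) for user, _, value in rows]
```

An entry reported as `des-crypt` uses only the first 8 characters of the password, and an `unrecognized` entry (such as a password stored without hashing) will not authenticate under this setup.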
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Mon Jan 03, 2005 5:17 am

Anders,

Have you encrypted your password and placed it in .staccess?

Anders
Hangin' Around


Joined: Jun 16, 2004
Posts: 48
Location: Sweden

Posted: Mon Jan 03, 2005 6:38 am

hi raven
nope have not done that....
how do i encrypt my pw?

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Mon Jan 03, 2005 6:49 am

I believe this is in the documentation, but regardless, see this post :)

Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Thu Feb 03, 2005 8:54 am

Well I've tried both http auth and cgiauth in Sentinel and I can't get either to work, and now the basic http auth I did have working before I disabled it to use the one in Sentinel isn't working either

I'm really fed up trying now *sob*

I've checked the pop up issue in the browser and my site's in the allowed popup list so it's not that stopping it working.

Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 15024
Location: Kansas

Posted: Thu Feb 03, 2005 9:09 am

PM me your
site url, adminid/pass
ftp url, id/pass
phpMyAdmin url, id/pass

Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Thu Feb 03, 2005 2:49 pm

Just pm'd them to you Raven.

Thank you.

Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Mon Feb 07, 2005 5:20 pm

Any luck with my httpauth problems Raven?