And yet another .htaccess problem

New Member Joined: Jan 26, 2005 Posts: 16

I have read the posts and followed directions, but somehow I have missed some piece in the puzzle. I have set up the .htaccess and .staccess files. The password is encrypted in .staccess. I have checked the real path for .staccess and it appears to be correct. I have the admins set up, with my password (an I am the only one besides GOD).

So, when I try to turn on HTTPAuth (I am running Apache 1.3.33(Darwin) on Mac 10.3.9), I go to the Sentinel Administration, check the paths for .htaccess and note that the path to .staccess is blank. I select HTTPAuth and go to the bottom of the page to "Save Changes". That is when I know I am in trouble, because when I hit "Save Changes", down comes the box asking for authentication, and it won't accept my password. After that, nothing can be done to undo the repeating requests for authentication except to go to phpmyadmin and clear the HTTPAuth flag.

Any suggestions?

Sells PC To Pay For Divorce Joined: Posts: 5661

but did you set the pass etc... at admin.php?op=ABAuthList ?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

HTTPAuth does not use .staccess. Rename or delete .staccess. Rename the .htaccess from NukeSentinel. Assign your passwords via the NukeSentinel Auth Admin menu item. Then select HTTPAuth.

Posted: Thu Aug 04, 2005 11:25 am

Hi,

Thank you for taking the time to reply. Unfortunately, no luck yet.

Hitwalker: Yes, I believe that I have set the password at admin.php?op=ABAuthList. When I go there, it shows my username and the (protected) password that I am using. It is the only username shown.

Raven: I had pre-empted the normal use of .staccess and had used it to store my username and the encrypted password in the format username:encryptioncode. But to be sure, I have now changed .staccess to .staccessx and also changed the reference to the "secret file" in .htaccess. My .htaccess looks like:

PHP_FLAG output_buffering on

Options All -Indexes
DirectoryIndex index.php index.htm index.html

#-------
# Start of NukeSentinel (tm) admin.php Auth
#-------
<Files .staccessx>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
AuthUserFile /users/masong/sites/watercooler/html/.staccessx
</Files>

But, that doesn't change what happens. I then select HTTPAuth, go to "Save Changes" and down comes the authentication panel asking for a password. The password is rejected...and down comes the authentication panel ad infinitum.

I have changed the "Salt" entry to match the one used in generating the encryption, so I don't think that is the problem.

I am still missing something. Any more suggestions?

Thanks!

Posted: Thu Aug 04, 2005 11:39 am

Get rid of this

Code:

<Files admin.php>


<Limit GET POST PUT>


require valid-user


</Limit>


AuthName "Restricted"


AuthType Basic


AuthUserFile /users/masong/sites/watercooler/html/.staccessx


</Files>

Posted: Thu Aug 04, 2005 12:29 pm

Hi,

I removed the code...but it makes no difference. Same behavior.

Posted: Thu Aug 04, 2005 1:02 pm

Use phpMyAdmin and edit the nsnst_config table. Set http_auth to 1.

Posted: Thu Aug 04, 2005 1:33 pm

Hi,

If I set http_auth to 1 with phpMyAdmin, I am locked out of the admin module by the recurring, unsatisfied authentication panel. If I set http_auth back to 0, the problem vanishes.

Posted: Thu Aug 04, 2005 3:34 pm

why do i get the feeling your not recoqnized as god admin ?

Posted: Thu Aug 04, 2005 4:23 pm

Hitwalker:

In the nuke_authors list my username is listed under "aid" and identified with "name"=God. There is also a long pwd=...

In nuke_nsnst_admins my username is again listed under "aid", and also under "login". There is no mention of God. There is an encoded password_md5 that is the same as the pwd in nuke_authors. However, there is a password_crypt given in nuke_nsnst_admins that is NOT the encrypted password that came out of crypt() for my salt value and that appears in my .staccessx file. Unfortunately, using phpMyAdmin to put the .staccessx password into password_crypt in nuke_nsnst_admins does not solve the problem when HTTPAuth is set to 1. I still am locked out in the same way.

But, the password discrepancy might be a clue.

Thanks.

Posted: Thu Aug 04, 2005 4:31 pm

well at this point it can be almost anything..
i suggest you contact raven and give him any needed login so he can have a look...
this goes beyond my knowledge of sentinel...
and you would like to continue on your site dont you?
This taken to long...
so as i said...pm raven and solve it..

Posted: Fri Aug 05, 2005 1:52 pm

Hi,

I picked up the following sentence from Raven's sticky post on .htaccess at the top of this page: "Please note that you cannot use both HTTP Auth in NukeSentinel(tm) and .htaccess HTTP Auth. It will give the browser a migraine."

I don't understand the difference between these two. Perhaps that is the cause of my problem.
I understood that I should create a .htaccess file into which I put a faithful reproduction of the code in the sticky post with suitable editing to define paths and a "secret file" for my situation. Then, I thought, I was to set HTTPAuth=1 to turn on this additional level of security. Am I confusing two different things?

Thanks.

Posted: Fri Aug 05, 2005 1:56 pm

yeah more or less,just use the HTTPAuth,so that means only 1 path has to filled in into admin area.

Posted: Fri Aug 05, 2005 4:58 pm

If you use HTTPAuth from NukeSentinel, then remove these lines from .htaccess

Code:

<Files admin.php>


<Limit GET POST PUT>


require valid-user


</Limit>


AuthName "Restricted"


AuthType Basic


AuthUserFile /users/masong/sites/watercooler/html/.staccessx


</Files>

and don't fill in the .staccess path.

Posted: Fri Aug 05, 2005 8:43 pm

Raven:

I removed those lines of code according to your instruction several posts ago. It made no difference and I left them out. I am still locked out as long as HTTPAuth is set to 1.

I still don't understand why those lines of code are included in .htaccess in your sticky post if they are not supposed to be there. Perhaps that misunderstanding is at the root of my problem. Can you shed a little more light on the subject?

Thanks!

Posted: Fri Aug 05, 2005 8:56 pm

They are there in the event you have php compiled as a CGI instead of an Apache module, in which case you must use both .htaccess and .staccess.

Posted: Sat Aug 06, 2005 1:19 pm

hi,

And how does one determine whether php was compiled as a CGI instead of an Apache module? PHP comes in binary as part of Mac OS 10.3.9. Does anyone out there know how it was compiled?

It does appear that we are assuming that it was compiled as an Apache Module since putting that code in or out of .htaccess doesn't make a difference. But, if the code is out, how does Sentinel know where to look for the encrypted password? All that is left in .htaccess is code to keep prying eyes out of the "secret password file." When I type in my password into the authentication box, what does Sentinel do with it? With what is it comparing the password in order to establish authentication? What should be in the "Salt" field in Nuke Sentinel's admin page? I put in the value I used in crypt(), but now it appears that encryption has nothing to do with what Sentinel is doing? Is that where I went wrong?

Posted: Sat Aug 06, 2005 1:37 pm

php or cgi ?

Create a new text file and put this in:

Code:




<?php


phpinfo();


?>

save it phpinfo.php and upload it to your site.
The 4th colum should say :Server API Apache

Posted: Sat Aug 06, 2005 2:35 pm

masong wrote:

hi,

And how does one determine whether php was compiled as a CGI instead of an Apache module? PHP comes in binary as part of Mac OS 10.3.9. Does anyone out there know how it was compiled?

It does appear that we are assuming that it was compiled as an Apache Module since putting that code in or out of .htaccess doesn't make a difference. But, if the code is out, how does Sentinel know where to look for the encrypted password? All that is left in .htaccess is code to keep prying eyes out of the "secret password file." When I type in my password into the authentication box, what does Sentinel do with it? With what is it comparing the password in order to establish authentication? What should be in the "Salt" field in Nuke Sentinel's admin page? I put in the value I used in crypt(), but now it appears that encryption has nothing to do with what Sentinel is doing? Is that where I went wrong?

If HTTPAuth shows up in NukeSentinel admin then it's Apache.

Posted: Mon Aug 08, 2005 10:52 am

Hi,

OK, it's Apache. phpinfo() indicates that the Server API is Apache and HTTPAuth appears in NukeSentinel admin as an option on the pull-down menu.

So, given that, with HTTPAuth = 1, what does Sentinel do with the password that is typed in to establish authentication? Does it encrypt and compare? With what does it compare the password? Whatever it is doing, it is not getting a match and I am perpetually locked out.

Posted: Thu Aug 18, 2005 11:26 am

Hi,

Still locked out when I try to implement NukeSentinel password access to admin. Here is my current .htaccess file:

PHP_FLAG output_buffering on

Options All -Indexes
DirectoryIndex index.php index.htm index.html

#-------
# Start of NukeSentinel (tm) admin.php Auth
#-------
#<Files wcusers>
# deny from all
#</Files>

Here is what I have done with it (according to some earlier instructions): "Use the blank .htaccess file you have and chmod the permissions to 666. Next, go into Auth Admin in NukeSentinel and assign all your admins an id and password [there is only one, myself]. Next, go back to NukeSentinel Administration and in the .htaccess path setting, type .htaccess. Leave .staccess path blank. Now, select HTTP Auth from the drop down box. Save the settings." According to the instructions, I should now be protected with HTTP Auth protection, BUT I am then unable to login myself. I get a recurring dropdown panel asking for a password that never matches. Indeed, the panel drops down when I first try to save the changes made in the NukeSentinel Administration page.

So, I ask again. What is Sentinel doing with the password that causes it to fail to establish authentication?

Posted: Thu Aug 18, 2005 12:11 pm

Your assumption that Sentinel is doing anything can be a false premise to proceed from. When you type your user/pass combination in the browser HTTP Auth window, NukeSentinel takes your id/pass from the NukeSentinel Admin Auth screen. It them md5()'s your NukeSentinel password and compares it with the browser HTTP Auth window's md5() password. You might want to google for HTTP Authentication and get an understanding of what that is.

Posted: Tue Aug 30, 2005 9:06 am

I was successful yesterday installing Nuke Sentinel and I've spent hours reading threads about htaccess and httpauth. First, thank you for the product and all the support. I just want to confirm my understanding on this issue, which it appears might help others. And maybe suggest that the installation instructions be clarified eventually so that people who don't need .staccess and the password encryption program because they can use Httpauth don't wind up spending hours on it.

What I get from these threads as well as my own installation is that if you are running on the server as an Apache mod, your Sentinel will show the option to use Admin HTTPAuth under the administrative options. So choose that and you won't have to fool too much with .htaccess or use .staccess at all. However, before enabling HTTPAuth, you should first set up your admins in the "admin auth" list and give them each a password so that they show as "protected" there. With those two steps in place, when they do anything that would normally access admin.php they will get an extra login screen (though the browser apparently will save that in a password list and sign you on automatically after the first time (Firefox at least)).

Having said that, my reading is that you still want a .htaccess file in your Nuke root directory to store banned IP addresses. Right? And I'd think you would want to put the directory index stuff at the top as in your sample file:

Options All -Indexes
DirectoryIndex index.php index.htm index.html

Is there anything else that should be there? Perhaps if this is a correct interpretation the instructions should just say to go to the admin screen and see if the HTTP Auth option is there and then maybe there should be a "sampleapache_mod_htaccess file that's different from the current sample and people should upload that to their Nuke root. Just a suggestion that might eliminate a lot of questions.

Posted: Tue Aug 30, 2005 10:24 am

Hi fkelly,

Having spent some of those hours you refer to, I want to add an "amen" to your note.

But, having come to the same conclusions that you have, the HTTPAuth option in NukeSentinel still does not work on my system. I think it must be some unholy and unknown combination of the versions I use of phpNuke, Apache, operating system (Mac OS 10.3.9), NukeSentinel, browser (Safari), phpBB, and several ad-hoc security patches. Whatever, it doesn't work for me.

PHPNuke security is a nightmare. And once you get some combination of all these versions of pieces working together, more or less, you don't dare (or can't figure out how to) upgrade them piecemeal for fear of knocking down the whole house of cards.

I am grateful for help that I have received on this site and for those who do their "darndest' to help the rest of us through this maze.

Posted: Tue Aug 30, 2005 12:39 pm

masong, please PM to me the following information if you'd like me to try to fix your HTTPAuth issues.

Site URL, god adminid/pass
FTP URL, id/pass
MySQL URL, id/pass

Be sure to state in the PM what the problem is.