Ravens PHP Scripts: Forums
 

 

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Mon Feb 07, 2005 5:31 pm

Embarrassed - Forgot about it. I'll look in a bit.
 
Muffin
Client



Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Mon Feb 07, 2005 5:39 pm

lol ok Raven thank you

sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

Posted: Tue Feb 08, 2005 1:46 pm

I'm just posting this for reference. You will have to substitute your own paths for the paths to Apache/bin and where you want the password file located.
Windows/Apache users: how to create passwords.
Try this: open a command prompt.
Type in:
cd /d d:/appserv/Apache/bin
Note* /d tells it there is a drive change; if you are only on the c: drive, omit the /d in this command.
Hit <Enter>
Then type:
htpasswd -b d:/appserv/www/phpnuke/.staccess username password
Hit <Enter>

This will create the .staccess file with the username and password you entered.

Then in your htaccess file make sure the slashes in the path are this / not \

Tkalex mentions using the -c flag to create the .staccess file from the command line if it doesn't exist where you want it.
htpasswd -b -c d:/appserv/www/phpnuke/.staccess username password
Note* It's been mentioned before, but you can, and should, put this .staccess file above the web root to prevent access to it, or make it hidden at the very least.

Muffin







Posted: Mon Feb 14, 2005 7:24 pm

Confused
 
sabastina
Hangin' Around



Joined: May 12, 2005
Posts: 37

Posted: Thu May 12, 2005 10:16 am

Hi Raven,

thanks for offering support here!

I have just installed NukeSentinel_710_220pl4 on my phpnuke 7.5 with 2.9 patched (I believe that's how you say it). I ran the install and all went well.

I've tried for the past 4 hours to access my site. I can't get in. After assuring that the tables were there, I set the http_auth to 0 and still could not get into my site (this was in the manual's FAQ).

I've read the entire manual twice and the post here 4 times very slowly and read all the replies and I don't understand a few things still.

1. Does salt refer to the name of a file after the . ?

2. Does the .staccess file replace the above mentioned secretfile (do I use staccess instead of creating one?)

3. While I realize that you did explain how to encrypt a password, I don't understand some of the terms you used and don't know how to do this. Can I use one of those encoder programs some sites have installed for us to use?

4. I understand that we are supposed to put username:password in the file... but I have questions:

a. do I have the right idea here?

Code:
<form method='post'>
Enter password to be encrypted using crypt(myname:encryptedpass): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
</form>
<?php
// Hash the submitted password with crypt() using the submitted salt.
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   // Escape the echoed values so the form input cannot inject markup.
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'],$_POST['salt']))."</b>";
}
?>


and

b. Do I simply take the file once my information is entered, put it in the staccess file, upload, chmod, and remove the word sample from in front of it?

Finally, do I have to use an encrypted password when logging in? I have no knowledge of encryption. I'm sorry.

I first thought that I was just supposed to put my regular password there instead of username:encryptedpass but i tried that and it didn't work either.

I really spent a lot of time trying to do this myself. I am afraid to ruin my site if I keep guessing at this. And I appreciate your time in reading this post.

Sabastina
 
Raven







Posted: Thu May 12, 2005 12:19 pm

Before setting up .htaccess/.staccess protection, let's get your site working. First of all, comment out the lines you added to your mainfile.php file. Can you now access your site? Is it just the admin login that you are having problems with?
 
sabastina







Posted: Thu May 12, 2005 6:12 pm

Thank you for your time and help.
I still can not gain admin access in the main nuke area. Ironically, I am able to get into the admin for the forums, and to perform any task there!
I am able to log in and use the site as a user with no problems. In fact, I use CZusers info block and when I log into my user name, the admin image shows up in the who's online list.

I had previously attempted to set the access's and have both files on my server. I tried to find them to delete them off but can't find them. I use ftp for this.
Also just before installing sentinel, I had added the CNB Your account 750 440 mod to my site. This was the only mod I installed that required file changes. I'm not sure if you need to know that.


Last edited by sabastina on Thu May 12, 2005 6:59 pm; edited 1 time in total 
Raven







Posted: Thu May 12, 2005 6:59 pm

Your ftp client usually does not display hidden files (files that begin with .). You need to tell it to display those files. It's referred to as remote file mask. Find where that setting is and set it to "-a". Then the .htaccess and .staccess should appear. Rename them to .htaccessx and .staccessx and see if you can then access admin.
 
sabastina







Posted: Thu May 12, 2005 7:27 pm

YES!!!

It worked!!!

Thank you SOOO much!

Not to be a pest, but can you tell me WHY that worked for me?

Regards,

Sabastina
 
Raven







Posted: Thu May 12, 2005 7:44 pm

I will assume that you renamed sample.htaccess to .htaccess w/o understanding the implications and exactly how to set it up Wink

sample.htaccess and sample.staccess must not be renamed until you have gone through the installation process, assigned all admins, protected them, and assigned/set NukeSentinel(TM) admin passwords. Then, you do NOT need them to use HTTPAuthorization if you are running PHP as an Apache Module, but you CAN use them for an extra layer of security.

When you rename sample.htaccess to .htaccess, this code is in .htaccess
Code:
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /path/to/your/.staccess
</Files>

Now, .htaccess expects a userid:encrypted_password in the file .staccess. This line
Code:
AuthUserFile /path/to/your/.staccess
must be replaced with the actual path to YOUR .staccess. Bottom line, you don't rename sample.htaccess until you are set up to do so. Since you probably did not have a valid .staccess file nor a valid path to .staccess, the login could never get resolved. Hope that helps and doesn't confuse you too much.
 
sabastina







Posted: Thu May 12, 2005 10:15 pm

Yes, it does.

Thanks.

Though I think I understand how to do this sort of access now, I'm running on php so, I think it's best if I wait until I have more experience to try using this added security.

Thanks again.

Sabastina
 
Raven







Posted: Thu May 12, 2005 10:32 pm

Quote:
Though I think I understand how to do this sort of access now, I'm running on php so, I think it's best if I wait until I have more experience to try using this added security.

We all are running on PHP. Apache is the web server software. PHP is the scripting language that sends commands to Apache to feed the web browser.
 
sekoras
New Member



Joined: May 21, 2005
Posts: 2

Posted: Sat May 21, 2005 1:46 am

Hi @raven, thanks for helping, it's really hard to find a helping man :)
maybe my try 1 week after i said sit :) and never mind, thanks, because I found you anyway. I hope you will help me :)


.HTACCESS
Code:
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "TurkFtp admin panel Siktir Git ibne"
   AuthType Basic
   AuthUserFile /var/www/html/anasayfa3/.staccess
</Files>

# -------------------------------------------
# Start of NukeSentinel(tm) DENY FROM area
# -------------------------------------------




.staccess

Code:
<?
<form method='post'>
Enter password to be encrypted using crypt(EX:EX): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (8 long): <input name='salt' maxlength='16'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>



what is wrong man??????
any way thanks for help:)
 
Raven







Posted: Sat May 21, 2005 6:33 am

That code that you show for .staccess is not the code that goes in there. That is a script that you need to save as a file and then ftp it to your server. It will allow you to enter a password in plain text and then it will encode it using the crypt() function. It will produce a line of text like userid:encoded_password. You then place userid:encoded_password in the .staccess file. For instance, let's say your userid is sekoras and you want to use a password of ravenscripts. Running it through the script using a salt value of SK (The salt value can be any 2 character code you want) will produce this
Code:
Password ravenscripts translated is SKaO7Wem4oeco

So in .staccess you would simply have the line
Code:
sekoras:SKaO7Wem4oeco


BTW, the script above cannot have that beginning <? tag. It should only read
Code:
<form method='post'>
Enter password to be encrypted using crypt(EX:EX): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (8 long): <input name='salt' maxlength='16'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
</form>
<?php
// Hash the submitted password with crypt() using the submitted salt.
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   // Escape the echoed values so the form input cannot inject markup.
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'],$_POST['salt']))."</b>";
}
?>
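
A lint for the two files discussed in Raven's replies above, added here as an example that is not part of the thread or of NukeSentinel: it flags an unedited AuthUserFile path, `require` wrapped in `<Limit>`, and .staccess lines that are not userid:hash. The function names, finding texts and sample strings are assumptions constructed for illustration.

```python
import re

# Hash formats Apache accepts in an AuthUserFile. Heuristic only: a 13-character
# plaintext made of [./A-Za-z0-9] would be mistaken for a DES crypt() hash.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
]
PLACEHOLDER_PATHS = ("/path/to/your/", "/HOME_PATH/")  # unedited values seen in the thread

def classify_hash(value):
    """Name of the matching hash format, or None for plaintext or garbage."""
    return next((name for name, rx in HASH_FORMATS if rx.match(value)), None)

def lint_staccess(text):
    findings = []
    rows = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    for n, line in rows:
        user, sep, pw = line.partition(":")
        if not sep or not user or "<" in line:
            findings.append((n, "not a userid:hash entry"))
        elif classify_hash(pw) is None:
            findings.append((n, "password is not a recognised hash"))
        elif classify_hash(pw) == "des-crypt":
            findings.append((n, "DES crypt() hash: only the first 8 password characters count"))
    return findings

def lint_htaccess(text):
    findings, in_limit = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        key = words[0].lower() if words else ""
        if key == "<limit":
            in_limit = True
        elif key.startswith("</limit"):
            in_limit = False
        elif key == "require" and in_limit:
            findings.append((n, "require inside <Limit>: unlisted HTTP methods are not protected"))
        elif key == "authuserfile":
            if len(words) < 2 or any(p in words[1] for p in PLACEHOLDER_PATHS):
                findings.append((n, "AuthUserFile is missing or still a placeholder path"))
    return findings

# Constructed samples: the admin.php block quoted in the thread, and a .staccess
# holding the thread's valid line plus two of the mistakes discussed in it.
SAMPLE_HTACCESS = ("<Files admin.php>\n<Limit GET POST PUT>\nrequire valid-user\n</Limit>\n"
                   "AuthType Basic\nAuthUserFile /path/to/your/.staccess\n</Files>\n")
SAMPLE_STACCESS = "sekoras:SKaO7Wem4oeco\n<form method='post'>\nsekoras:ravenscripts\n"
```

The first .staccess finding applies to the thread's own sample line: ravenscripts has 12 characters, and DES crypt() hashes only the first 8.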
 
sekoras







Posted: Sat May 21, 2005 11:57 am

I'm sorry, I'm like an idiot, I can't get it, but thanks a lot sir for the answer, really :) thanks thanks thanks :)
 
boar
Hangin' Around



Joined: Jul 18, 2005
Posts: 33

Posted: Mon Jul 18, 2005 10:46 pm

I am having a bit of a misunderstanding here; it's the first time I am trying to use the Admin Auth settings included in Sentinel 2.3.2. I have set an admin password in the admin auth list, I have clicked on Build CGIAuth file, the file is created, I have added both my .htaccess Path and .staccess Path, Admin Auth is selected to Admin CGIAuth.. everything seems to be perfectly configured.... Now am I supposed to get a login box when I try to access my admin.php file this way, or do I have to log in to the normal admin.php page inside the website??? Sorry, I just don't get it..

When I log out and try to access my admin.php file again, I have the same old Administration menu in front of me and no popup login box... From the Admin Auth: selection menu I have option Off and option Admin CGIAuth; of course it's selected to Admin CGIAuth.

cheers.
 
boar







Posted: Mon Jul 18, 2005 11:20 pm

BTW, I don't know if this is a bug, but I added the following to my .htaccess:

<Files admin.php>
<Limit GET POST PUT>
require user test
</Limit>
AuthName "www.mysite.com"
AuthType Basic
AuthUserFile /HOME_PATH/.staccess
</Files>

When I try to access my site, I get the HTTP Auth popup box, I enter my user name and password, both my admin.php user/pass are the same as my .staccess user/pass, nothing happens... After 3 times, I am redirected to my 401 page. Now... if I click the Back button AND then the Forward button, I am able to see my original admin.php administration menu... odd!

i need help!
cheers Smile
 
boar







Posted: Mon Jul 18, 2005 11:34 pm

Sorry, another post.

Why is my Admin Auth password in the database in clear text, not encrypted??
 
Raven







Posted: Tue Jul 19, 2005 1:08 am

boar wrote:
BTW, I don't know if this is a bug, but I added the following to my .htaccess:

<Files admin.php>
<Limit GET POST PUT>
require user test
</Limit>
AuthName "www.mysite.com"
AuthType Basic
AuthUserFile /HOME_PATH/.staccess
</Files>

When I try to access my site, I get the HTTP Auth popup box, I enter my user name and password, both my admin.php user/pass are the same as my .staccess user/pass, nothing happens... After 3 times, I am redirected to my 401 page. Now... if I click the Back button AND then the Forward button, I am able to see my original admin.php administration menu... odd!

i need help!
cheers Smile

Did you remember to encrypt your password in .staccess?
 
boar







Posted: Tue Jul 19, 2005 1:13 am

yes, it's the same and both places where my password is located are encrypted, except one place, in sentinel tables.. nuke_admin and staccess are encrypted.
 
boar







Posted: Tue Jul 19, 2005 8:52 am

Raven, you didn't like the BUG part, did you? lol
It's not a bug, I am just misconfiguring the settings..
 
boar







Posted: Wed Jul 20, 2005 2:54 am

I think I will code HTTP Auth inside the admin.php so each time I try to access it, I will get the HTTP Auth and upon successful login, I will be redirected to the Admin area. What do you think, Raven? Right now I am being redirected to admin.php and I need to log in again.
 
Raven







Posted: Wed Jul 20, 2005 3:03 am

There are basically 2 different ways of activating and using Browser authentication with NukeSentinel. If you use the .htaccess and .staccess method, it is independent of NukeSentinel configuration. You do not need to use .htaccess and .staccess at all unless your PHP is compiled as a CGI library. Try creating an empty .htaccess file and then just selecting HTTP Auth in your NukeSentinel Administration panel. You will first need to set up all admin passwords via Admin Auth in NukeSentinel Administration panel.
 
boar







Posted: Thu Jul 21, 2005 10:54 am

Yeah, my PHP was compiled with CGI. So I guess I'll have to enter 2 usernames and 2 passwords all the time, which I don't really mind because it just adds more security to my admin area. I have 2 different usernames and passwords so it's all good.

I wonder why the admin passwords via Admin Auth in NukeSentinel Admin panel are not being encrypted in the database though, like other passwords..

cheers
 
bartman
Regular



Joined: Jun 23, 2005
Posts: 61

Posted: Thu Jul 28, 2005 4:01 am

Raven, I have read the above, tried the above, and after just under 1 hr I now have it working SmileSmile

In the documentation you mentioned chmodding files. What files would I want to chmod to make it more secure, and what should I chmod them to?

atm my .htaccess file is 644, and my "secretpasswordfile" is 644 as well

(do I need to change these to just 444?), or leave as they are


Thanks for the good work
 
All times are GMT - 6 Hours
 