Stanford University School of Earth Science
 
Home
News
New Users
Policies
Email
Network File Server
Web Hosting
    Personal Setup
   Email Form
   Other Resources
Get Help
Net Connections
Macintosh
Windows PC
Unix/Linux System
Pangea Server
School Resources
Using Unix

Limit access by requiring a password

Last revision July 20, 2004

To limit access to specific people, you can make personal "web accounts" for them that have a user name and password. You create these user names and passwords and they apply only to your restricted web pages. When anyone tries to look at these restricted pages, the web browser will ask him for a user name and password, which must match one of the accounts you will create (below). This is one of the few cases where a group of people are allowed to share a single user name and password, since they are only used for this one specific purpose.

Start by using your favorite text editor to make the file .htaccess containing the lines shown here, but substituting values that are appropriate to your case wherever you see italicized keywords.

AuthUserFile mypasswdfile
AuthName authorizationgroup
AuthType Basic
Require valid-user

The AuthUserFile directive specifies the location of the file containing the web account user names and passwords. You can use any filename and put it in any directory, but it makes sense to put it in the same directory that you are trying to control. You must give the complete Unix directory path to this file. You cannot use the "tilde" shortcut (for example, ~username). You then use the htpasswd program on pangea to create this file of user names and passwords The AuthName directive gives a short reference name of your choosing that stands for this group of restricted files.

For example, the pangea user with the account name "joe" wants to put some html files in his personal web directory and protect them with a password. His personal web directory is the subdirectory WWW in his home directory. He is in the Geological and Environmental Sciences department, so the full Unix directory path of this directory on pangea is /home/ges/joe/WWW. The web URL for this directory is simply http://pangea.stanford.edu/~joe. Joe makes a sub-directory within WWW to store his password protected files, and calls that personal. It's complete Unix path is /home/ges/joe/WWW/personal, and its URL is http://pangea.stanford.edu/~joe/personal/. Within that personal directory, Joe makes the .htaccess file in the form shown above. He decides to call the file of account names and passwords passfile. So his AuthUserFile line looks like:

AuthUserFile /home/ges/joe/WWW/personal/passfile

The file specified with the AuthUserFile directive contains usernames and encrypted passwords. It must have world read access for the web server; the fact that the passwords are encrypted prevents folks from just looking at the file to get them. You use the htpasswd program to make this file and set the user account names and passwords. To initially make the file, you use the -c option followed by the authorization file name and the first account name.

For example, Joe called his authorization file passfile in his WWW/personal subdirectory. To initially make this file with the first account named "guest", he changes to the right directory and runs the htpasswd command as follows:

cd WWW/personal
htpasswd -c passfile guest

The htpasswd program then prompts him to enter a password for the account "guest". This password will be encrypted and the file passfile will be created with one line that looks something like this:

guest:TmpqN0MF2.u6k

To add the next account, Joe runs the command again, but without the -c option, for example,

htpasswd passfile george

and replies to the prompt for the password for the "george" account. Now the authorization file, passfile, will have two lines that look something like:

guest:TmpqN0MF2.u6k
george:89MqsBCKRav.6

Just keep going with the htpasswd command to add more user names and passwords.

Later, if you want to remove a username and password, simply edit your authorization file and delete the line containing that username.

It is also possible to create the AuthUserFile file using existing pangea account user names and passwords. Contact the system manager if you want to do that (there is no automatic program, but it can be done by some simple editing of a copy of pangea's main password file).

The AuthName directive gives a short reference name that stands for this group of restricted files. This name is used by web browsers to keep track of which usernames and passwords apply to which files. You can use any name you like, but it is helpful if it is somewhat descriptive. Also, either use a single word, or if you use more than one word, enclose the phrase in quotes marks ("). For example, user Joe decides to give his group of protected files the name mystuff, so his .htaccess file has the line

AuthName mystuff

 


Comments?

Stanford University    |