Authentication problem

Michelle
23 February 2009, 17:32
Hi

We are facing a problem with access control in the webserver. We have followed these steps:

1. Created a password file
htpasswd -c -d /usr/local/var/www/sample/.passwords test
2. Changes in the httpd.conf
PasswordFile = basic:/usr/local/var/www/.passwords
3. The complete entry in httpd.conf file is
VirtualHost{
Hostname = 10.112.75.59
WebsiteRoot = /usr/local/var/www/sample
AccessLogfile = /usr/local/var/log/sample/access.log
ErrorLogfile = /usr/local/var/log/sample/error.log
StartFile = index1.html
AccessList = allow 10.112.78.86 , deny all
PasswordFile = basic:/usr/local/var/www/.passwords
}

The page is still not asking for authentication and opening up without problem.

Can you please let me know where I am making a mistake?

Thanks in advance !!
Hugo Leisink
23 February 2009, 23:30
Is it true you are accessing the webserver from 10.112.78.86? If so, it's true no password is asked because of the 'allow' statement. If you want Hiawatha to ask for a password, you must use 'pwd' instead. Check the manual page for more information.
Michelle
24 February 2009, 08:24
Hi Hugo

Thanks for the reply.
I have modified the entries in the httpd.conf
VirtualHost{
Hostname = 10.112.75.59
WebsiteRoot = /usr/local/var/www/sample
AccessLogfile = /usr/local/var/log/sample/access.log
ErrorLogfile = /usr/local/var/log/sample/error.log
StartFile = index1.html
PasswordFile = basic:/usr/local/var/www/.passwords
}

and now it asks for a password for every ping at the server, but it's not accepting the password that I have given.
The contents of the password file are test1:WfuGoz0xXqCzA, i.e. username: test and password: test, but it doesn't accept the password.
Please help

Hugo Leisink
24 February 2009, 16:41
What version of Hiawatha are you using? Is the .passwords file readable by Hiawatha (the file itself and all the directories to it)? What does the errorlogfile say?
Michelle
24 February 2009, 16:46
Hi Hugo

Thanks for reply

I am using Hiawatha v6.11
Michelle
24 February 2009, 16:53
Hi Hugo

There is no error in error logs

Thanks
Hugo Leisink
24 February 2009, 22:08
You have noticed that the username in your passwordfile is not 'test', but 'test1'?
Devian
25 February 2009, 06:16
Hi Hugo
I am sending you the complete entry in my httpd.conf file and the password file so that it's easy for you to figure out the fault

HTTPD.CONF

# GENERAL SETTINGS
#
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /usr/local/var/log/hiawatha/system.log
GarbageLogfile = /usr/local/var/log/hiawatha/garbage.log

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
# Interface = 127.0.0.1
# MaxKeepAlive = 30
# TimeForRequest = 3,20
}



# GENERAL SETTINGS
#
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /usr/local/var/log/hiawatha/system.log
GarbageLogfile = /usr/local/var/log/hiawatha/garbage.log
CacheSize = 10

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
# Interface = 127.0.0.1
# MaxKeepAlive = 30
# TimeForRequest = 3,20
}


CGIextension = cgi

VirtualHost{
Hostname = 10.112.75.59
WebsiteRoot = /usr/local/var/www/sample
AccessLogfile = /usr/local/var/log/sample/access.log
ErrorLogfile = /usr/local/var/log/sample/error.log
StartFile = index1.html
PasswordFile = basic:/usr/local/var/www/.passwords
ExecuteCGI = yes
}

PASSWORD FILE
demo:HZMp0/8/GixBc (USERNAME:DEMO PASSWORD:DEMO)

GENERATED BY FOLLOWING COMMAND: htpasswd -c -d /usr/local/var/www/.passwords demo

But when I enter username and password as demo it doesn't accept.

Please help !!!!!!

Michelle
25 February 2009, 06:18
Username and password are not in uppercase
PASSWORD FILE
demo:HZMp0/8/GixBc (USERNAME:demo PASSWORD:demo)

Michelle
25 February 2009, 06:24
Please ignore the repeated entry of
# GENERAL SETTINGS
#
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /usr/local/var/log/hiawatha/system.log
GarbageLogfile = /usr/local/var/log/hiawatha/garbage.log

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
# Interface = 127.0.0.1
# MaxKeepAlive = 30
# TimeForRequest = 3,20
}
Hugo Leisink
25 February 2009, 14:04
Yesterday, I tested your test1:test passwordfile, and for me it worked fine. So there must be some other problem. I'm leaving for holiday in an hour, so I haven't got time to do some more testing. I'll help you when I get back. Sorry!
Michelle
25 February 2009, 15:30
I will wait for your response as I have already documented whatever steps I have followed.
Please reply !!!
Hugo Leisink
5 March 2009, 03:08
Can you confirm that the user the webserver is running under (user 'nobody' in your case) is able to read the password file?
Michelle
16 March 2009, 16:13
this is my password file

demo:ZQ6dKLKw17UOc

generated by htpasswd -c -d /usr/local/var/www/.passwords demo

but still the server is not taking the username and password "demo"
please help
Hugo Leisink
16 March 2009, 17:07
Again, can you confirm that the user the webserver is running under (probably user 'nobody' in your case) is able to read the password file?

Can you give some information about the OS you are using?
Michelle
17 March 2009, 07:24
Thanks for the reply

OS I am using is: Linux Debian 2.6.26-1-686 # 1

but I have tested on Linux shangrila 2.4.20-8 #1 also; it's not working.
Is there some other setting which we have to make in case of nobody user?


Thanks
Hugo Leisink
17 March 2009, 10:06
For the third time: can you confirm that the user the webserver is running under (probably user 'nobody' in your case) is able to read the password file?

Change to root, use 'su - nobody' (make sure it has a valid shell), use 'id' to verify you are user 'nobody' and try to read the password file via 'cat'. Can you read it or do you get an 'access denied' error?
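
Added example (not part of the original posts and not Hiawatha code): the readability check described above, done by inspecting mode bits for the file and every directory leading to it instead of switching user. It assumes classic Unix permissions only (no ACLs, SELinux or capabilities); `blocking_components` is a hypothetical helper name.

```python
import os
import stat

def blocking_components(path, uid, gids):
    """Return [(component, reason)] for each part of `path` whose mode bits
    stop the account (uid, gids) from reading the file at the end of it."""
    if uid == 0:                      # root bypasses read/search checks
        return []
    cur = os.path.realpath(path)      # resolve symlinks first
    parts = []
    while True:                       # collect file, parent, ..., "/"
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    blockers = []
    for comp in reversed(parts):      # walk from "/" down to the file
        st = os.stat(comp)
        is_dir = stat.S_ISDIR(st.st_mode)
        # Only one permission class applies: owner, else group, else other.
        if st.st_uid == uid:
            need = stat.S_IXUSR if is_dir else stat.S_IRUSR
        elif st.st_gid in gids:
            need = stat.S_IXGRP if is_dir else stat.S_IRGRP
        else:
            need = stat.S_IXOTH if is_dir else stat.S_IROTH
        if not st.st_mode & need:
            reason = "no search (x) bit" if is_dir else "no read (r) bit"
            blockers.append((comp, reason))
    return blockers

if __name__ == "__main__":
    import pwd
    import sys
    # Defaults taken from the thread: user 'nobody' and the PasswordFile path.
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    path = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/var/www/.passwords"
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    found = blocking_components(path, pw.pw_uid, gids)
    for comp, reason in found:
        print(f"{comp}: {reason} for {user}")
    if not found:
        print(f"{user} can read {path} (mode bits only)")
```

Run it as root so that every component can be inspected; an empty result means the mode bits allow the read, and each listed component needs its permissions or ownership adjusted.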
Michelle
18 March 2009, 09:42
Thanks Hugo

It's running fine now for basic authentication. The problem is with access permission for the file.

But it's giving a problem with digest authentication. I am generating the password file with the command below, and access permission for the file is there.
htpasswd -c /usr/local/var/www/sample/pass.passwords testing

Thanks


Hugo Leisink
18 March 2009, 09:55
The command you described can only be used for basic HTTP authentication. For digest HTTP authentication, you have to use the plain text password. So, for basic, you will have a password file that looks like this:
demo:ZQ6dKLKw17UOc

For digest, your password file has to look like this:
demo:demo


I know, plain text passwords don't sound secure. But I didn't make the rules for the HTTP authentication schemas.
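
Added example (not part of the original posts and not Hiawatha's implementation): the RFC 2617 digest response computed without qop, showing why a crypt-style entry written by htpasswd cannot verify a digest login while the plain text entry can. The realm, nonce and URI are constructed values and the function names are hypothetical; the password file lines are the two quoted in the post above.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, secret, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{secret}")   # needs the real password
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def load_password_file(text):
    """Parse 'user:secret' lines in the layout shown in the thread."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            user, secret = line.strip().split(":", 1)
            entries[user] = secret
    return entries

def server_accepts(file_text, user, realm, method, uri, nonce, response):
    """Recompute the response from the stored secret and compare."""
    stored = load_password_file(file_text).get(user)
    if stored is None:
        return False
    expected = digest_response(user, realm, stored, method, uri, nonce)
    return hmac.compare_digest(expected, response)

# Constructed request parameters, for illustration only.
REALM, NONCE, METHOD, URI = "sample", "5f2c1a9e0b7d", "GET", "/index1.html"

def demo():
    # The browser hashes what the user typed: demo / demo.
    client = digest_response("demo", REALM, "demo", METHOD, URI, NONCE)
    digest_file = "demo:demo\n"            # plain text entry
    basic_file = "demo:ZQ6dKLKw17UOc\n"    # crypt() entry from htpasswd -d
    args = ("demo", REALM, METHOD, URI, NONCE, client)
    return (server_accepts(digest_file, *args),
            server_accepts(basic_file, *args))

if __name__ == "__main__":
    ok_digest, ok_basic = demo()
    print("plain text entry accepted:", ok_digest)
    print("crypt entry accepted:", ok_basic)
```

The server never receives the password in a digest exchange, so it has nothing to feed into crypt(); it can only rebuild the expected response from a stored value that hashes the same way the client's input did.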
This topic has been closed.