Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Wed Sep 08, 2004 10:31 am Reply with quote

HTTP Authentication is a process that challenges the user to enter an id and password. So, technically, you could write any number of SSI type scripts to do this. This code has been tested on both PHP type of installations, CGI and as an Apache Module.

This is only valid under Apache. You will need 2 files. One is .htaccess and the other is a file to hold the users and passwords that are allowed access to the file. The .htaccess file will be stored in the folder where admin.php is located, which is your root nuke folder. If you already have a .htaccess just add this code to it. Otherwise you will have to create a .htaccess file. Add this code to .htaccess
Code:
<Files RELATIVE_PATH_TO_ID_PASS_FILE>

  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile REAL_PATH_TO_ID_PASS_FILE
</Files>

Now the REAL_PATH_TO_ID_PASS_FILE will be site specific, but many *nix sites have a realpath to your public_html/www folder that looks like this
Code:
/home/USERNAME/public_html/

So, let's assume that your secret file is named mysecretfile. I would make it hidden by naming it .mysecretfile. Now, the contents will be a username:password, like myusername:mysecretpass, except mysecretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you Smile. The salt value can be whatever you like. Save this script as a .php file, like crypt.php
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>
So, upon entering your password of 'mysecretpass' with a salt of 'Rv' (remember it can be anything you want), we get an encrypted value of 'RvXXrWfFcualM'. So, we now place myusername:RvXXrWfFcualM in the .mysecret file. Note that we have also protected snooping eyes from directly accessing .mysecretfile (RELATIVE_PATH_FILE) by adding a 'deny from all' directive in the .htaccess file (you could also chmod the permissions to restrict it). In this instance the path is relative to the location of .htaccess so you would just substitute .mysecretfile. So, translating based on the above, your .htaccess file will look like
Code:
<Files .mysecretfile>

  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>

Now we upload .htaccess and .mysecretfile to the nuke root folder and hopefully when you try to access the admin.php file you will be challenged appropriately. Please note that you cannot use both HTTP Auth in NukeSentinel™ and .htaccess HTTP Auth. It will give the browser a migraine Wink. You can also move the .mysecretfile to any location outside of the root. Just modify the AuthUserFile location. In that case you could also remove the 'deny from all' directive as it is outside of the web toot.

Also, here is a quick little diddy to find out your REALPATH. Save this to your root web/nuke folder to discover the path and then delete it!
Code:
<?

echo 'rp = '.realpath('index.html');
?>

RavensScripts
 
View user's profile Send private message
Raven
PostPosted: Sun Sep 12, 2004 11:26 am Reply with quote

As an addendum to the above post, you can also code for specific user(s) and/or group(s). Suppose you only wanted usernames Bob and Alice to have access. You would code that like
Code:
<Files admin.php> 

   <Limit GET POST PUT>
      require user Bob Alice
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>

And likewise, you could have a group named 'admins' and you cold code that as
Code:
<Files admin.php> 

   <Limit GET POST PUT>
      require group admins
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>
 
irandoct
Hangin' Around


Joined: Dec 01, 2003
Posts: 39

PostPosted: Tue Nov 16, 2004 1:57 pm Reply with quote

Dear Raven,
I have followed up your direction howover I receive internal server error message . This is my .htaccess content :
Code:
<Files .kimia>

  deny from all
</Files><Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>

and also my .kimia content is :
Code:
admin:11OociDP8zsBQ

my test password is : 321 and salt value is : 11
What's wrong?
Regards
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Tue Nov 16, 2004 2:06 pm Reply with quote

Try
Code:
<Files .kimia> 

  deny from all
</Files>
<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>
 
RTS-Bone
New Member
New Member


Joined: Jun 20, 2004
Posts: 9

PostPosted: Fri Dec 24, 2004 4:37 pm Reply with quote

I have read everything you said, I have done everything you told me to I tried this last thing : Result : DOESN`T work Sad ARGHHHHHHHHHHHHH

I`ve spent this whole christmas day trying to figure out how to do this and I couldn`t !

I`m using PHP-Nuke7.5 ... after I do everything, it asks me for password & username, and then it keeps asking me... until an error occurs... Bang Head
 
View user's profile Send private message
Raven
PostPosted: Sat Dec 25, 2004 10:12 pm Reply with quote

irandoct wrote:
Dear Raven,
I have followed up your direction howover I receive internal server error message . This is my .htaccess content :
Code:
<Files .kimia>

  deny from all
</Files><Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>

and also my .kimia content is :
Code:
admin:11OociDP8zsBQ

my test password is : 321 and salt value is : 11
What's wrong?
Regards
This is only a guess, but try breaking up
</Files><Files admin.php> into
</Files>
<Files admin.php>
 
RTS-Bone
PostPosted: Sun Dec 26, 2004 10:23 am Reply with quote

Thanks, but I tried both...
Only registered users can see links on this board! Get registered or login!
 
djdiz-e
Regular
Regular


Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada

PostPosted: Sun Dec 26, 2004 2:10 pm Reply with quote

i have alittle problem.
i have subdomain's running PHP-Nuke and the subdomains are sub directorys in the public_html folder and when i setup CGIAuth when the subdomain ower trys to access there admin.php it pops up and asks them to authenticate ..they dont have sentinal installed so is there anyway i can stop this from happening?

right now im just using HTTPAuth that seems to work fine but id like to use CGIAuth if possible

and is there a difference in security between HTTPAuth and CGIAuth?
witch is better?
 
View user's profile Send private message Send e-mail Visit poster's website
Raven
PostPosted: Sun Dec 26, 2004 2:20 pm Reply with quote

You would need to put another .htaccess file in the subdomain folder that turns Authenticate off.
 
djdiz-e
PostPosted: Sun Dec 26, 2004 2:29 pm Reply with quote

so what would i put in that file?

Quote:
AuthAuthoritative Off



thanks for the help raven Smile
i love NukeSentinel™
its the best thing i ever added to my php-nuke site
RavensScripts
 
Raven
PostPosted: Sun Dec 26, 2004 2:43 pm Reply with quote

I think you want AuthType None
 
SV_JJSKID
New Member
New Member


Joined: Sep 06, 2004
Posts: 11

PostPosted: Sun Jan 02, 2005 7:22 pm Reply with quote

Hi All,

Hope everyone had fun over the holidays.

I have a couple of quick questions about 7.5...

I used the patched version from this site, got it installed and running. Applied the latest set of patchs to it.
I installed Sentinel uni 2.1.3 and got that running too.

The simple question:
What other security add-ons can and should I be running on 7.5? What are others using?

The more involved question:
I used the .htacces and .mysecretfile method that was described in this post for HTTP Authentication and it works good. My question is does that make the option in Sentinel for .staccess pointless or do I need to use the .staccess too? Is it the same thing or...? I'm confrused

Thanks
 
View user's profile Send private message
Raven
PostPosted: Sun Jan 02, 2005 8:11 pm Reply with quote

You only need NukeSentinel, seriously. You can use either HTTPAuth or CGIAuth, or both, although that would be rather cumbersome.
 
Chip
New Member
New Member


Joined: Jan 02, 2005
Posts: 9

PostPosted: Sun Jan 02, 2005 11:19 pm Reply with quote

I don't seem to have the option for HTTPAuth and CGIAuth isn't Auth'ing. If I could get either working, I'd be greatful. I have Sentinel 2.1.3a and PHPNuke 7.6. .htaccess is
Code:
# -FrontPage-


IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
#<Files .staccess>
#deny from all
#</Files>

#<Files admin.php>
#<Limit GET POST PUT>
#require valid-user
#</Limit>
#AuthName "Restricted by NukeSentinel(tm)"
#AuthType Basic
#AuthUserFile .staccess
#</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

<Limit GET POST>
#The next line modified by DenyIP
order allow,deny
#The next line modified by DenyIP
#deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName Only registered users can see links on this board! Get registered or login!
AuthUserFile /home/clanbe01/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/clanbe01/public_html/_vti_pvt/service.grp

<Files 403.shtml>
order allow,deny
allow from all
</Files>



RedirectMatch temp ^/index.html$ http://www.clanbeowulf.org/index.php

deny from 195
deny from 219
deny from 200
deny from 213
deny from 193
deny from 12.42.86.122
deny from 202
deny from 203
deny from 80
deny from 69.56.145.164
deny from 67.19.107.242
deny from 69.93.213.58
deny from 64.94.116.60

Yes, I uncomment the CGIAuth section when I want to try it.
.staccess is being written to. Popups just never authenticate.
So if I can get them to authenticate or use HTTPAuth, I'm in biz.
 
View user's profile Send private message Visit poster's website MSN Messenger ICQ Number
Chip
PostPosted: Sun Jan 02, 2005 11:30 pm Reply with quote

I answered part of my own question. I didn't put the complete path to the .staccess.
Ok, now that works. Can anyone now tell my why I don't get the option for HTTPAuth?
 
SV_JJSKID
PostPosted: Mon Jan 03, 2005 12:39 am Reply with quote

Cool it all works thanks Raven!


Chips: Check out the Admin Auth List on your Sentinel admin menu. You might have to build the file. But get your answer from the experts to be sure.
 
Anders
Worker
Worker


Joined: Jun 16, 2004
Posts: 157
Location: Sweden

PostPosted: Mon Jan 03, 2005 4:01 am Reply with quote

Hi!
have really prob whit this!!
when i activate....... Save this in /usr/home/web/nuki/.htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /usr/home/web/nuki/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

and when i have done that so cant i access to my site
.........and chmode have i done 2...is there any more i need to do???
 
View user's profile Send private message
Raven
PostPosted: Mon Jan 03, 2005 5:16 am Reply with quote

Chip wrote:
I answered part of my own question. I didn't put the complete path to the .staccess.
Ok, now that works. Can anyone now tell my why I don't get the option for HTTPAuth?
If PHP is not compiled as an Apache module, you have to use CGIAuth. NukeSentinel does a check and will not make it available since you can't use it anyway.
 
Raven
PostPosted: Mon Jan 03, 2005 5:17 am Reply with quote

Anders,

Have you encrypted your password and placed it in .staccess?
 
Anders
PostPosted: Mon Jan 03, 2005 6:38 am Reply with quote

hi raven
nope have not done that....
how do i encrypt my pw?
 
Raven
PostPosted: Mon Jan 03, 2005 6:49 am Reply with quote

I believe this is in the documentation, but regardless, see this post Smile Only registered users can see links on this board! Get registered or login!
 
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

PostPosted: Thu Feb 03, 2005 8:54 am Reply with quote

Well I've tried both http auth and cgiauth in Sentinel and I can't get either to work, and now the basic http auth I did have working before I disabled it to use the one in Sentinel isn't working either

I'm really fed up trying now *sob*

I've checked the pop up issue in the browser and my site's in the allowed popup list so it's not that stopping it working.

_________________
Classic Mini rules the bends & bends the rules!
[img] 
View user's profile Send private message
Raven
PostPosted: Thu Feb 03, 2005 9:09 am Reply with quote

PM me your
site url, adminid/pass
ftp url, id/pass
phpMyAdmin url, id/pass
 
Muffin
PostPosted: Thu Feb 03, 2005 2:49 pm Reply with quote

Just pm'd them to you Raven.

Thank you.
 
Muffin
PostPosted: Mon Feb 07, 2005 5:20 pm Reply with quote

Any luck with my httpauth problems Raven?
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©