Ravens PHP Scripts: Forums
 

 

Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Wed Sep 08, 2004 10:31 am Reply with quote

HTTP Authentication is a process that challenges the user to enter an id and password. So, technically, you could write any number of SSI type scripts to do this. This code has been tested on both PHP type of installations, CGI and as an Apache Module.

This is only valid under Apache. You will need 2 files. One is .htaccess and the other is a file to hold the users and passwords that are allowed access to the file. The .htaccess file will be stored in the folder where admin.php is located, which is your root nuke folder. If you already have a .htaccess just add this code to it. Otherwise you will have to create a .htaccess file. Add this code to .htaccess
Code:
<Files RELATIVE_PATH_TO_ID_PASS_FILE>

  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile REAL_PATH_TO_ID_PASS_FILE
</Files>

Now the REAL_PATH_TO_ID_PASS_FILE will be site specific, but many *nix sites have a realpath to your public_html/www folder that looks like this
Code:
/home/USERNAME/public_html/

So, let's assume that your secret file is named mysecretfile. I would make it hidden by naming it .mysecretfile. Now, the contents will be a username:password, like myusername:mysecretpass, except mysecretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you Smile. The salt value can be whatever you like. Save this script as a .php file, like crypt.php
Code:
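<form method='post'>
Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
</form>
<?php
// Hash the submitted password with crypt() using the two-character salt.
// Output is HTML-escaped so the echoed password cannot inject markup into the page.
if (isset($_POST['submit']) && !empty($_POST['pw'])) {
   $salt = isset($_POST['salt']) ? $_POST['salt'] : '';
   echo "Password <b>".htmlspecialchars($_POST['pw'])."</b> translated is <b>".htmlspecialchars(crypt($_POST['pw'], $salt))."</b>";
}
?>
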
So, upon entering your password of 'mysecretpass' with a salt of 'Rv' (remember it can be anything you want), we get an encrypted value of 'RvXXrWfFcualM'. So, we now place myusername:RvXXrWfFcualM in the .mysecretfile. Note that we have also protected snooping eyes from directly accessing .mysecretfile (RELATIVE_PATH_FILE) by adding a 'deny from all' directive in the .htaccess file (you could also chmod the permissions to restrict it). In this instance the path is relative to the location of .htaccess so you would just substitute .mysecretfile. So, translating based on the above, your .htaccess file will look like
Code:
<Files .mysecretfile>

  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>

Now we upload .htaccess and .mysecretfile to the nuke root folder and hopefully when you try to access the admin.php file you will be challenged appropriately. Please note that you cannot use both HTTP Auth in NukeSentinel™ and .htaccess HTTP Auth. It will give the browser a migraine Wink. You can also move the .mysecretfile to any location outside of the root. Just modify the AuthUserFile location. In that case you could also remove the 'deny from all' directive as it is outside of the web root.

Also, here is a quick little diddy to find out your REALPATH. Save this to your root web/nuke folder to discover the path and then delete it!
Code:
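<?php
// Print the absolute filesystem path of index.html in this folder.
// Delete this script once you have noted the path.
echo 'rp = '.realpath('index.html');
?>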

RavensScripts
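The password-file step from the post above, as an added example that is not part of the original post: it builds a `user:hash` line in the DES crypt() format the post uses and in bcrypt, and checks candidate passwords against both. It assumes PHP 7 or later on the command line and, for the bcrypt line, an Apache 2.4 server that accepts bcrypt entries in the AuthUserFile; the function names and the second password are constructed for illustration.

```php
<?php
// Added example (not from the original post). Run: php make_htpasswd.php
// The user name and passwords are sample values.

// Build one "user:hash" line in the DES crypt() format used in the post.
function des_line(string $user, string $password, string $salt): string {
    // Traditional crypt() salts are exactly two characters from ./0-9A-Za-z.
    if (!preg_match('#^[./0-9A-Za-z]{2}$#', $salt)) {
        throw new InvalidArgumentException('salt must be 2 chars from ./0-9A-Za-z');
    }
    return $user . ':' . crypt($password, $salt);
}

// Build one "user:hash" line using bcrypt; the salt is generated randomly.
function bcrypt_line(string $user, string $password): string {
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT);
}

// Check a candidate password against a stored line. crypt() re-derives the
// hash using the scheme and salt embedded in the stored value.
function check_line(string $line, string $password): bool {
    list(, $hash) = explode(':', trim($line), 2);
    return hash_equals($hash, (string) crypt($password, $hash));
}

$des = des_line('myusername', 'mysecretpass', 'Rv');
$bc  = bcrypt_line('myusername', 'mysecretpass');
echo $des, "\n", $bc, "\n";

// DES crypt() only uses the first 8 characters of the password, so a
// different password that shares those 8 characters matches the DES line.
// The bcrypt line distinguishes the two passwords.
foreach (['mysecretpass', 'mysecretXYZ'] as $candidate) {
    echo $candidate, ' vs DES line:    ';
    var_dump(check_line($des, $candidate));
    echo $candidate, ' vs bcrypt line: ';
    var_dump(check_line($bc, $candidate));
}
```

Run it on a workstation rather than uploading it to the web root, and paste the chosen line into the password file.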
 
Raven







PostPosted: Sun Sep 12, 2004 11:26 am Reply with quote

As an addendum to the above post, you can also code for specific user(s) and/or group(s). Suppose you only wanted usernames Bob and Alice to have access. You would code that like
Code:
<Files admin.php> 

   <Limit GET POST PUT>
      require user Bob Alice
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>

And likewise, you could have a group named 'admins' and you could code that as
Code:
<Files admin.php>
   <Limit GET POST PUT>
      require group admins
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/public_html/.mysecretfile
   # 'require group' needs a group file with lines like "admins: Bob Alice"
   AuthGroupFile REAL_PATH_TO_GROUP_FILE
</Files>
 
irandoct
Hangin' Around



Joined: Dec 01, 2003
Posts: 39

PostPosted: Tue Nov 16, 2004 1:57 pm Reply with quote

Dear Raven,
I have followed your directions; however, I receive an internal server error message. This is my .htaccess content:
Code:
<Files .kimia>

  deny from all
</Files><Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>

and also my .kimia content is :
Code:
admin:11OociDP8zsBQ

my test password is : 321 and salt value is : 11
What's wrong?
Regards
 
Raven







PostPosted: Tue Nov 16, 2004 2:06 pm Reply with quote

Try
Code:
<Files .kimia> 

  deny from all
</Files>
<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>
 
RTS-Bone
New Member



Joined: Jun 20, 2004
Posts: 9

PostPosted: Fri Dec 24, 2004 4:37 pm Reply with quote

I have read everything you said, I have done everything you told me to. I tried this last thing. Result: DOESN'T work Sad ARGHHHHHHHHHHHHH

I've spent this whole Christmas day trying to figure out how to do this and I couldn't!

I'm using PHP-Nuke 7.5 ... after I do everything, it asks me for password & username, and then it keeps asking me... until an error occurs... Bang Head
 
Raven







PostPosted: Sat Dec 25, 2004 10:12 pm Reply with quote

irandoct wrote:
Dear Raven,
I have followed your directions; however, I receive an internal server error message. This is my .htaccess content:
Code:
<Files .kimia>

  deny from all
</Files><Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/iranport/public_html/demo/.kimia
</Files>

and also my .kimia content is :
Code:
admin:11OociDP8zsBQ

my test password is : 321 and salt value is : 11
What's wrong?
Regards

This is only a guess, but try breaking up
</Files><Files admin.php> into
</Files>
<Files admin.php>
 
RTS-Bone







PostPosted: Sun Dec 26, 2004 10:23 am Reply with quote

Thanks, but I tried both...
 
djdiz-e
Regular



Joined: Dec 19, 2004
Posts: 51
Location: Ontario, Canada

PostPosted: Sun Dec 26, 2004 2:10 pm Reply with quote

I have a little problem.
I have subdomains running PHP-Nuke, and the subdomains are subdirectories in the public_html folder. When I set up CGIAuth and the subdomain owner tries to access their admin.php, it pops up and asks them to authenticate. They don't have Sentinel installed, so is there any way I can stop this from happening?

Right now I'm just using HTTPAuth, which seems to work fine, but I'd like to use CGIAuth if possible.

And is there a difference in security between HTTPAuth and CGIAuth?
Which is better?
 
Raven







PostPosted: Sun Dec 26, 2004 2:20 pm Reply with quote

You would need to put another .htaccess file in the subdomain folder that turns Authenticate off.
 
djdiz-e







PostPosted: Sun Dec 26, 2004 2:29 pm Reply with quote

so what would i put in that file?

Quote:
AuthAuthoritative Off



thanks for the help raven Smile
i love NukeSentinel™
its the best thing i ever added to my php-nuke site
RavensScripts
 
Raven







PostPosted: Sun Dec 26, 2004 2:43 pm Reply with quote

I think you want AuthType None
 
SV_JJSKID
New Member



Joined: Sep 06, 2004
Posts: 11

PostPosted: Sun Jan 02, 2005 7:22 pm Reply with quote

Hi All,

Hope everyone had fun over the holidays.

I have a couple of quick questions about 7.5...

I used the patched version from this site, got it installed and running. Applied the latest set of patches to it.
I installed Sentinel uni 2.1.3 and got that running too.

The simple question:
What other security add-ons can and should I be running on 7.5? What are others using?

The more involved question:
I used the .htaccess and .mysecretfile method that was described in this post for HTTP Authentication and it works good. My question is does that make the option in Sentinel for .staccess pointless or do I need to use the .staccess too? Is it the same thing or...? I'm confrused

Thanks
 
Raven







PostPosted: Sun Jan 02, 2005 8:11 pm Reply with quote

You only need NukeSentinel, seriously. You can use either HTTPAuth or CGIAuth, or both, although that would be rather cumbersome.
 
Chip
New Member



Joined: Jan 02, 2005
Posts: 9

PostPosted: Sun Jan 02, 2005 11:19 pm Reply with quote

I don't seem to have the option for HTTPAuth and CGIAuth isn't Auth'ing. If I could get either working, I'd be grateful. I have Sentinel 2.1.3a and PHPNuke 7.6. .htaccess is
Code:
# -FrontPage-


IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
#<Files .staccess>
#deny from all
#</Files>

#<Files admin.php>
#<Limit GET POST PUT>
#require valid-user
#</Limit>
#AuthName "Restricted by NukeSentinel(tm)"
#AuthType Basic
#AuthUserFile .staccess
#</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

<Limit GET POST>
#The next line modified by DenyIP
order allow,deny
#The next line modified by DenyIP
#deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName [ Only registered users can see links on this board! Get registered or login! ]
AuthUserFile /home/clanbe01/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/clanbe01/public_html/_vti_pvt/service.grp

<Files 403.shtml>
order allow,deny
allow from all
</Files>



RedirectMatch temp ^/index.html$ http://www.clanbeowulf.org/index.php

deny from 195
deny from 219
deny from 200
deny from 213
deny from 193
deny from 12.42.86.122
deny from 202
deny from 203
deny from 80
deny from 69.56.145.164
deny from 67.19.107.242
deny from 69.93.213.58
deny from 64.94.116.60

Yes, I uncomment the CGIAuth section when I want to try it.
.staccess is being written to. Popups just never authenticate.
So if I can get them to authenticate or use HTTPAuth, I'm in biz.
 
Chip







PostPosted: Sun Jan 02, 2005 11:30 pm Reply with quote

I answered part of my own question. I didn't put the complete path to the .staccess.
Ok, now that works. Can anyone now tell me why I don't get the option for HTTPAuth?
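A small .htaccess check for the mistakes that come up in this thread (two section tags run together on one line, an AuthUserFile that is not a complete path, and `require group` with no group file), as an added example that is not code from any poster or from NukeSentinel. The function name, the rule wording and the sample file are constructed for illustration, and Unix-style paths are assumed.

```php
<?php
// Added example, not code from the thread. Flags three .htaccess mistakes
// discussed in the posts above; the rule wording is this example's own.
function lint_htaccess(string $text): array {
    $problems = [];
    // Is there an AuthGroupFile directive on any uncommented line?
    $hasGroupFile = (bool) preg_match('/^\s*AuthGroupFile\s/mi', $text);
    foreach (preg_split('/\R/', $text) as $i => $raw) {
        $n = $i + 1;
        $line = trim($raw);
        if ($line === '' || $line[0] === '#') {
            continue; // blank line or comment
        }
        // A section tag followed by anything else on the same line.
        if (preg_match('/^<[^>]*>\s*\S/', $line)) {
            $problems[] = "line $n: put each <...> tag on its own line";
        }
        // Relative AuthUserFile: Apache resolves it against ServerRoot,
        // not against the directory that holds the .htaccess file.
        if (preg_match('/^AuthUserFile\s+"?([^"\s]+)/i', $line, $m)
            && $m[1][0] !== '/') {
            $problems[] = "line $n: AuthUserFile '{$m[1]}' is not an absolute path";
        }
        // "require group" needs a group file to look the group up in.
        if (preg_match('/^require\s+group\b/i', $line) && !$hasGroupFile) {
            $problems[] = "line $n: 'require group' used without AuthGroupFile";
        }
    }
    return $problems;
}

// Constructed sample that combines the three mistakes.
$sample = <<<'HT'
<Files .kimia>
  deny from all
</Files><Files admin.php>
   <Limit GET POST PUT>
      require group admins
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile .staccess
</Files>
HT;

foreach (lint_htaccess($sample) as $problem) {
    echo $problem, "\n";
}
```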
 
SV_JJSKID







PostPosted: Mon Jan 03, 2005 12:39 am Reply with quote

Cool it all works thanks Raven!


Chips: Check out the Admin Auth List on your Sentinel admin menu. You might have to build the file. But get your answer from the experts to be sure.
 
Anders
Worker



Joined: Jun 16, 2004
Posts: 159
Location: Sweden

PostPosted: Mon Jan 03, 2005 4:01 am Reply with quote

Hi!
I have a real problem with this!!
When I activate....... Save this in /usr/home/web/nuki/.htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /usr/home/web/nuki/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------

And when I have done that, I can't access my site
.........and I have done the chmod too...is there anything more I need to do???
 
Raven







PostPosted: Mon Jan 03, 2005 5:16 am Reply with quote

Chip wrote:
I answered part of my own question. I didn't put the complete path to the .staccess.
Ok, now that works. Can anyone now tell me why I don't get the option for HTTPAuth?

If PHP is not compiled as an Apache module, you have to use CGIAuth. NukeSentinel does a check and will not make it available since you can't use it anyway.
 
Raven







PostPosted: Mon Jan 03, 2005 5:17 am Reply with quote

Anders,

Have you encrypted your password and placed it in .staccess?
 
Anders







PostPosted: Mon Jan 03, 2005 6:38 am Reply with quote

hi raven
nope have not done that....
how do i encrypt my pw?
 
Raven







PostPosted: Mon Jan 03, 2005 6:49 am Reply with quote

I believe this is in the documentation, but regardless, see this post Smile [ Only registered users can see links on this board! Get registered or login! ]
 
Muffin
Client



Joined: Apr 10, 2004
Posts: 649
Location: UK

PostPosted: Thu Feb 03, 2005 8:54 am Reply with quote

Well I've tried both http auth and cgiauth in Sentinel and I can't get either to work, and now the basic http auth I did have working before I disabled it to use the one in Sentinel isn't working either

I'm really fed up trying now *sob*

I've checked the pop up issue in the browser and my site's in the allowed popup list so it's not that stopping it working.

_________________
Classic Mini rules the bends & bends the rules!
Raven







PostPosted: Thu Feb 03, 2005 9:09 am Reply with quote

PM me your
site url, adminid/pass
ftp url, id/pass
phpMyAdmin url, id/pass
 
Muffin







PostPosted: Thu Feb 03, 2005 2:49 pm Reply with quote

Just pm'd them to you Raven.

Thank you.
 
Muffin







PostPosted: Mon Feb 07, 2005 5:20 pm Reply with quote

Any luck with my httpauth problems Raven?
 
All times are GMT - 6 Hours
 