Auth User File

(From the Apache documentation)

The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the ServerRoot.

Each line of the user file contains a username followed by a colon, followed by the crypt() encrypted password. The behavior of multiple occurrences of the same user is undefined.

The utility htpasswd, which is installed as part of the binary distribution or can be found in src/support, is used to maintain this password file. See the man page for more details. In short:

htpasswd -c Filename username
Create a password file 'Filename' with 'username' as the initial ID. It will prompt for the password.

htpasswd Filename username2
Adds or modifies in password file 'Filename' the 'username'.

htpasswd Filename username
- should be used when Filename already exists.

Note that searching large text files is very inefficient; AuthDBMUserFile should be used instead.

Security:

Make sure that the AuthUserFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.

Also be aware that null usernames are permitted, and null passwords as well (through Apache 1.3.20). If your AuthUserFile includes a line containing only a colon (':'), a 'Require valid-user' will allow access if both the username and password in the credentials are omitted.
See also AuthName, AuthType and AuthGroupFile.
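
The checks from the Security notes above, as an added example (not part of the Apache documentation or of this wiki page): a small Python audit that flags empty usernames or passwords, including the colon-only line, and repeated usernames, and tests whether the user file resolves to a location under the document tree. The function names, sample entries and paths are constructed for illustration; skipping blank lines and lines starting with '#' is an assumption of this checker.

```python
import os


def audit_userfile_lines(lines):
    """Return (line_number, issue) pairs for the lines of an AuthUserFile."""
    findings = []
    first_seen = {}
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        # Assumption of this checker: blank lines and '#' lines are not entries.
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((number, "no colon separator"))
            continue
        user, password = line.split(":", 1)
        if user == "":
            findings.append((number, "empty username"))
        if password == "":
            findings.append((number, "empty password"))
        # Multiple occurrences of the same user have undefined behavior.
        if user in first_seen:
            findings.append((number, "duplicate user %r" % user))
        else:
            first_seen[user] = number
    return findings


def inside_document_tree(userfile, document_root):
    """True if userfile resolves (symlinks and '..' included) under document_root."""
    resolved_file = os.path.realpath(userfile)
    resolved_root = os.path.realpath(document_root)
    return os.path.commonpath([resolved_file, resolved_root]) == resolved_root


# Constructed sample entries; the password fields are placeholders, not real hashes.
SAMPLE = [
    "alice:CONSTRUCTEDHASH1\n",
    ":\n",                       # the colon-only line described above
    "bob:\n",
    "alice:CONSTRUCTEDHASH2\n",
    "carol\n",
]

if __name__ == "__main__":
    for number, issue in audit_userfile_lines(SAMPLE):
        print("line %d: %s" % (number, issue))
    # Constructed paths: the first sits inside the directory it would protect.
    for path in ("/var/www/html/private/.htpasswd", "/etc/apache/passwd/users"):
        print(path, "inside document tree:", inside_document_tree(path, "/var/www/html"))
```
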

-- MarkPearrow - 02 Feb 2005
Topic revision: 22 Dec 2009, ArthurProkosch
 

MIT Computer Science and Artificial Intelligence Laboratory
