Fun with .htaccess #2: Password Protection
It is possible to password protect an entire folder on a site by putting two files into it. One, .htaccess, specifies that authentication is required, the other, .htpasswd, stores the name and password. Examples are given below.
.htaccess
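# Location of the password file on the file-system (not a URL)
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "[Name of Realm]"
# Basic is the type that matches the file format htpasswd writes;
# Digest needs a file created with htdigest instead
AuthType Basic
require user students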
.htpasswd
students:haCixAg7lGSbg
.htaccess
You don't need to understand everything in the above files. With regard to .htaccess, you can just copy what's above and make some changes. The first line specifies the location of the file with user names and passwords. Note that this specifies the location on the file-system and not on the webserver. For example, if your folder is /~username/private/ on the webserver it may be /home/username/public_html/private on the file-system. Simply put, the URI will not do.
The next line to edit is the AuthName line. This simply gives a unique name to the realm (folder basically) being protected. Replace [Name of Realm] with something that'll be unique across the site. A good rule of thumb is to use the name of the folder you're putting the .htaccess file in.
The other line you need to pay attention to is the last line. Or rather the last word in the last line. This is the user name of the only user allowed to log in. In this case that user is called students. If you want to change the user name, you'll have to change this line, and then make changes to the password file, .htpasswd.
.htpasswd
This file contains the users and their passwords. As you can see, the password is stored in hashed form rather than as plain text. To create a username/password combination, you'll need to use a special utility to create a line, or alternatively a password generating website like this one. It's pretty obvious how it works. Once you've generated the text, copy it and paste it into .htpasswd over the original line.
If you're using some form of Unix, the program you'll need is called htpasswd. It's shipped with the Apache webserver, and may be available if you telnet into your site's server. To use it to create the .htpasswd file, cd into the appropriate folder and type
htpasswd -cb .htpasswd [username] [password]
So, in summary, to protect a part of a site, create the two files with the given names, create a name/password pair in .htpasswd, set up the path to .htpasswd and the username in .htaccess and then upload the two files to the directory you wish to seal.
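An added example, not part of the original tutorial: a small Python check for the two files described above. It flags an AuthUserFile that is not an absolute file-system path, an AuthType Digest paired with htpasswd output, a required user missing from .htpasswd, and weak hash formats. The function names and the sample .htaccess are constructed for illustration; the .htpasswd line is the one shown on this page.

```python
import re

# Constructed sample pair, modelled on the page's example, with deliberate mistakes.
HTACCESS = """\
AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName "private"
AuthType Digest
require user students staff
"""
HTPASSWD = "students:haCixAg7lGSbg\n"  # the example line from this page


def hash_scheme(field):
    """Classify a password field by the formats htpasswd can write."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"
    return "plaintext-or-unknown"


def audit(htaccess, htpasswd):
    """Return findings for one .htaccess/.htpasswd pair (both passed as text)."""
    conf = {}
    for line in htaccess.splitlines():
        name, _, rest = line.strip().partition(" ")
        if name and not name.startswith("#"):
            conf[name.lower()] = rest.strip().strip('"')
    users = dict(l.strip().split(":", 1) for l in htpasswd.splitlines() if ":" in l)
    findings = []
    if not conf.get("authuserfile", "").startswith("/"):
        findings.append("AuthUserFile is not an absolute file-system path")
    # htdigest writes user:realm:hash, so its fields contain a second colon.
    if conf.get("authtype", "").lower() == "digest" and not any(":" in f for f in users.values()):
        findings.append("AuthType Digest needs an htdigest file, not htpasswd output")
    rule = conf.get("require", "").split()
    if rule[:1] == ["user"]:
        findings += [f"required user {u} is not in the password file"
                     for u in rule[1:] if u not in users]
    for user, field in users.items():
        if hash_scheme(field) not in ("bcrypt", "apr1-md5"):
            findings.append(f"user {user} has a weak hash: {hash_scheme(field)}")
    return findings
```

Calling audit(HTACCESS, HTPASSWD) on the constructed pair returns four findings. The 13-character format is flagged because traditional crypt() only uses the first eight characters of the password.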
Setting the FTP/Telnet Password
To set the password you use to FTP or telnet into the site, telnet into your server (e.g. www.bfeeney.uklinux.net), and at the prompt type
passwd
You'll be asked to type in your current password, then the new password, and then the new password a second time. For security reasons the passwd program doesn't show anything you type onscreen. Not even asterisks. It'll just remain blank. Don't worry though, the program does know what you're typing. Try to keep a note of the new password; if you forget it, there's no easy way to fix it.
Note that for security reasons it is very rare these days to find servers, particularly with ISPs, that allow telnet access. Some may offer access through SSH, which is like a secure version of telnet, but even that is rare. To use SSH from the command line, type
ssh -l [your username here] [your server name here]
Once you connect the procedure is almost exactly the same as with telnet.