WebDevelopersJournal.com: Tips on Web Page Design, HTML and Graphics

htpasswd or the Equivalent

by Gary Lee
January 10, 1999

Keep those out who should not be there using htpasswd.

Sometimes people like to restrict access to particular sections of their Web sites. These sections might include internal documents, private messages, or images of the company Christmas party that explain the weird marks on the conference table.

An easy way of doing this is using the Basic HTTP Authentication method. UNIX Web servers should support this method, and you don't have to bother the sysadmin from her lair if you can write a couple of files on your own (note, in some circumstances the sysadmin will still need to set up the server to access your files).

How does it work?

The quickest, easiest way to restrict access using one username and password requires you to write two text files. The first one is called ".htaccess" and is placed in the directory you wish to restrict.

For example, if the files I'm protecting are in /somedir/magazine/tech/articles/a01/, in that directory I have a file named .htaccess that looks like:

AuthUserFile /someotherdir/.htpasswd
AuthGroupFile /dev/null
AuthName "My Dog Did A Meep On The Rug"
AuthType Basic

<LIMIT GET>
require user Xena
</LIMIT>

The bottom three lines indicate that only Xena, my dream warrior of love, can access the directory this file is in. Note that <LIMIT GET> applies the "require" line to GET requests only; requests using other methods, such as POST, are not covered by it. The top line contains the location of the password for Xena (/someotherdir/.htpasswd). The AuthGroupFile line is used when you want to have multiple usernames. In this case, there is only one user name, so we point this line to the UNIX black hole of nothingness, /dev/null. The third line is the title of the authentication message box that pops up, while the fourth line indicates that this uses Basic authentication. There are other types, but this is the easiest (and least secure: the username and password cross the network merely encoded, not encrypted).

The second file written for this example is one line...but oh what a line. The file is called ".htpasswd", and its location is described in the first line of ".htaccess".

/someotherdir/.htpasswd looks like:

Xena:p,/gLB5VOKSjU

To the left of the colon is Xena, my dream warrior of love. To the right is what happens to the word "warrior" after you munge it through the UNIX function crypt. The easiest way to make this file is to bribe your sysadmin into getting the program "htpasswd". It is sometimes included with the Web server, so she might not have to look far.

If you do have access to "htpasswd", then the above file would be created like this:

htpasswd -c /someotherdir/.htpasswd Xena

You would be asked to type in the password, the appropriate file would be made, and you can put "Web Security Expert" in your resumé. Just kidding...you can only put "Web Security Technician".

Unfortunately, my sysadmin doesn't listen to me, mainly because he is jealous of my good looks. So I used Perl's crypt function:

perl -e 'print crypt("warrior",",9r-jdQI8,.")'

You can insert whatever random junk you want as the second argument for the crypt function. Crypt uses it to help munge up the first argument; traditional crypt only looks at the first two characters of it. There are a zillion ways to do it...just ask the nearest person who has that permanent "computer dork" slouch. Anyway, place the output to the right of the colon next to your username, and you are done. You may now put "Perl Encryption Programming Expert" in your resumé.

But I want multiple usernames...

OK, change the ".htaccess" file so it looks like:

AuthUserFile /someotherdir/.htpasswd
AuthGroupFile /someotherdir/.htgroup
AuthName "My Dog Did A Meep On The Rug"
AuthType Basic

<LIMIT GET>
require group allowed
</LIMIT>

See how "AuthGroupFile" points to a file, instead of the black hole /dev/null? Also, the "require" line names a group name ("allowed") instead of a single user name ("Xena", dream warrior of love).

Next, make the ".htgroup" file mentioned above:

allowed: Xena Herc bob obiwan

If you guessed that only the usernames "Xena", "Herc", "bob", and "obiwan" would be allowed access, you are correct and can put "Mensa-qualified" on your resumé.

Finally, add the passwords to the ".htpasswd" file. If you are using the "htpasswd" program, you leave out the "-c" if the file already exists. The "-c" stands for "create the file", and using it on an existing file replaces that file, dropping the users already in it.

Hence, you might execute the following commands:

htpasswd -c /someotherdir/.htpasswd Xena
htpasswd /someotherdir/.htpasswd Herc
htpasswd /someotherdir/.htpasswd bob
htpasswd /someotherdir/.htpasswd obiwan

Or you could manually munge the passwords and create the file so it looks like:

Xena:w93,voe9tkhlT
Herc:Nf04kOPl2kf14
bob:BiIEjg8y75JFD
obiwan:NBuY64rNDczGM

Voila. Remember:

  1. Make the .htaccess file
  2. Make the .htgroup file if necessary
  3. Make the .htpasswd file
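
A consistency check for the three files in the checklist above, as an added example that is not part of the original article: it cross-checks .htaccess, .htgroup and .htpasswd and reports group members with no password entry, "require" lines scoped to specific methods by <LIMIT>, and password entries stored in legacy formats. The sample file contents are constructed from the article's examples (with obiwan's password entry deliberately left out), and the function names are this example's own.

```python
import re

# Constructed sample files, modelled on the article's multi-user example.
HTACCESS = """\
AuthUserFile /someotherdir/.htpasswd
AuthGroupFile /someotherdir/.htgroup
AuthName "My Dog Did A Meep On The Rug"
AuthType Basic

<LIMIT GET>
require group allowed
</LIMIT>
"""
HTGROUP = "allowed: Xena Herc bob obiwan\n"
HTPASSWD = "Xena:w93,voe9tkhlT\nHerc:Nf04kOPl2kf14\nbob:BiIEjg8y75JFD\n"  # obiwan omitted

def hash_scheme(h):
    """Classify an htpasswd hash field by its prefix and length."""
    if h.startswith("$2y$"): return "bcrypt"
    if h.startswith("$apr1$"): return "apr1-md5"
    if h.startswith("{SHA}"): return "sha1-unsalted"
    return "des-crypt" if len(h) == 13 else "unknown"

def audit(htaccess, htgroup, htpasswd):
    """Return a list of findings from cross-checking the three files."""
    findings = []
    users = dict(l.split(":", 1) for l in htpasswd.splitlines() if ":" in l)
    pairs = (l.split(":", 1) for l in htgroup.splitlines() if ":" in l)
    groups = {n.strip(): m.split() for n, m in pairs}
    # A <Limit> block applies its contents only to the methods it lists.
    for m in re.finditer(r"<limit\s+([^>]*)>(.*?)</limit>", htaccess, re.I | re.S):
        if re.search(r"^\s*require\b", m.group(2), re.I | re.M):
            findings.append(f"require applies only to methods: {m.group(1).split()}")
    for kind, names in re.findall(r"^\s*require\s+(user|group)\s+(.+)$", htaccess, re.I | re.M):
        for name in names.split():
            if kind.lower() == "group" and name not in groups:
                findings.append(f"group {name!r} not defined in group file")
            members = groups.get(name, []) if kind.lower() == "group" else [name]
            for u in members:
                if u not in users:
                    findings.append(f"user {u!r} has no password entry")
    for u, h in users.items():
        if hash_scheme(h) in ("des-crypt", "sha1-unsalted"):
            findings.append(f"user {u!r} uses weak scheme {hash_scheme(h)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(HTACCESS, HTGROUP, HTPASSWD)))
```

The 13-character entries produced by crypt are reported because that format is the oldest one htpasswd files can hold; entries beginning with $apr1$ or $2y$ pass this check.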

And now you can make others imagine how those marks on the conference table got there.

For more information, see the sequel to this article, Zen II, Password Incorrect - more about setting up password protection.



Gary Lee was a co-owner of meep! media inc. (www.meep.com), an Internet and Intranet consulting company now gone the way of many good Internet companies and under new ownership. He was also one of the programmers, and creator of meep! media's first product, meep!Board, a message board system.