4f5fe03cbf
plain MD5 encryption and an option to specify additional conditions. Problem reported by Simon Hamilton, request by Markus Liljergren, tested by both.
125 lines
5.4 KiB
Plaintext
125 lines
5.4 KiB
Plaintext
$OpenBSD: patch-USAGE,v 1.2 2008/03/25 23:23:15 simon Exp $
|
|
--- USAGE.orig Mon Sep 10 16:11:37 2001
|
|
+++ USAGE Wed Mar 26 00:10:48 2008
|
|
@@ -28,10 +28,11 @@ can skip to the next phase. Otherwise:
|
|
NOTE: You *don't* have to have this table in a seperate database, you
|
|
can skip creating a new database and use an existing database if it fits
|
|
your needs.
|
|
+
|
|
2. Create the auth table, e.g.:
|
|
prompt> mysql http_auth
|
|
mysql> create table mysql_auth (
|
|
- -> username char(25),
|
|
+ -> username char(25) not null,
|
|
-> passwd char(25),
|
|
-> groups char(25),
|
|
-> primary key (username)
|
|
@@ -48,6 +49,7 @@ can skip to the next phase. Otherwise:
|
|
that, you should have one row in the username/passwd table, and
|
|
multiple rows in the username/group table, one for each group
|
|
the user is in.
|
|
+
|
|
3. Insert the information into the table. Both the username and group fields
|
|
are plaintext, whereas the password field should contain standard UNIX DES
|
|
encrypted passwords (this can be overriden using a directive as well, but
|
|
@@ -62,40 +64,58 @@ Telling apache to protect the page using that informat
|
|
server, and/or you need to specify a password for that user, you'd need
|
|
to add the following line somewhere in your httpd.conf (doesn't really
|
|
matter where):
|
|
+
|
|
Auth_MySQL_Info <host> <user> <password>
|
|
+
|
|
This information can *only* be specified in the server's httpd.conf, since
|
|
it's used server-wide.
|
|
+
|
|
+ you can specify socket name or port number in <host>.
|
|
+ ex.1: Auth_MySQL_Info 'localhost:/tmp/mysql.sock' <user> <password>
|
|
+ ex.2: Auth_MySQL_Info 'remotesrv:3333' <user> <password>
|
|
+
|
|
2. If you're going to use mainly one MySQL database for all of your pages,
|
|
you should probably add the following line to your httpd.conf as well:
|
|
+
|
|
Auth_MySQL_General_DB <database_name>
|
|
+
|
|
The database can be set on a per-directory basis using a different
|
|
directive in .htaccess, as mentioned later in this file.
|
|
+
|
|
3. Create (or update) a file named .htaccess inside the directory you would
|
|
like to protect. Here are a few simple .htaccess files (full
|
|
documentation about the various possible non-MySQL-auth specific directives
|
|
can be obtained from the apache docs):
|
|
+
|
|
|
|
(I) Protect your company's financial information (not recommended to put on
|
|
the web:) to any user that's in the SQL auth table:
|
|
+
|
|
AuthName My Company's Financial Information <-- the realm name, use some informative name
|
|
AuthType Basic <-- keep it that way
|
|
require valid-user <-- allow any valid user to access
|
|
|
|
+
|
|
(II) Allow access only to specific users:
|
|
+
|
|
AuthName My Company's Financial Information <-- the realm name, use some informative name
|
|
AuthType Basic <-- keep it that way
|
|
require user johndoe devnull <-- let only johndoe and devnull access
|
|
|
|
+
|
|
(III) Allow only members of group 'executives' access the information:
|
|
+
|
|
AuthName My Company's Financial Information <-- the realm name, use some informative name
|
|
AuthType Basic <-- keep it that way
|
|
require group executives <-- allow only members of this group to access
|
|
|
|
Note that with Apache 1.3, you would have to encapsulate the AuthName
|
|
with double quotes if it contains spaces, e.g.
|
|
+
|
|
AuthName "My Company's Financial Information"
|
|
|
|
|
|
+
|
|
4. Take a look at the following directives, and see if you need to
|
|
use any of them:
|
|
|
|
@@ -130,16 +150,25 @@ Auth_MySQL_Empty_Passwords on/off
|
|
the page by just specifying their username without any password checking.
|
|
If this is 'Off', they would be denied access. Default: On.
|
|
|
|
-Auth_MySQL_Encryption_Types [Plaintext, Crypt_DES, Crypt_MD5, MySQL]
|
|
+Auth_MySQL_Encryption_Types [Plaintext, Crypt_DES, Crypt_MD5, MySQL, MD5]
|
|
This directive tells the authentication module which encryption type(s)
|
|
to use. It overrides the Auth_MySQL_Scrambled_Passwords and
|
|
Auth_MySQL_Encrypted_Passwords directives if it appears after them.
|
|
More than one encryption type may be specified, to instruct the module to
|
|
check each password through more than one encryption scheme. For example,
|
|
+
|
|
Auth_MySQL_Encryption_Types Plaintext Crypt_DES
|
|
+
|
|
will instruct the module to check each password both as-is, and through
|
|
DES crypt.
|
|
|
|
+ Crypt_MD5: if your system support crypt function which can handle md5,
|
|
+ apache compare password strings by using md5.
|
|
+
|
|
+ MD5: if you choise MD5, your passwd field must have md5 encrypted strings.
|
|
+ in this case, md5 password are stored into MySQL, and,
|
|
+ your system does not need to have crypt_md5 function.
|
|
+
|
|
Auth_MySQL_Encrypted_Passwords on/off
|
|
Whether or not to use standard UNIX DES encrypted passwords. If turned
|
|
on, the module expects the password field to contain standard UNIX DES
|
|
@@ -178,3 +207,13 @@ Auth_MYSQL on/off
|
|
authentication modules (e.g. the flatfile auth module). If it's on,
|
|
and a database name was specified - the MySQL module will be used for
|
|
authentication.
|
|
+
|
|
+
|
|
+Auth_MySQL_Where "strings..."
|
|
+ if you set:
|
|
+
|
|
+ Auth_MySQL_Where "active='Y'"
|
|
+
|
|
+ then, mod_mysql send next SQL statment to MySQL server:
|
|
+
|
|
+ SELECT passwd FROM mysql_auth WHERE username='id' AND active='Y'
|