
New password:

Re-type new password:</FONT></PRE>

<P>The passwords won't be displayed on the terminal as you type, so as a security measure, htpasswd will ask for the password twice. If the username you entered exists, htpasswd will ask you for the new password.

<BR>

<P>You can create as many password files as you like. However, you'll have to use different filenames to reference them.

<BR>

<BLOCKQUOTE>

<BLOCKQUOTE>

<HR ALIGN=CENTER>

<BR>

<NOTE>Do not put a password file in the directory you are trying to protect. The best place for a password file is outside of your server's document root. </NOTE>

<BR>

<HR ALIGN=CENTER>

</BLOCKQUOTE></BLOCKQUOTE>

<BR>

<A NAME="E69E187"></A>

<H4 ALIGN=CENTER>

<CENTER>

<FONT SIZE=4 COLOR="#FF0000"><B>Managing DBM and DB Password Databases with dbmmanage</B></FONT></CENTER></H4>

<BR>

<P>If you have more than a few visitors that you need to authenticate, you'll want to use DBM or DB password databases, because password lookups using hashed databases are much more efficient. To manage DBM password files, you'll use the dbmmanage script. dbmmanage is a Perl script, so you'll need to have Perl installed. Perl is an interpreted programming language that is widely used for CGI program development. The dbmmanage script is located in the support directory. You may have to edit the location of the Perl binary on the first line of the script to match the location of your copy. You'll also need to set the execute bit on the script so that your shell will execute it. The syntax of the dbmmanage program is

<BR>

<BR>

<PRE>

<FONT COLOR="#000080">dbmmanage <I>dbmfile</I> [adduser] [add] [delete] [view] <I>username</I> <I>password</I> <I>group</I></FONT></PRE>

<P>The name of your DBM database is <I>dbmfile</I>; if it doesn't exist, it will be created for you. Note that DBM databases may be implemented as two files: <I>dbmfile</I>.pag and <I>dbmfile</I>.dir. The hashed database routines need them both to operate correctly. DBM files are not human readable; they contain binary information. Don't try to edit them by hand or alter their contents with anything besides the dbmmanage tool.

<BR>

<BLOCKQUOTE>

<BLOCKQUOTE>

<HR ALIGN=CENTER>

<BR>

<NOTE>When I refer to <I>dbmfile</I> I am talking about the base name of the file without the .pag or .dir extensions! The DBM code used to access the files automatically references whichever of these files it needs to work with. All your references to DBM files should just specify the base name of the file, excluding any suffixes.</NOTE>

<BR>

<HR ALIGN=CENTER>

</BLOCKQUOTE></BLOCKQUOTE>

<P>adduser is the option you'll use for adding users to your database; it encrypts the <I>password</I> field. You can specify as many groups as you like. Just separate them with a comma (,) without any surrounding whitespace. Note that the password is supplied in clear text on the command line and is echoed back in the output. Here's an example:

<BR>

<PRE>

<FONT COLOR="#000080"># support/dbmmanage passwords/password adduser user1 pw group1,group2

User user1 added with password pw:group1,group2, encrypted to XXZx5yHFQJRp.: group1,group2

# support/dbmmanage passwords/password adduser user2 pw group2

User user2 added with password pw:group2, encrypted to XXZx5yHFQJRp.:group2</FONT></PRE>

<P>The add option adds a key/value pair. You can use this to add descriptions or notes to your DBM file. Just make sure the key you choose doesn't overwrite a username. Also, if your value has more than one word, quote the contents:

<BR>

<BR>

<PRE>

<FONT COLOR="#000080"># dbmmanage dbmfile add <I>key</I> &quot;<I>This is a multiword value&quot;</I></FONT></PRE>

<P>The delete option deletes an entry matching <I>key</I>:

<BR>

<BR>

<PRE>

<FONT COLOR="#000080"># dbmmanage <I>dbmfile</I> delete <I>key</I></FONT></PRE>

<P>The view option displays all entries in <I>dbmfile</I>:

<BR>

<PRE>

<FONT COLOR="#000080"># support/dbmmanage passwords/password view

user1 = XXZx5yHFQJRp.:group1,group2

user2 = XXZx5yHFQJRp.:group2</FONT></PRE>

<BR>

<A NAME="E68E167"></A>

<H3 ALIGN=CENTER>

<CENTER>

<FONT SIZE=5 COLOR="#FF0000"><B>Group Authentication</B></FONT></CENTER></H3>

<BR>

<P>Besides authenticating users on an individual basis, you can group users. This grouping process is similar to the grouping concept used for permissions under UNIX. Grouping users is a convenient method for providing a finer degree of access control. It allows you to manage many users as a single entity.

<BR>

<P>If you require membership in a particular group as a condition for accessing materials, then users not only need to provide a valid login and password, but they also need to be members of the specific group in order to gain access.

<BR>

<P>To enable group authentication for your document root, you'll need to edit your AuthGroupFile directive to point to a valid group file. As in the previous section, the directive you use to specify the location of your group file will vary depending on the module you use to provide the authentication. AuthGroupFile is available in the base release because the module mod_auth is compiled by default into Apache. The other variants, AuthDBMGroupFile and AuthDBGroupFile, are available if you reconfigure and recompile Apache to include mod_auth_dbm or mod_auth_db, respectively. Here's a sample configuration:

<BR>

<PRE>

<FONT COLOR="#000080">&lt;Directory /usr/local/etc/httpd/htdocs&gt;

 AllowOverride None

<I> </I><I>AuthUserFile /usr/local/etc/httpd/passwords/passwordfile</I>

<I> </I><I>AuthGroupFile /usr/local/etc/httpd/passwords/groupfile</I>

 AuthName These documents are only available to authorized users in our domain name

 AuthType Basic

 &lt;Limit Get&gt;

 require group <I>group1 group2 ...</I>

 order deny,allow

 deny from all

 allow from <I>domain</I>

 &lt;/Limit&gt;

&lt;/Directory&gt;</FONT></PRE>

<P>The only changes made to the previous section were to the AuthGroupFile directive. Previously, I disabled group authentication by pointing it to /dev/null as the group file. I also modified the require directive. Earlier I was allowing any valid users in the password file. Now I am requiring that, besides being in the password file, the user belong to either <I>group1</I> or <I>group2</I>.

<BR>

<P>As previously, both the directive and the file used for group authentication depend on the module you are using:

<BR>



<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="80%" CELLPADDING=2 >

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

<BR>

<P ALIGN=CENTER>

<CENTER>

<FONT COLOR="#000080"><B>Module</B></FONT></CENTER>

<BR>

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

<BR>

<P ALIGN=CENTER>

<CENTER>

<FONT COLOR="#000080"><B>Group Authentication Directive</B></FONT></CENTER>

<BR>

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

mod_auth

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

AuthGroupFile <I>groupfile</I>

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

mod_auth_dbm

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

AuthDBMGroupFile <I>dbmgroupfile</I>

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

mod_auth_db

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

AuthDBGroupFile <I>dbgroupfile</I></FONT>

</TABLE><P>To create a group file for use with the mod_auth module (AuthGroupFile directive), you'll need a text editor.

<BR>

<P>The format of the file is simple:

<BR>

<BR>

<PRE>

<FONT COLOR="#000080"><I>groupname: user1 user2 user3 ...</I></FONT></PRE>

<P><I>groupname</I> is the name for the group, <A NAME="I4"></A>followed by a colon (:), and then followed by a list of usernames that appear in the password file, separated by spaces. Different groups are separated by a newline (\n) character:

<BR>

<PRE>

<FONT COLOR="#000080">group1: user1 user2 user3

group2: user2 user3</FONT></PRE>

<P>You'll need to restart httpd for your changes to take effect.
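
<P>A group file is only useful if every member it names also has an entry in the password file. The following check is an added example, not code from the original guide or from Apache. It assumes the password file uses one <I>username:encrypted-password</I> entry per line; the sample file contents, the hash placeholders and the function names are constructed for illustration.

```python
# Added example: cross-check an AuthGroupFile against an AuthUserFile.
# Sample data below is constructed; function names are hypothetical.

def parse_group_file(text):
    """Parse 'groupname: user1 user2 ...' lines into {group: set(users)}."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'groupname: users'")
        # A group may be spread over several lines; merge its members.
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def parse_password_users(text):
    """Return usernames from 'username:encrypted-password' lines."""
    return {l.split(":", 1)[0].strip() for l in text.splitlines()
            if ":" in l and not l.lstrip().startswith("#")}

def orphaned_members(groups, users):
    """Group members with no password entry; they can never log in."""
    return {g: sorted(m - users) for g, m in groups.items() if m - users}

def satisfies_require_group(user, required, groups):
    """'require group g1 g2' passes if the user is in ANY listed group."""
    return any(user in groups.get(g, ()) for g in required)

GROUP_FILE = """\
group1: user1 user2 user3
group2: user2 user3
"""
PASSWORD_FILE = """\
user1:XXconstructedHash1
user2:XXconstructedHash2
"""

if __name__ == "__main__":
    groups = parse_group_file(GROUP_FILE)
    users = parse_password_users(PASSWORD_FILE)
    print("members without a password entry:", orphaned_members(groups, users))
    print("user1 passes 'require group group2':",
          satisfies_require_group("user1", ["group2"], groups))
```

<P>Run it against copies of the real files before restarting httpd; a member reported as orphaned is usually a typo in the group file or a user who was removed from the password file but not from the groups.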

<BR>

<P>If you are using mod_auth_dbm or mod_auth_db, the group management process is a little easier. dbmmanage allows you to specify group memberships right in the password file.

<BR>

<P>Using the adduser option to dbmmanage, you can assign group memberships at the same time you add a user. You can specify as many groups as you like for each user. Just separate them with a comma (,) without any surrounding whitespace:

<BR>

<PRE>

<FONT COLOR="#000080"># support/dbmmanage passwords/password adduser user1 pw group1,group2

User user1 added with password pw:group1,group2, encrypted to XXZx5yHFQJRp.: group1,group2

# support/dbmmanage passwords/password adduser user2 pw group2

User user2 added with password pw:group2, encrypted to XXZx5yHFQJRp.:group2</FONT></PRE>

<P>Then all you need to do is reference the same password file for group information:

<BR>

<PRE>

<FONT COLOR="#000080"> AllowOverride None

<I> </I><I>AuthDBMUserFile /usr/local/etc/httpd/passwords/passwordfile</I>

<I> </I><I>AuthDBMGroupFile /usr/local/etc/httpd/passwords/passwordfile</I>

 AuthName These documents are only available to authorized users in our domain name

 AuthType Basic

 &lt;Limit Get&gt;

 require group <I>group1 group2  </I>

 order deny,allow

 deny from all

 allow from <I>domain</I>

 &lt;/Limit&gt;</FONT></PRE>

<P>In case it was not obvious, the examples have been using two or more forms of authentication at the same time. Using domain-level access plus user and group authentication methods provides additional levels of security because users need to meet several criteria before gaining access: They need to access the material from a specified domain, then they need to have a valid login and password, and finally their login name must belong to a group.
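
<P>Because the DBM file holds both the password hash and the group list for each user, the listing printed by the view option can be audited in one pass. The following is an added example, not code from the original guide or from dbmmanage. The function names are hypothetical, the input is the view listing shown earlier on this page, and the duplicate-hash check assumes the stored values are crypt()-style hashes.

```python
# Added example: audit the text printed by 'dbmmanage <dbmfile> view'.
# Function names are hypothetical; the listing is the one shown on this page.
from collections import defaultdict

VIEW_OUTPUT = """\
user1 = XXZx5yHFQJRp.:group1,group2
user2 = XXZx5yHFQJRp.:group2
"""

def parse_view(text):
    """Parse 'user = hash:group1,group2' lines into {user: (hash, groups)}."""
    entries = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        user, value = (part.strip() for part in line.split("=", 1))
        pw_hash, _, grouplist = value.partition(":")
        groups = {g.strip() for g in grouplist.split(",") if g.strip()}
        entries[user] = (pw_hash.strip(), groups)
    return entries

def group_members(entries):
    """Invert to {group: [users]}, the view that 'require group' cares about."""
    members = defaultdict(list)
    for user, (_, groups) in sorted(entries.items()):
        for g in sorted(groups):
            members[g].append(user)
    return dict(members)

def shared_hashes(entries):
    """Users whose stored hash strings are identical."""
    # Assumption: crypt()-style hashes. Identical strings then mean the same
    # salt and the same password, so these accounts need distinct passwords.
    by_hash = defaultdict(list)
    for user, (pw_hash, _) in sorted(entries.items()):
        by_hash[pw_hash].append(user)
    return {h: u for h, u in by_hash.items() if len(u) > 1}

def ungrouped_users(entries):
    """Users with no group, who can never satisfy 'require group'."""
    return sorted(u for u, (_, groups) in entries.items() if not groups)
```

<P>On the listing from this page, shared_hashes reports user1 and user2 together, because both were added with the same password and received the same hash string.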

<BR>

<BR>

<A NAME="E68E168"></A>

<H3 ALIGN=CENTER>

<CENTER>

<FONT SIZE=5 COLOR="#FF0000"><B>Summary</B></FONT></CENTER></H3>

<BR>

<P>As mentioned earlier, the access control and authentication methods provided by Apache can help to make your server relatively safe; however, no single mode of protection is bulletproof. If you can trust your DNS, then access control is a safe method for restricting access.

<BR>

<P>Passwords are transmitted in clear text form; they are encoded only to ensure that they arrive intact. This encoding does not provide an encryption layer, so any user along the network could intercept a request to your server and decode the password. Finally, even if you trust that no one will listen for passwords, remember that transactions on plain vanilla versions of Apache are not encrypted. Your materials are sent in world-readable form.

<BR>

<P>Beginning with Apache 1.1, some new authentication modules and methods are available. One of them, mod_auth_msql, allows you to store authentication information on a relational database (mSQL). For more information on how to use the mod_auth_msql directives, please refer to <A HREF="asg10.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg10.htm">Chapter 10</A>.<A NAME="I5"></A>

<BR>



</BODY></HTML>




