# .htaccess and .htpasswd password not good and error log

## eltech

so I set up my .htaccess and .htpasswd files..

my .htaccess file looks like:

```
AuthType Basic
AuthGroupFile /dev/null
AuthUserFile /home/eltech/www/htdocs/mydomain.com/.htpasswd
AuthName "Triple FX Trading Associates Member Entrance"
require valid-user
```

the .htpasswd I created at: http://www.zappersoftware.com/Help/md5.php

I did a chmod 755 on this file and chown apache:apache

```
eltech:password
```

the password box pops up... but the password is not accepted..

error log shows this..

```
[Tue Jun 28 05:52:19 2005] [error] [client 24.115.50.222] (13)Permission denied: Could not open password file: /home/eltech/www/htdocs/mydomain.com/.htpasswd, referer: http://www.mydomain.com/serendipity_admin.php?
```

the referring page is obviously the page I'm trying to access...

any ideas? thanks in advance..

----------

## adaptr

First of all, do not place htpasswd files in your web structure - this is a needless security risk.

Second - just use htpasswd to maintain the file, okay?

It's there for a reason.

```
htpasswd -b -m -c /home/eltech/www/htpasswd <username> <password>
```

----------

## Kruegi

Check the permission of the .htpasswd file.

DON'T use websites for password generation!

The website's owner may log your passwords.

Use the htpasswd2 tool instead.

Thomas

----------

## eltech

*adaptr wrote:*

> First of all, do not place htpasswd files in your web structure - this is a needless security risk.
> 
> Second - just use htpasswd to maintain the file, okay ?
> 
> It's there for a reason.
> ...

adaptr.. thank you.. it now works with no problems.. thanks.. a few questions..

- I moved the file to a subdirectory, is that ok.. EXAMPLE: /home/eltech/www/passwd/.htpasswd as opposed to: /home/eltech/www/.htpasswd .. is that safer? if not, please advise.. thanks..

- to add more users, should I just repeat the same procedure used to create the initial user?

----------

## eltech

*Kruegi wrote:*

> Check the permission of the .htpasswd file.
> 
> DON'T use websites for password generation!
> 
> The website's owner may log your passwords.
> ...

Kruegi, I didn't consider this.. all passwords have been changed and it doesn't seem anyone has logged in.. now I know.. thanks for the heads up!  :Shocked:

----------

## eltech

Actually it seems all I had to do was: `htpasswd -b -m /home/eltech/www/htpasswd <username> <password>`

just removing the `-c`

thanks again. what about my other question..

----------
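The "(13)Permission denied" from the first post, together with Kruegi's "check the permission" and adaptr's "keep it out of the web tree" advice, as an added diagnostic script (not code from the thread). It assumes the Apache worker runs as the constructed uid/gid 4848 and checks, for a given AuthUserFile, the read bit on the file, the search (x) bit on every parent directory, and whether the file sits inside DocumentRoot:

```python
import os
import stat

# Constructed identity for the Apache worker; on a live system look up the
# User/Group directives from httpd.conf (pwd.getpwnam) instead.
APACHE_UID, APACHE_GID = 4848, 4848


def _allows(st, uid, gid, owner_bit, group_bit, other_bit):
    """Does a process running as uid/gid get the requested bit on this inode?"""
    if uid == 0:
        return True  # root bypasses DAC checks
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def _ancestors(directory):
    """'/' first, then each directory on the way down to `directory`."""
    chain = []
    while True:
        chain.append(directory)
        parent = os.path.dirname(directory)
        if parent == directory:
            return reversed(chain)
        directory = parent


def check_auth_user_file(path, uid=APACHE_UID, gid=APACHE_GID, document_root=None):
    """Return a list of findings; an empty list means Apache can open the file."""
    path = os.path.abspath(path)
    findings = []
    # chmod/chown on the file alone is not enough: every parent directory needs
    # the search (x) bit, the usual cause of "(13)Permission denied" on open.
    for d in _ancestors(os.path.dirname(path)):
        if os.path.isdir(d):
            st = os.stat(d)
            if not _allows(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                findings.append(f"{d}: not searchable by uid {uid} (mode {st.st_mode & 0o777:o})")
    if not os.path.isfile(path):
        return findings + [f"{path}: does not exist"]
    st = os.stat(path)
    if not _allows(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        findings.append(f"{path}: not readable by uid {uid} (mode {st.st_mode & 0o777:o})")
    # adaptr's point: the password file does not belong under the web tree.
    if document_root and path.startswith(os.path.abspath(document_root) + os.sep):
        findings.append(f"{path}: inside DocumentRoot {document_root}, move it out of the web tree")
    return findings
```

Run it as `check_auth_user_file("/home/eltech/www/htdocs/mydomain.com/.htpasswd", document_root="/home/eltech/www/htdocs")` and fix each finding from the top of the tree down.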

## j4nn3

*Quote:*

> - I moved the file to a subdirectory, is that ok.. EXAMPLE: /home/eltech/www/passwd/.htpasswd as opposed to: /home/eltech/www/.htpasswd .. is that safer? if not, please advise.. thanks..

By default Apache won't show any files beginning with ".ht". So if your password file is named ".htpasswd", no one should be able to see it from http://your.address.com/~eltech/passwd/.htpasswd

Anyway, it might be safer to move the password file, e.g. to your home dir (/home/eltech/.htpasswd); this way outsiders can't see it if Apache is configured wrongly.

--

Janne

----------

## wjholden

I use some .htaccess/.htpasswd files, but using mod_auth_mysql made my life a lot easier.  If you have a MySQL database/server you might look into this.  Might not, but it's a thought.

----------

## eltech

thanks for the help guys..

----------

## eltech

OK, everyone got my .htaccess/.htpasswd situation fixed up and working well..

Now I will be adding users to be able to access my site, which is a blog and has RSS ability... what I'm worried about is users maybe sharing and linking to my site using the RSS feed by using a username and password, or even linking via http .. I've looked at some Google-presented pages, but not sure which I should really be looking at.

can anyone help me out with an idea?

I do plan to have the users pick new passwords monthly, but it might be useless given they can just adjust the new passwords on the linking sites.

much appreciated.

EDIT: I'm currently working with this..

```
# Must be on, otherwise none of the rules below run
RewriteEngine On

# Requests whose Referer is one of our own hosts (with or without a subdomain) are left alone
RewriteCond %{HTTP_REFERER} !^http(s)?://([a-z0-9-]+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://([a-z0-9-]+\.)?mysite\.net/ [NC]

# The next line is optional: with it, requests that send no Referer at all are let through
RewriteCond %{HTTP_REFERER} !^$

# Everything else is bounced to the front page
RewriteRule .* http://%{HTTP_HOST}/ [R,L]
```

----------
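The rewrite conditions from the post above, emulated in Python as an added example (not the thread's own code) so the effect of each RewriteCond can be checked against sample requests. It assumes the mysite.com/mysite.net hosts from the post and constructed Referer values; the last sample shows the spoofed-referer caveat adaptr raises later in the thread:

```python
import re

# Mirrors the two host RewriteConds; the `?` makes a bare mysite.com count
# as the site's own traffic, not only subdomains such as www.mysite.com.
OWN_SITE = re.compile(r"^https?://([a-z0-9-]+\.)?mysite\.(com|net)/", re.IGNORECASE)


def handle_request(host, referer, allow_empty_referer=True):
    """Emulate the rule: every RewriteCond must hold for the redirect to fire.

    Returns ("pass", None) when the request is served, or
    ("redirect", location) when the rule sends the client to the site root.
    """
    # Conds 1+2: the Referer is NOT one of our own hosts.
    foreign = OWN_SITE.search(referer) is None
    # Cond 3 (the "optional" line): an empty Referer is exempt while it is present.
    exempt = allow_empty_referer and referer == ""
    if foreign and not exempt:
        return ("redirect", f"http://{host}/")  # RewriteRule .* http://%{HTTP_HOST}/ [R,L]
    return ("pass", None)


# Constructed sample requests: a feed reader, a browser on the site, another
# site embedding the feed, and a scraper that simply forges its Referer.
SAMPLES = [
    ("feed reader, no Referer", ""),
    ("own page", "http://www.mysite.com/index.php"),
    ("other site embedding the feed", "http://other.example/members.html"),
    ("scraper with forged Referer", "http://www.mysite.com/"),
]

if __name__ == "__main__":
    for label, ref in SAMPLES:
        print(f"{label:32} -> {handle_request('www.mysite.com', ref)}")
```

The forged-Referer sample passes exactly like a real page view, which is why the check only deters casual hotlinking and cannot stand in for the password itself.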

## eltech

Bump Bump.  :Smile: 

----------

## wjholden

If I understand correctly, the problem you are experiencing is that a user could potentially create a hyperlink to your feeds in the form of http://username:password@yoursite.com ?  If people share passwords there isn't much hope of preventing outsiders from illegitimately accessing your site.  What is it that you are trying to accomplish?

----------

## eltech

*destuxor wrote:*

> If I understand correctly, the problem you are experiencing is that a user could potentially create a hyperlink to your feeds in the form of http://username:password@yoursite.com ?  If people share passwords there isn't much hope of preventing outsiders from illegitimately accessing your site.  What is it that you are trying to accomplish?

exactly as you stated it.. so I guess it's not possible.. ok .. thank you..

----------

## wjholden

I think it would be possible to disable links containing the actual username/password, and those regexps you had could work, I have never tried.  I googled for a few minutes and couldn't find anything about that.  I seem to recall that IE6 with SP2 disables that form of links per request, but a workaround exists and an increasing percentage of users are moving to Firefox so it does not help.  I would say if you are a programmer go through the Apache2 source code and find where it processes that form of a request, then edit the code to disable it.  I'd love to help but I'm busy now, perhaps I will take a glance tomorrow if I remember.

----------

## eltech

No, I'm not a programmer of any sort  :Smile:   .. I do appreciate your help; but it's not that urgent or important.. don't bother yourself..

the true fact is they won't be able to hotlink anyway unless they have a username and password, correct?

----------

## adaptr

Well, yesss... but the first time any of those links is actually used, the whole world knows the password, no ?

Seems pretty pointless then.

----------

## eltech

*adaptr wrote:*

> Well, yesss... but the first time any of those links is actually used, the whole world knows the password, no ?
> 
> Seems pretty pointless then.

umm .. I don't understand but, no one will be using them publicly, it's just a members site.. I was just asking to see if it was possible to add additional security to the site access by not, like, allowing http referer or something, so even if they used their uname and passwd it would post to any other site by doing a 'scrape', if you will, of my page..

no public will ever see the usernames and passwords .. dunno where you picked that up from..  :Smile:

as I said, it's ok .. I'm ok .. thank you to you guys.. much appreciated..

----------

## adaptr

You agreed with destuxor's statement that:

*Quote:*

> a user could potentially create a hyperlink to your feeds in the form of http://username:password@yoursite.com

This means that as soon as a user with a password actually uses that method to link to a page inside your password-protected site, the whole world will have access - through his account.

That was my point, and there is no simple way to prevent that, unless you are prepared to do referrer preprocessing, and even that can be trivially spoofed.

----------

## eltech

*adaptr wrote:*

> You agreed with destuxor's statement that:
> 
> *Quote:* a user could potentially create a hyperlink to your feeds in the form of http://username:password@yoursite.com
> 
> This means that as soon as a user with a password actually uses that method to link to a page inside your password-protected site, the whole world will have access - through his account.
> ...

right, meaning you can't block it.. if it could be blocked... and it can't and I understand that ..  :Confused:

----------

