Limit Access to your Web Pages


  • Limit by Computer Address
  • Limit by User/Password
  • Limit by User or Address
  • Troubleshooting .htaccess
  • How Safe is it?
  • More Info on .htaccess

    Occasionally, you might find the need to restrict access to part or all of
    your website. This can be done in one of three ways: limiting access by
    computer address, requiring a login ID and/or password before your page is
    accessible, or a combination of the two. There are cgi scripts for password
    protection (particularly if you want to restrict access to a single
    document), as well as javascript password routines (although we have found
    big security holes in a few of them). If you don't want to deal with
    programming, however, you can use .htaccess and .htpasswd. These are two
    files you create to designate the area (or "realm") you wish to protect,
    and/or to assign login IDs and passwords for individual students (or one
    global login ID and password which you could give to all of your students).

    To limit by computer address.

    1. Log in to your server account by SSH. You will be at the command prompt
    in your home directory.

    • PC users: If you don't have an SSH client, you can get one from
      http://shelf.doit.wisc.edu/securecrt/. You'll need to log in with your
      netID and fill out a form to download it.

      • Using Secure CRT to connect to your server:

        After it is installed, create a new session. (File, Connect,
        New Session [third icon from the left]).

        • Name: you can type anything you want.
        • Change the protocol to SSH2.
        • The host name is the name of your server. Examples: german.lss.wisc.edu,
          frit.lss.wisc.edu, ling.wisc.edu
        • Port should continue to be 22
        • Enter your username. This is whatever your server administrator
          has told you is your username.
        • Click OK.
      • To connect, just double click on the named session you created.
        You will be prompted to accept a certificate if this is the first
        time you connect, and you'll have to type in the password that your
        server administrator has created for you.
    • Mac OS X users: You have a built-in SSH client. It is called Terminal.
      You can find it in Applications, Utilities, Terminal. Open it and type
      this to connect: "ssh <your username>@<servername>".
      Example: Let's say I have a username of Harold on the IMP server. I
      might type "ssh harold@imp.lss.wisc.edu" to connect. You will be
      prompted for your password and may be asked to accept the certificate
      for that server.

    2. Change into the directory you want to restrict.

    • If this is your entire website, you would type cd public_html.
    • If you want to protect a subset of your website, create a directory
      (mkdir <name of new directory>) under public_html for the documents you
      want to be protected and then change directory (cd) over to that
      directory (cd <name of new directory>).

      • For example, if I wanted to limit access to a testing page called
        test1.html, I would first create a directory to put it in.

        mkdir public_html/tests

        and then move into that directory for the next step:

        cd public_html/tests

    3. Create the .htaccess file by typing nano .htaccess
    This will open a text editor called "nano" and a new file called
    ".htaccess". The dot in front of the file name means it will be hidden,
    which makes it a tad more secure. (Actually, you could call the file
    anything you wish, .htaccess is simply a convention.)

    4. Type the following lines as they appear below, including the spaces
    and case:

    <Limit GET POST PUT>
    order deny,allow
    deny from all
    allow from 144.92. 128.104. 146.151.
    </Limit>

    Note that there is no space after the comma in deny,allow on line 2, and
    that there are spaces between 144.92. and 128.104. and 146.151. on line 4.
    (Be sure to include the trailing dots after these numbers.) The numbers we
    allowed access from are the UW IP numbers. This will allow access only to
    UW faculty, staff, or students.

    To limit access to just a few computers, type the IP numbers of those
    particular computers instead on line 4, for example:

    allow from 144.92.165.9 144.92.115.122

    (Don't use commas between the numbers, just spaces.)

    5. Hit Ctrl-x and then y
    and then hit <Enter> to exit nano and
    save the file.

    6. Set permissions on your .htaccess file by typing at the prompt chmod
    644 .htaccess


    To Limit by user and/or password

    1. Log onto your <server> account by SSH.

    • PC users: If you don't have an SSH client, you can
      get one from http://shelf.doit.wisc.edu/securecrt/.
      You'll need to login with your netID and fill out a form to download
      it.

      • Using Secure CRT to connect to your server:

        After it is installed, create a new session.

        (File, Connect, New Session [third icon from the left]).

        • Name: you can type anything you want.
        • Change the protocol to SSH2.
        • The host name is the name of your server. Examples: german.lss.wisc.edu,
          frit.lss.wisc.edu, ling.wisc.edu
        • Port should continue to be 22
        • Enter your username. This is whatever your server administrator
          has told you is your username.
        • Click OK.
      • To connect, just double click on the named session you created.
        You will be prompted to accept a certificate if this is the first
        time you connect, and you'll have to type in the password that your
        server administrator has created for you.
    • Mac OS X users: You have a built-in SSH client. It is called Terminal.
      You can find it in Applications, Utilities, Terminal. Open it and type
      this to connect: "ssh <your username>@<servername>".
      Example: Let's say I have a username of Harold on the IMP server. I
      might type "ssh harold@imp.lss.wisc.edu" to connect. You will be
      prompted for your password and may be asked to accept the certificate
      for that server.

    2. Create the password file.

    • Type htpasswd -c .htpasswd username (where
      username is the login name you want someone to use and .htpasswd is
      the name of the password file to be created)
    • You will be prompted to create a password. For security and legal
      reasons you should avoid using student ID numbers for IDs or passwords.
    • The -c option is for creating the file initially; subsequent modifications
      should be done using htpasswd .htpasswd username.

    3. Determine the full directory path by typing pwd <Enter>
    (you will need to type this into the file you create next, so you might
    want to jot it down).

    4. Change into the directory you want to restrict.

    • If this is your entire website, you would type cd public_html.
    • If you want to protect a subdirectory under that, create the subdirectory
      (mkdir <name of new directory>) and then change directory
      (cd <name of new directory>) over to it. For example, if I wanted to
      limit access to a testing page called test1.html, I would first create
      a directory to put it in (mkdir public_html/tests) and move into that
      directory for the next step (cd public_html/tests).

    5. Create a .htaccess file in the directory to be protected by typing
    nano .htaccess This will open a text editor called "nano" and a new file
    called ".htaccess". The dot in front of the file name means it will be
    hidden, which makes it a tad more secure. (Actually, you could call the
    file anything you wish, .htaccess is simply a convention.)

    6. Type the following lines as they appear below, including spaces and
    case.

    AuthUserFile full-path-to-the-.htpasswd-file/.htpasswd
    AuthName name-of-the-protected-directory
    AuthGroupFile /dev/null
    AuthType Basic
    <Limit GET POST PUT>
    require valid-user
    </Limit>

    Full-path-to-the-.htpasswd-file, and name-of-the-protected-directory
    should be substituted appropriately.

    Name-of-the-protected-directory can be substituted with anything
    you want really (it's what will show up in the title bar of the dialog
    box asking people for their login ID and password). By convention it is
    just the directory name.

    There should be no space between the path in line 1 and /.htpasswd (or
    whatever you have called your password file).

    "valid-user" tells the server to accept any username listed in the
    .htpasswd file (provided the matching password is given).

    You could, if you wish, restrict it to only one or several names in that
    file by listing the usernames themselves instead of valid-user (with a
    space between each) such as: require user karen bruno

    7. Hit Ctrl-x and then y and
    <Enter> to exit nano and save the file.

    8. Set permissions on your .htaccess file by typing at the prompt chmod
    644 .htaccess
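As an added example (not part of this tutorial), the Python below models what the steps above produce and consume: the line htpasswd writes into .htpasswd, what htpasswd .htpasswd username without -c does to an existing file, how the server then checks a submitted password against that file, and what the browser actually sends in its Authorization header (the point the "How safe is it?" section makes further down). It implements only the {SHA} entry format that htpasswd -s produces, not the default MD5-based format, and the usernames and passwords in it are constructed for the example.

```python
import base64
import hashlib
import secrets

# Added example, not from the tutorial: a model of the .htpasswd file and of
# HTTP Basic credentials. Only the {SHA} entry format (what `htpasswd -s`
# writes) is implemented; entries in any other format are rejected.


def sha_entry(username: str, password: str) -> str:
    """Return the .htpasswd line `htpasswd -s` would write for this user."""
    if ":" in username:
        raise ValueError("a username may not contain ':'")  # ':' separates the two fields
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def add_or_replace(htpasswd_text: str, username: str, password: str) -> str:
    """Mimic `htpasswd .htpasswd username` (no -c): replace the user's line if it
    exists, otherwise append one. Lines for other users are kept unchanged."""
    kept = [ln for ln in htpasswd_text.splitlines() if ln.split(":", 1)[0] != username]
    kept.append(sha_entry(username, password))
    return "\n".join(kept) + "\n"


def remove_user(htpasswd_text: str, username: str) -> str:
    """The 'delete the line' step from the troubleshooting list, done by program."""
    kept = [ln for ln in htpasswd_text.splitlines() if ln.split(":", 1)[0] != username]
    return "\n".join(kept) + ("\n" if kept else "")


def parse_htpasswd(htpasswd_text: str) -> dict[str, str]:
    """Map each username to its stored hash field."""
    entries = {}
    for ln in htpasswd_text.splitlines():
        if ":" in ln:
            user, stored = ln.split(":", 1)
            entries[user] = stored
    return entries


def check_password(entries: dict[str, str], username: str, password: str) -> bool:
    """What the server does with the decoded Basic credentials."""
    stored = entries.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash format this example does not handle
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return secrets.compare_digest(stored[len("{SHA}"):], expected)


def decode_basic_authorization(header_value: str) -> tuple[str, str]:
    """Recover user and password from an 'Authorization: Basic ...' header value.
    Base64 is an encoding, not encryption: whoever can read the request reads both."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample: two users created the way steps 2 above describe.
    text = add_or_replace("", "karen", "correct horse")
    text = add_or_replace(text, "bruno", "battery staple")
    print(text)
    entries = parse_htpasswd(text)
    print(check_password(entries, "karen", "correct horse"))  # True
    print(decode_basic_authorization("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

The last call decodes the example credentials from the HTTP Basic specification; it shows why the tutorial warns against using student IDs as passwords and why the .htpasswd file itself should not sit under public_html.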


    Limiting by address OR user

    You can limit access to someone either on the Madison campus OR limit
    by requiring a valid login ID and password by making use of the "satisfy"
    directive. This would be useful in situations where you generally want
    to limit access to campus, but you also want access to your website when
    you are out of town.

    1. Follow the directions above (in "To Limit by User") to
    create your .htpasswd file.

    2. Follow the directions above (in "To Limit by computer address")
    to create your .htaccess file, but substitute the following lines for
    the <Limit ...> ... </Limit> lines:

    order deny,allow
    deny from all
    allow from 144.92. 128.104. 146.151.
    require valid-user
    satisfy any

    3. Note: there is no space between deny, and allow
    in the first line.


    Troubleshooting .htaccess

    • Note that the word "htpasswd" is not "htpassword"
    • There is a space between AuthUserFile and the full path name, but
      no space between the path and /filename
    • There is a space between "htpasswd" and "-c"
    • Remember that the command to add names to the .htpasswd file is htpasswd
      .htpasswd username (with no "-c"). If you want to delete names
      from the file, you can bring the file into the pico editor and delete
      the line with the user's name.
    • Be sure you use "valid-user" in the .htaccess file or that
      the usernames you list appear exactly the same as they appear in the
      .htpasswd file.
    • Check your capitalization in your .htaccess file. It should be <Limit>
      not <limit>.
    • Make sure your .htaccess file resides in the directory in which you
      have placed the documents you want to protect.
    • Be sure to set permissions on your .htaccess file using chmod 644
      .htaccess
    • Be sure to set permissions on your .htpasswd file using chmod 644
      .htpasswd
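As an added example (not part of the tutorial), here is a small checker that runs the items from the troubleshooting list above against the text of a .htaccess file and, optionally, the matching .htpasswd file: the htpassword misspelling, a space inside the AuthUserFile path or a path that is not absolute, <limit> written in lower case (the tutorial's rule; the check follows it), a space after the comma in order deny,allow, commas instead of spaces in an allow/deny list, a malformed require line, and require user names that do not appear exactly in .htpasswd. The two sample files are constructed for the example.

```python
import re

# Added example, not from the tutorial: a linter for the mistakes listed in the
# "Troubleshooting .htaccess" section. It works on file text, not on a server.


def lint_htaccess(htaccess_text: str, htpasswd_text: str = "") -> list[str]:
    """Return one human-readable problem per mistake found (empty list = clean).
    htpasswd_text, when given, lets 'require user ...' names be cross-checked."""
    known_users = {ln.split(":", 1)[0] for ln in htpasswd_text.splitlines() if ":" in ln}
    problems = []
    has_auth_user_file = has_require = False

    for n, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if "htpassword" in low:
            problems.append(f"line {n}: the file is called .htpasswd, not .htpassword")
        if low.startswith("<limit") or low.startswith("</limit"):
            if "Limit" not in line:
                problems.append(f"line {n}: write <Limit> (and </Limit>), not <limit>")
        if low.startswith("authuserfile"):
            has_auth_user_file = True
            parts = line.split(None, 1)
            path = parts[1] if len(parts) == 2 else ""
            if not path.startswith("/"):
                problems.append(f"line {n}: AuthUserFile needs the full path shown by pwd")
            elif " " in path:
                problems.append(f"line {n}: no space between the directory path and /.htpasswd")
        if low.startswith("order") and re.search(r",\s", line):
            problems.append(f"line {n}: no space after the comma in 'order deny,allow'")
        if low.startswith(("allow from", "deny from")) and "," in line:
            problems.append(f"line {n}: separate addresses with spaces, not commas")
        if low.startswith("require"):
            has_require = True
            words = line.split()
            if len(words) < 2 or words[1] not in ("valid-user", "user"):
                problems.append(f"line {n}: use 'require valid-user' or 'require user name1 name2'")
            elif words[1] == "user" and htpasswd_text:
                for name in words[2:]:
                    if name not in known_users:
                        problems.append(f"line {n}: user '{name}' is not in .htpasswd (names must match exactly)")

    if has_auth_user_file and not has_require:
        problems.append("AuthUserFile is set but there is no 'require' line, so nobody is asked to log in")
    return problems


# Constructed samples: one file with several of the listed mistakes, one clean file.
BAD_HTACCESS = """AuthUserFile /home/karen /.htpasswd
AuthName tests
AuthGroupFile /dev/null
AuthType Basic
<limit GET POST PUT>
order deny, allow
deny from all
allow from 144.92.,128.104.
require user karen sara
</limit>
"""

GOOD_HTACCESS = """AuthUserFile /home/karen/.htpasswd
AuthName tests
AuthGroupFile /dev/null
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
"""

SAMPLE_HTPASSWD = "karen:{SHA}placeholder-hash\nbruno:{SHA}placeholder-hash\n"

if __name__ == "__main__":
    for problem in lint_htaccess(BAD_HTACCESS, SAMPLE_HTPASSWD):
        print(problem)
    print("clean file:", lint_htaccess(GOOD_HTACCESS, SAMPLE_HTPASSWD))  # clean file: []
```

Run it with the text of your own two files; an empty list means none of the listed mistakes is present, which does not by itself prove the file works, but it removes the usual suspects before you ask for help.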


    How safe is it?

    The Basic authentication scheme (the one used here) transmits passwords
    across the Internet unencrypted, so they could be, in theory, intercepted.
    For this reason (and others) it is not good practice to use student IDs
    as login IDs or passwords.

    That being said, the username and password are as secure as any
    username/password system, in that end-users should not tell others their
    password, or write it down, or make it easily guessable. .htpasswd is a
    plain text file, and even though the passwords in it are encrypted, they
    are not completely safe against decryption, so the file should reside in
    your /home directory - not in your /home/public_html directory where it
    would be accessible to other users on the system.

    Additionally, if you want to use the new Web Initial Sign On (WebISO)
    system, you can have your students sign on to your website using their
    netID. This isn't something you can do yourself, but if you want
    to discuss this as an option for your class website, please contact Bruno
    Browning at bruno@lss.wisc.edu.

    Lastly, if security needs to be really tight, we can set your website
    to use Secure Sockets Layer. In this technique, we can set your website
    so that users authenticate securely with a certificate which they are
    prompted to accept. You may have seen this when accessing secure sites
    such as online shopping sites or your bank. If you are interested in discussing
    this, please contact Bruno Browning at bruno@lss.wisc.edu.


    More info on .htaccess

    For more information on how to set up user authentication, see the NCSA
    Tutorial at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
    or Apache Week's special article at http://www.apacheweek.com/features/userauth


    Created by Karen Tusack (karen@lss.wisc.edu)

    Updated by Sara Ziemendorf (sara@lss.wisc.edu)