
HTTP Basic Authentication explained


.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.
                HTTP Basic Authentication explained by Wyzewun
.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.

If you have ever had an experience where your browser has popped up a window
containing a message something to the effect of...

Username and Password Required
Enter username for secret-pr0n-archive at www.posthuman.za.net

... then you have come into contact with a server that uses HTTP Basic
Authentication. This is probably the most common method of protecting access
to non-public documents on webservers and works exactly the same way on all
webservers. Also note that my example banner is from Netscape - other browsers
will vary - but the idea remains the same. Just make sure not to get confused
between this and fake "authentication" systems like client-side JavaScript
"logins" that simply redirect to whatever directory name you type in as the
password.

Basically, we know a server is using this scheme if we get an HTTP 401 response
when we give the wrong password, or don't supply one. So if when trying to
access http://www.posthuman.za.net/pr0n you get a 401 you know you need a
login and password to access it. Okay, so we know we can't access Post-Human's
neato Goat Porn archive. But if we could, what would the request look like?

GET /pr0n HTTP/1.1
Host: www.posthuman.za.net
Authorization: Basic Z2hheS5qdXplcjpleWV5YW1zb2xlZXQ=

So should we pick this up in our sniffer logs, it's useless, coz it's encrypted,
right? Errr... Nope. That's Base64 encoding, not encryption, duh. :) All we
need to do to decode this is a little bit of Perl like this...

use MIME::Base64;
print decode_base64("Z2hheS5qdXplcjpleWV5YW1zb2xlZXQ="), "\n";

Oh, and if ya don't have the MIME::Base64 module you can download it from
http://www.perl.com/CPAN - it's used for e-mail handling stuff, but can prove
useful for causes such as this one. :) Anyway, when decoding that we see it
really said "ghay.juzer:eyeyamsoleet" - that being the username, followed by a
colon, and then password. In plain text!
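Here is the same decode done in Python, as an added example of mine (it is not
from the original article). It builds the header the way a browser does, parses
it back splitting on the FIRST colon only (a password may itself contain a
colon, a username may not), and then scans a handful of constructed request
lines - not real sniffer output - to report which accounts went over the wire
in the clear and need their passwords changed. The function names and the
sample lines are my own.

```python
import base64
import binascii

# Constructed sample of request lines as a sniffer on a plaintext HTTP link
# would see them (not real traffic). The second Basic header carries the
# credentials joe:p4ss:w0rd, whose password itself contains a colon.
SAMPLE_REQUEST_LINES = [
    "GET /pr0n HTTP/1.1",
    "Host: www.posthuman.za.net",
    "Authorization: Basic Z2hheS5qdXplcjpleWV5YW1zb2xlZXQ=",
    "GET /index.html HTTP/1.1",
    "Authorization: Basic am9lOnA0c3M6dzByZA==",
    "Authorization: Basic not*base64*",
    "Authorization: Bearer sometoken",
]


def build_basic_authorization(user, password):
    """Build the header value a browser sends: 'Basic ' + base64(user:pass).

    A colon in the user-id would make the decoded string ambiguous, so the
    Basic scheme forbids it; we refuse rather than produce a bad header.
    """
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_authorization(header_value):
    """Decode a 'Basic <base64>' header value into (user, password).

    Returns None when the scheme is not Basic, the payload is not valid
    base64, or no colon separates user from password. The split is on the
    FIRST colon only, because passwords may legitimately contain colons.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def exposed_usernames(lines):
    """Scan captured plaintext request lines for Basic credentials.

    Returns the usernames found, in order. Passwords are deliberately not
    returned so the report can be handed around without re-exposing them;
    the point is to know which accounts need their password changed.
    """
    found = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            creds = parse_basic_authorization(value)
            if creds is not None:
                found.append(creds[0])
    return found


if __name__ == "__main__":
    print(build_basic_authorization("ghay.juzer", "eyeyamsoleet"))
    print(exposed_usernames(SAMPLE_REQUEST_LINES))
```

Run it as a script to see the header for the article's user and the list of
exposed usernames from the sample. The "not*base64*" line shows why validate=True
matters: a malformed header is reported as nothing rather than as garbage.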

So we know that HTTP Basic Authentication offers no real security, but perhaps
we want to implement it for something where a low level of security is good
enough, or just as something to do on a rainy day to see how it's done. So
this is how to set it up under Apache...

First off, we need to create a password file, which also puts the first user
in it. We do that using the htpasswd command like so (-c creates the file, so
only use it once - running it with -c again wipes the existing file)...

[admin@kung-fusion]# htpasswd -c /etc/httpd/conf/passwh0rdz ghay.juzer

We then add more users to it like so...

[admin@kung-fusion]# htpasswd /etc/httpd/conf/passwh0rdz jhaypee

Either way you will be prompted to enter the chosen password twice, and the
results will be stored in /etc/httpd/conf/passwh0rdz like so...

ghay.juzer:tM0.PnhfVy76k

Btw, in case ya can't see - that's a traditional crypt(3) DES password hash
over there. That file is also world readable, so it may cause you a bit of
hassle if you don't set up Basic HTTP Authentication correctly. What I mean by
that is make sure there are *no* common passwords, and preferably no common
usernames either, between these users and people with shell accounts, access
to your FTP daemon etc.

Anyway, so we now have a password file, and we need to set up the directory to
protect. So we add a block like this to /etc/httpd/conf/srm.conf

<Directory /home/httpd/www.posthuman.za.net/pr0n>
  AuthType Basic
  AuthName secret-pr0n-archive
  AuthUserFile /etc/httpd/conf/passwh0rdz
  require valid-user
</Directory>

The AuthName is what gave the name to the Netscape banner I showed you at the
beginning of this article. AuthType is Basic (as opposed to other, more
secure authentication methods like "Digest" which are great but haven't been
implemented by any browsers yet.) AuthUserFile is where our passwd file is.
And instead of "require valid-user", we could limit access to this directory
to only certain users in the passwd file with "require user". So in a passwd
file containing ghay.juzer, jhaypee, warez.mastah and seckzdonkey, we could
say...

  require user ghay.juzer warez.mastah seckzdonkey

..so that jhaypee could not steal our z3r0-d4y k0d3z even though we put him
in the passwd file!@#$ Phj34r!@#$ :P
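As an added example of mine (not the article's), here is a small Python audit
covering the two warnings above and the require directive: it parses an
htpasswd file, checks whether the file is world readable, flags usernames that
are shared with the box's shell accounts, and resolves which users a
"require valid-user" or "require user ..." line actually admits. The htpasswd
contents, the 13-character hash placeholders and the SHELL_USERS list are
constructed for the example (the placeholders are not real hashes and the
script does not verify passwords); the function names are my own.

```python
import os
import stat
import tempfile

# Constructed htpasswd contents: the hash fields are placeholders in the
# 13-character crypt(3) shape, not real hashes of any password.
HTPASSWD_SAMPLE = """\
ghay.juzer:xxPLACEHOLDR1
jhaypee:xxPLACEHOLDR2
warez.mastah:xxPLACEHOLDR3
seckzdonkey:xxPLACEHOLDR4
"""

# Constructed stand-in for the usernames found in /etc/passwd on the box.
SHELL_USERS = ["root", "admin", "jhaypee", "seckzdonkey"]


def parse_htpasswd(text):
    """Return {username: hashfield} for an Apache htpasswd file body."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, hashed = line.partition(":")
        if sep:
            users[name] = hashed
    return users


def allowed_users(require_directive, htpasswd_users):
    """Resolve an Apache 'require' line to the set of usernames it admits.

    'require valid-user' admits everyone in the file; 'require user a b c'
    admits only the listed names, and only if they are present in the file.
    """
    parts = require_directive.split()
    if len(parts) < 2 or parts[0] != "require":
        raise ValueError("not a require directive")
    if parts[1] == "valid-user":
        return set(htpasswd_users)
    if parts[1] == "user":
        return set(parts[2:]) & set(htpasswd_users)
    raise ValueError("unsupported require type: " + parts[1])


def audit_htpasswd(path, shell_users):
    """Report the two hygiene problems the article warns about for one file."""
    mode = os.stat(path).st_mode
    with open(path) as fh:
        users = parse_htpasswd(fh.read())
    return {
        "world_readable": bool(mode & stat.S_IROTH),
        "shared_usernames": sorted(set(users) & set(shell_users)),
        "users": sorted(users),
    }


def audit_sample(mode):
    """Write HTPASSWD_SAMPLE to a temp file with the given mode, audit it,
    and clean up. Returns the audit result dict."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(HTPASSWD_SAMPLE)
        os.chmod(path, mode)
        return audit_htpasswd(path, SHELL_USERS)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(audit_sample(0o644))
    users = parse_htpasswd(HTPASSWD_SAMPLE)
    print(sorted(allowed_users("require user ghay.juzer warez.mastah seckzdonkey", users)))
```

Running it shows the 0644 file flagged as world readable and jhaypee and
seckzdonkey flagged as names that also have shell accounts; the require line
from the article admits three users and leaves jhaypee out even though he is in
the file.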

I would include how to do this under IIS5 as well but I don't have NT yet. :(
Maybe I'll get a nice big fan, overclock my Celeron 300A to 450 or something 
similarly insane, chuck in another 32MB of RAM so I have 64MB, and then 
dual-boot NT5 and Solaris x86 on it. That would be nice, because I really 
need to start playing with NT locally more often and because Solaris is just 
plain elite - especially if I'm going to be playing with Java. Hmm, NT5 will
probably be quite a bitch though, coz although it's more stable than 9x, it
wants decent hardware. :( Oh well, I'll just give it a shot, and if it runs
like shit - it'll just have to come off again. Heh, I'll probably end up just
sticking with fBSD 3.3 and *shudder* Win98.

I'm digressing badly here, and the article is basically finished. :) Anyway,
that was, in a nutshell, HTTP Basic Authentication, why it sucks, and how you
can have it if you want it anyway. Hope it was of some use to you...
