Skip to content Skip to navigation

Security Notes

Introduction

The security of user auth passwords as they get passed over the network is not absolute. Even though they're "uuencoded," a determined person with the right technology can probably still figure them out. Of course, if your page contains something a hacker would go to that much trouble to obtain, you shouldn't be protecting it via "Basic" authentication; you may not even want it on the web at all.

Do not select a password that you use for any other purposes: the security of those other systems will be compromised if you do. In particular, do not use SUNet ID passwords. Remind your users of this when they choose their passwords for accessing your directories.

Your .htpasswd and .htgroup files are just files; as such, they can be opened and read by anyone who knows where to find them online. People who find these files will be able to see not just the names of your valid users but their encrypted passwords as well. Fortunately, there's no need for you to put these files in your "WWW" directory (where they might be accessible even over the web). The following steps will help protect your password and group files:

Put password and group files in a web-inaccessible directory

Make a special directory outside your WWW hierarchy (for example, in your AFS home directory) where you can hide web-related files you don't want others to see. Browsers will not be able to get at files outside your WWW hierarchy. You could, for example, create a separate directory for these files in "/afs/ir/users/y/o/yourname/web".

Set the AFS perms

Limit AFS access to this directory so just you and the server can get in. Type:

fs setacl dir system:www-servers read

where dir is the name of the directory you have created or chosen for hiding your web-related files.

Now remove permissions from system:anyuser and system:authuser by typing the following two commands:

fs setacl dir system:anyuser none

fs setacl dir system:authuser none

More security

You can also give password and group files different names - .htpasswd and .htgroup are just suggested, default names. Remember to specify the correct names in the AuthUserFile and AuthGroupFile directives in your .htaccess file.

Last modified March 28, 2012