Sir,
I gone through
"http://stackoverflow.com/questions/4736413/apache-htpasswd-secure-password-change/7421052#7421052" link. It is confusing, So could anybody please clarify these below doubts
1) # ls -la .htpasswd -rw-r--r-- 1 www-data root 18 10. Mai 16:30 .htpasswd
For above file, should we create it under /var/www in the webserver? and this file is nothing but the same in which we are copying that bash shell script. isn't it?

2) # cat .ssh/authorized_keys
command="/var/www/.htpasswd.sh" ssh-rsa AAAA... user@host
The 2nd one is not clear. Should we do this in the web server or in every client machine. Could you please show me with some example. Because I copied as it is but it is not working. what about "AAAA... user@host", should we type AAAA... also and user@host means who and which. I added as "roopa@192.168.0.3"(which is the client PC username and IP address) in .ssh/authorized_keys under root's home directory of the web server, and ran "ssh apache@localhost" and ran "ssh apche@(webserverIP) from the client machine. I got connection refused error for 1st one, asking apache password for 2nd one. I gave username as apache because I am running centos(web server) and home dirctory of apache is /var/www. So I could not understand and I request you to explain with full details.

3) As per script I saw mkpasswd. I ran in both ubuntu & cent OS as "whereis mkpasswd". I neither found the path in cent OS nor in ubuntu. Is it additional package and should it be installed before doing these all things?
I request you all to clarify the above doubts or post some url links which gives step by step information to enable users to change their htpasswd password.
I will be waiting for your kind reply.

Correct.


No. The shell script in the post is "/var/www/.htpasswd.sh" but I would advice you to place it as /usr/local/bin/htpasswd.sh instead.


* First of all you do not use root to SSH into the machine! If you do that currently, correct that mistake before doing anything else: create an unprivileged user, set it up to use 'sudo', then reconfigure /etc/ssh/sshd_config to deny root access.
** Secondly they talk about adding accounts for unprivileged users to the web server user. I would advice against that as the Apache web server user should not be allowed a functional shell and SSH access. Instead set up sudo for any unprivileged user to execute '/usr/local/bin/htpasswd.sh' as user httpd (or user www-data, www or apache depending on your distro). You set the command="/usr/bin/sudo -u httpd /usr/local/bin/htpasswd.sh" part in each unprivileged users account on the server. So for example for user "unspawn" open up /home/unspawn/.ssh/authorized_keys and find the key
and change it to . That also explains the ""AAAA... user@host"" part (it's the SSH key). Note when adding the command this key can not be used for anything else anymore.


mkpasswd is in the "expect" package.

You might also want to look into Usermin for this purpose. The "Custom Commands" module may fit the bill (i.e. point it to a script which accepts a password argument).