LinuxQuestions.org
Old 07-06-2004, 06:17 PM   #1
AZDAVE
Member
 
Registered: Aug 2003
Posts: 82

Rep: Reputation: 15
setting up password protected web forms on an apache web server


Good day,
There has been some talk about setting up some password protected forms on our web server. This seems a bit scary. Before I start into the pros and cons of this idea, I wanted to know if it was possible and where I could go to get some instructions on how to handle this. I am running an Apache web server. Has anybody performed this on a web server? A little help on this would be nice. Thank you.
 
Old 07-06-2004, 09:22 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Doing something like htaccess is pretty straightforward to set up. Once you set it up, a user would navigate to the page with the web form on it; before being granted access to the form, a standard username/password combo-box pops up. Once the user authenticates, the page loads and they can access the web form. There is a pretty good howto on basic Apache authentication here:

http://httpd.apache.org/docs-2.0/howto/auth.html

More complex authentication mechanisms, such as db authentication, are available with Apache as well.
 
Old 07-07-2004, 10:31 AM   #3
AZDAVE
Member
 
Registered: Aug 2003
Posts: 82

Original Poster
Rep: Reputation: 15
Thanks... I don't know the security risks involved but it seems that it would open up some holes. Do you know of any security issues with .htaccess? I really don't want to set up accounts on the server for people to access a form. The only users I have set up are webmasters and they only have access to their web sites. Thanks again for any ideas you can give me.
 
Old 07-07-2004, 01:03 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Basic htaccess transmits the passwords in plain-text, which is not particularly great. A step up from that would be to use digest mode, where an md5 hash of the password is generated and transmitted over the internet rather than the password itself. The downside of that is that not all browsers support md5 encryption (all of the major ones like IE, Netscape, Mozilla, Opera, etc. do have support). To increase security even further, you could use https.

If you want to put the web form on serious lock down and get draconian for whatever reason, you could use radius authentication or a mandatory VPN.

There are also various third-party Apache modules available that support other authentication types like Kerberos, LDAP, PAM, etc.

Here is a good overview of the basic Apache authentication types and the security implications of each:
http://httpd.apache.org/docs/howto/auth.html
 
  

