Password Protect Folders
Hi all
It's been some time since I've protected a folder on my server; it seems not to work for me.
I've been at it for hours. The protect box pops up, I put in my user and pass, and I get a 500 error.
Logs say AH01620: Could not open password file: /etc/apache2/.htpasswd
I've tried all types of ways and viewed many links, even went back over my own records, and I just can't seem to get it going.
Can anyone point me to a link that will explain and work? I'm using Ubuntu 14.4 server.
Quote:
sample of .htaccess file below, use note pad and save as ( .htaccess )
Seems simple enough, though it doesn't work with the phpmyadmin folder.
cheers
You can use phpmyadmin's config file in order to password protect it.
Open config.inc.php and add/edit/comment out the following:
Code:
/*
* This is needed for cookie based authentication to encrypt password in
* cookie
*/
$cfg['blowfish_secret'] = 'Just put some gibberish in here'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
Original Poster
Cheers for that bathory
Is there another way other than using cookies? It's just that I run CCleaner every night and it removes my cookies. Will that make a difference?
A couple of years ago I used a .htaccess with IP; my server sits right next to me.
In addition to phpmyadmin's built-in security, I also put it behind an apache auth security, so that the first page requires web login before even presenting the phpmyadmin login.
And no, removing cookies won't affect phpmyadmin's security, but they must be enabled in the browser for it to work. The software creates new session cookies every time, and (I think) removes them on logout anyway.
Oh! for
Quote:
Could not open password file: /etc/apache2/.htpasswd
...check the permissions on the /etc/apache2/.htpasswd -- my equivalent is owned by root and is chmod 644...although the .htpasswd file should be in the folder being protected, which wouldn't usually be in /etc/apache2, but in a folder in the DocumentRoot of the web server.
Quote:
Is there another way other than using cookies? It's just that I run CCleaner every night and it removes my cookies. Will that make a difference?
A couple of years ago I used a .htaccess with IP; my server sits right next to me.
cheers
As scasey said, the cookies expire when you leave phpmyadmin, so there is no problem if you delete them.
You can replace in auth_type 'cookie' with 'http', resulting in http authentication but using the credentials of mysql users.
AFAIK if you want to use the webserver http authorization through .htaccess and a password file, you must use auth_type 'config' and supply also in config.inc.php the mysql root/password in plain text!!!
An even stronger level of protection can be obtained by using mod_ssl "in reverse," so that the supplicant must himself possess a properly-signed certificate in order to access the location(s).
Quote:
AFAIK if you want to use the webserver http authorization through .htaccess and a password file, you must use auth_type 'config' and supply also in config.inc.php the mysql root/password in plain text!!!
Not exactly. I'm suggesting the auth_config in apache...nothing to do with anything php-based.
The password is encrypted and stored in a file not directly accessible from the web...with the location in the .htaccess file -- or, better, in the httpd.conf file. See the apache documentation.
Quote:
Not exactly. I'm suggesting the auth_config in apache...nothing to do with anything php-based.
The password is encrypted and stored in a file not directly accessible from the web...with the location in the .htaccess file -- or, better, in the httpd.conf file. See the apache documentation.
You misunderstood me.
What I've said to OP, is that if he wants to use the apache way, i.e. protect the folder with htpasswd, he must then supply the username/password of the mysql user in the phpmyadmin config file in plain text.
Of course the apache password is encrypted by htpasswd, but the mysql password is written in plain text in config.inc.php!
Quote:
You misunderstood me.
What I've said to OP, is that if he wants to use the apache way, i.e. protect the folder with htpasswd, he must then supply the username/password of the mysql user in the phpmyadmin config file in plain text.
Of course the apache password is encrypted by htpasswd, but the mysql password is written in plain text in config.inc.php!
Regards
I'm sorry...I don't agree. The mysql password is stored within the mysql database...encrypted. There is no userid or password in config.inc.php...at least not in my very secure installation of the tool.
My configuration uses "the apache way," as you've described, with a userid and encrypted password in a file in /usr/webauth (which directory and file is defined in the .htaccess file in the phpmyadmin directory). It is not the same userid or password that mysql uses (although it could be)...it is merely an apache auth to require login to even see the login page for phpmyadmin...it doesn't log into mysql automatically.
The OP commented that it didn't work with the phpmyadmin folder. I'm saying it should. The OP needs to review the Apache documentation to which I previously posted a link.
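A diagnostic for the AH01620 "Could not open password file" error discussed in this thread, added here as an example and not posted by any participant. It checks that the file named in AuthUserFile exists, that every parent directory is searchable and the file readable by the account running the script, and that the file sits outside the DocumentRoot, which is where the Apache documentation advises keeping it. The `www-data` account and the `/var/www/html` DocumentRoot are assumptions.

```shell
# Added diagnostic; run it as the account Apache runs under, for example
#   sudo -u www-data sh check_htpasswd.sh FILE DOCROOT
# (www-data is an assumption: it is Ubuntu's default Apache account).
# Returns 0 ok, 1 missing, 2 directory not searchable, 3 unreadable,
# 4 file is inside the DocumentRoot.
check_htpasswd() {
    file=$1
    docroot=$2

    # AH01620 is logged when Apache cannot open the AuthUserFile at all.
    [ -e "$file" ] || { echo "missing or unreachable: $file"; return 1; }

    # Resolve symlinks so the DocumentRoot comparison below is reliable.
    dir=$(cd "$(dirname "$file")" 2>/dev/null && pwd -P) ||
        { echo "cannot enter directory of $file"; return 2; }
    real=${dir%/}/$(basename "$file")

    # Every parent directory needs search (x) permission for this user.
    while [ "$dir" != / ]; do
        [ -x "$dir" ] || { echo "no search permission: $dir"; return 2; }
        dir=$(dirname "$dir")
    done

    [ -r "$file" ] || { echo "not readable by $(id -un): $file"; return 3; }

    # A password file under the DocumentRoot can end up being served.
    root=$(cd "$docroot" 2>/dev/null && pwd -P) || root=$docroot
    case $real in
        "${root%/}"/*) echo "inside DocumentRoot: $real"; return 4 ;;
    esac

    echo "ok: $real"
}

# Example: check_htpasswd /etc/apache2/.htpasswd /var/www/html
# (/var/www/html is an assumed DocumentRoot; use your own).
if [ "$#" -eq 2 ]; then
    check_htpasswd "$1" "$2"
fi
```

Running it as root hides permission problems, because root can read any file; run it as the web server account to see what Apache sees.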