Red Hat DIRECTORY SERVER 2.0 - GATEWAY User Manual Page 78

Chapter 10. Access control
What we need to know is how to set up the server so that userids and passwords are
known to the server and certain pages are flagged as requiring user authentication.
LoadModule auth_module modules/mod_auth.so
Figure 10-4. httpd.conf: Loading the user authentication module
To start with, we will need a module: auth_module. We will then specify a
mechanism to identify users and finally specify policies regarding which
identified users are allowed access.
So, first we need to identify users. This comes in two parts: the first involves setting
up userids and passwords at the server end and the second involves telling the web
server to use these for identifying users.
The userids and passwords are not the same as the login IDs. Indeed, they will often not
be login IDs at all. They are maintained with a distinct file which we will need tools
to manipulate. This file is traditionally called htpasswd though we have flexibility
regarding its name and location. A server administrator must also decide whether
to have a single password file for the whole server or one per virtual host (or even
for each subtree of the virtual host he wants to restrict access to). Granting a user a
userid and password does not automatically assign that userid rights to access pages
(though we can configure policy so that it does). In this example, we will work with
a single userid/password file for both virtual hosts. It’s a shortcoming of the Unix
permissions model that we cannot specify that a file should be writable by members
of either one group or another. We will use a webadmin group to control access to
this file. Note that the file should not be servable by the web server.
# groupadd -r webadmin
# usermod -G chalk,cheese,webadmin rjd4
# mkdir /etc/httpd/access
# chgrp webadmin /etc/httpd/access
# chmod g+ws /etc/httpd/access
# ls -ld /etc/httpd/access
drwxrwsr-x 2 root webadmin 4096 Apr 14 11:26 /etc/httpd/access
# touch /etc/httpd/access/passwd
# chmod g+w /etc/httpd/access/passwd
# ls -l /etc/httpd/access/passwd
-rw-rw-r-- 1 root webadmin 0 Apr 14 11:39 /etc/httpd/access/passwd
Figure 10-5. Creating a userid/password file and adding users
We make the directory writable rather than just the individual files to make life easier
for programs that move files about within directories for backing up.
$ htpasswd -m /etc/httpd/access/passwd rjd4
New password: password
Re-type new password: password
Adding password for user rjd4
$ cat /etc/httpd/access/passwd
rjd4:$apr1$kEDyP/..$n0DCjezTD.T.C.1s3td6..
Figure 10-6. Setting up users in the password file
htpasswd’s -m option causes the password file to use an MD5 encoding for the
password. This is better than the traditional (and default) crypt algorithm.
It makes the password much harder to reverse engineer from the file, but all
userid/password schemes are vulnerable to dictionary attacks, so it is
important that the password file cannot be downloaded, which makes this attack
much harder.
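The checks this section asks for (password file kept out of the served tree, not writable by everyone, entries stored with the MD5 encoding rather than crypt) can be scripted. The following is an added example, not part of the original manual; the function names, the temporary fixture paths and the alice entry are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an htpasswd-style file. Paths and sample entries are constructed.

# classify_hash HASH -> name of the encoding used for one entry
classify_hash() {
    case "$1" in
        '$apr1$'*)     echo apr1-md5 ;;  # written by htpasswd -m
        ?????????????) echo crypt ;;     # 13 characters: traditional crypt
        *)             echo other ;;
    esac
}

# audit_htpasswd FILE DOCROOT -> one finding per line on stdout, nothing if clean
audit_htpasswd() {
    file=$1; docroot=$2
    filedir=$(cd "$(dirname "$file")" && pwd -P)
    rootdir=$(cd "$docroot" && pwd -P)
    # The file must not sit inside the tree the web server serves.
    case "$filedir/" in
        "$rootdir/"*) echo "SERVABLE $file" ;;
    esac
    # Position 9 of the mode string is the "other" write bit.
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
        ????????w?) echo "WORLD-WRITABLE $file $mode" ;;
    esac
    # Report every entry that is not stored with the MD5 encoding.
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        [ "$scheme" = apr1-md5 ] || echo "WEAK $user $scheme"
    done < "$file"
    return 0
}

# make_fixture -> prints a temp dir holding a well-placed file and a badly placed one
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/html" "$d/access" || return 1
    printf '%s\n' 'rjd4:$apr1$kEDyP/..$n0DCjezTD.T.C.1s3td6..' > "$d/access/passwd"
    printf '%s\n' 'alice:abCONSTRUCTED' > "$d/html/passwd"   # constructed crypt-style entry
    chmod 664 "$d/access/passwd"; chmod 666 "$d/html/passwd"
    echo "$d"
}

d=$(make_fixture)
audit_htpasswd "$d/access/passwd" "$d/html"   # prints nothing
audit_htpasswd "$d/html/passwd" "$d/html"     # prints three findings
rm -rf "$d"
```

On a real server, call audit_htpasswd with the password file path and the DocumentRoot of each virtual host that could reach it.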