I installed .htaccess in our members directory,

Example -

AuthUserFile /home/domain/html/members/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
AuthName "Domain [Members ONLY]"

<LIMIT GET POST>
require valid-user
</LIMIT>

To create a password, I have this

$passfile = "/home/domain/html/members/.htpasswd";

srand( time() ^ ($$ + ($$ << 15)) );
@salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
$salt = join '', @salt_chars[rand 64, rand 64];
$encrypted = crypt($in{password}, $salt);

open (pass, ">>$passfile");
flock pass, 2;
print pass "$in{username}:$encrypted";
close(pass);

And yet, the password dialog box shows up, the passwords are written to the file but no password ever works, always get a 401 error message.

Any ideas?

Try replacing.....

$encrypted = crypt($in{password}, $salt);

open (pass, ">>$passfile");
flock pass, 2;
print pass "$in{username}:$encrypted";
close(pass);


with.....

$encrypted = crypt($in{'password'}, MM);
open (pass, ">>$passfile");
flock pass, 2;
print pass "$in{'username'}:$encrypted";
close(pass);

Paul Wilson.
Installations:
http://www.wiredon.net/gt/

$encrypted = crypt ($in{'password'}, salt());
sub salt { return join '', ('.', '/',0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64] };

'Infinitely' more secure than seeding with MM.

Inbuco - Change:
print pass "$in{username}:$encrypted";

To:
print pass "$in{username}:$encrypted\n";



Dan

LotusLand
Vancouver, BC, Canada
Top Ranked City in World for Quality of Life

I fixed the salt issue but again, the issue is not with security but rather that it's not working.

Is their anyway to test the .htaccess so that you can make sure it's seeing the content of .htpasswd?

Does this mean anything? I noticed that on the server, the following modules are installed,

Crypt::Blowfish and Crypt::DES

Could this be doing something to the crypt command?

Could it be something in httpd.conf?

Any advice?

Hi:

Did you edit the script to add \n (new line) to the end of each username:password entry?



Dan

LotusLand
Vancouver, BC, Canada
Top Ranked City in World for Quality of Life

Yes.

Even to start, I just had 1 password and username in the file and still doesn't work.

Any ideas?

Hi:

Could be so many things. Are you hosted on a Cobalt RAQ box? And the Crypt modules you list are not referenced in your code so they can be ignored. Post the username:encrypted_password entry exactly from the password file, along with the password unencrypted.



Dan

LotusLand
Vancouver, BC, Canada
Top Ranked City in World for Quality of Life

Not a RAQ system, strictly Unix.

I have done this many times on many servers, that's why this is really bothering me.

Encrypted
Test@test.com:MMkPN1P3QPnrw

Not Encrypted
Test@test.com:Test

See anything wrong?

Is their a way to make sure that the .htpasswd file is being read?

Hi:

The username and password are valid as I tested them on my server. Possible problems:

1. Error in .htaccess file - wrong path to password file or typo?
2. You are not entering username and/or password correctly. It is case-sensitive - Test and not test.
3. .htaccess not allowed in the directory you are using it.



Dan

LotusLand
Vancouver, BC, Canada
Top Ranked City in World for Quality of Life

Thanks for all the help, but . . .

> 1. Error in .htaccess file - wrong path to password file or typo?

The path is correct. We have multiple servers and just moved over the exact files and locations and it worked on the second server but we need it working on this server, so just as it worked on yours, it should work on ours but does not.

> 2. You are not entering username and/or password correctly. It is case-sensitive - Test and not test.

Tried that.

> 3. .htaccess not allowed in the directory you are using it.

Now that's why I don't understand.

The dialog box comes up with the correct information so I assume it works.

Is their a way to make sure that the server is seeing the .htpasswd file?

This is a dedicated server so I can do what needs to be done, any ideas?

Hi:

If .htaccess and password file okay, then there is another (server configuration?) issue - one I cannot help you with. I'd suggest that you contact your web host.


Dan

LotusLand
Vancouver, BC, Canada
Top Ranked City in World for Quality of Life

Well, it took days of work and $100.00 in fees but the hosting company got back to me and said that the file needs to be in the following format.

AuthName "Members ONLY"
AuthType Basic
AuthPAM_Enabled off
AuthUserFile /home/domain/html/members/.htpasswd
require valid-user

Can anyone explain why this is?

Also, do they have a right to charge us for this?

I don't think they should charge you. It was them that supplied too little information about the .htaccess protection, and even my password generator script could have generated those files for you with no problems at all. Don't see how they can expect you to pay $100, and lots of your time, for something so simple...

Andy

webmaster@ace-installer.com
http://www.ace-installer.com

Youradds......your scripts wouldn't have solved that problem at all.

Inbuco - If your host charges $100 to tell you how to use .htaccess then I suggest you find a new host. That is pretty disgraceful. Why did it take them 2 days to come up with those 10-15 lines?



Paul Wilson.
Installations:
http://www.wiredon.net/gt/

The 'AuthPAM_Enabled off' line is usually used on Cobalt boxes which is why I asked earlier if you were. My apologies! I should have got you to add that line and try it. Unless it is specifically stipulated in your hosting agreement, I wouldn't pay the $100 - although you would probably be kicked off. But it may be best as I'd recommend finding a new host. To charge for this (especially $100) is insane! Otherwise, prepare to open your wallet again and again.


Dan

LotusLand
Vancouver, BC, Canada
Top Ranked City in World for Quality of Life

Hi,

Im on a RAQ4 and I don't need that line in my .htaccess file!


Paul Wilson.
Installations:
http://www.wiredon.net/gt/

Hi Paul:

I didn't say all but 'usually' it is the case - at least the few dozen RAQ (RAQ3 mind you) boxes I've done installations on that involved setting up .htaccess.


Dan

LotusLand
Vancouver, BC, Canada
Top Ranked City in World for Quality of Life

Why wouldn't my 'Ace Password' (http://www.ace-installer.com/acepassword.php) have sorted that out? Were you refering to the admin mod i wrote for Links 2?

Andy

webmaster@ace-installer.com
http://www.ace-installer.com

Well obviously it will work now you added the extra line of code after reading this thread.

You may want to correct the syntax though

if ($FORM{cobalt} ne 1) {
$cobalt = ""
} else {
$cobalt= "AuthPAM_enabled off"
}
;

That will produce an internal server error!!



Paul Wilson.
Installations:
http://www.wiredon.net/gt/

I resent that. That line was added several months ago to my script...so don't accuse me of 'adding' it even though it was there already a long time ago....well before this post....

Andy

webmaster@ace-installer.com
http://www.ace-installer.com

And no, it doesn't produce an IS 500 Error...

Andy

webmaster@ace-installer.com
http://www.ace-installer.com

I think you will find it does.

That code will produce an internal server error.



Paul Wilson.
Installations:
http://www.wiredon.net/gt/

Well, actually, it seems that ';' may be ignored when only a single action is being peformed within each segment of an if/else statement.

Run this script:
This works fine, however, ignoring ';' will potentially cause problems...

Add this:
After this:
and run the program again.

Happy Coding,

--Drew
http://www.FindingHim.com

Hmm I always thought the ; had to be there.

I see what you are saying though but it still isn't the best way of writing it is it?


Paul Wilson.
Installations:
http://www.wiredon.net/gt/

My point exactly. It appears acceptable, yet is definately bad practice, IMHO. As in my second example above, if you were to add another line, Perl will try to interpret multiple statements as one and will produce an error.

Happy Coding,

--Drew
http://www.FindingHim.com