Discussion:
OpenBSD's HTTPD troubles AGAIN - Can't find any man page that explains how to properly set up directory authentication.
t***@protonmail.com
2017-09-15 21:50:32 UTC
Hello,

Can someone with knowledge of OpenBSD's HTTPD please tell me how to properly set up a password protected directory and where you found ALL of the information to do so. I am really struggling to find enough information within the man pages to even make it work correctly. I want to love the man pages, I really do, but.. Yeah, you get the drift - frustration.

Thanks and regards.

########################################################################

p.s. Here is everything I've tried so far which doesn't work.......................

# I found this authentication stuff a year ago some place, no idea where the person got these instructions from but I'm sure they said it was meant for the new httpd in OpenBSD. Looks like Apache stuff to me? That right? Anyway, it works kinda, except a never ending loop of putting user/password in through the browser and no access - GARBAGE.

$ cat /var/www/htdocs/download/htpasswd
AuthType Basic
AuthName "Restricted Access"
# This is relative to the chroot but my chroot is disabled so place absolute path
AuthUserFile /var/www/htpasswd
Require user admin

$ chown www /var/www/htdocs/download/htpasswd
$ chmod 640 /var/www/htdocs/download/htpasswd

# Create the username:hashed pass:
$ htpasswd /var/www/htpasswd admin

$ chmod 640 /var/www/htpasswd

# This is placed within my httpd.conf :
authenticate with htpasswd

# Reload all changes to httpd.conf
rcctl reload httpd.conf

# Test access
-> Never ending authentication scre
Wiremu Demchick
2017-09-15 22:08:04 UTC
You may find this helpful:
https://marc.info/?l=openbsd-arm&m=149507490119056&w=2
Bryan Harris
2017-09-15 23:41:11 UTC
I got curious so I looked at the man page. It seems to me one could authenticate a location i.e. folder/directory based on this part.
A location section may include most of the server configuration rules except alias, connection, hsts, listen on, location, tcp and tls.
V/r,
Bryan
t***@protonmail.com
2017-09-16 12:35:59 UTC
You are a legend. Got it working with that!

Thank you so much, saved me a bigger headache!

p.s. Still, looking at the man page that really is not obvious where it mentions [realm] and [htpasswd]. I read it totally differently, that the htpasswd is a location to a file and not just a declaration to look for a file in the current dir named htpasswd etc. I wonder where "Secure Area" came from too, 'realm' is mentioned but I had not a clue what it even was. I still don't. I cannot stand the man page for httpd.conf - so much frustration for me.
Michael Hekeler
2017-09-18 19:24:57 UTC
On Sat, 16 Sep 2017 08:35:59 -0400
Post by t***@protonmail.com
You are a legend. Got it working with that!
Thank you so much, saved me a bigger headache!
p.s. Still, looking at the man page that really is not obvious where
it mentions [realm] and [htpasswd].
What's wrong with the manpage?

[no] authenticate [realm] with htpasswd
Authenticate a remote user for realm by checking the
credentials against the user authentication file htpasswd.
The file name is relative to the chroot and must be
readable by the www user. Use the no authenticate directive
to disable authentication in a location.
Post by t***@protonmail.com
I read it totally differently, that the htpasswd is a location to a
file and not just a declaration to look for a file in the current dir
named htpasswd etc.
The htpasswd IS a file:
location "/*" { authenticate with "/htpasswd" }

In this example the password file is named "htpasswd" and is in /var/www
(Note that httpd(8) is chrooted by default)
Post by t***@protonmail.com
I wonder where "Secure Area" came from too,
'realm' is mentioned but I had not a clue what it even was. I still
don't.
From RFC 1945 (HTTP/1.0) and RFC 2617 (HTTP Authentication referenced
by HTTP/1.1):
The realm attribute (case-insensitive) is required for all
authentication schemes which issue a challenge. The realm value
(case-sensitive), in combination with the canonical root URL of the
server being accessed, defines the protection space. These realms allow
the protected resources on a server to be partitioned into a set of
protection spaces, each with its own authentication scheme and/or
authorization database. The realm value is a string, generally assigned
by the origin server, which may have additional semantics specific to
the authentication scheme.

In short, pages in the same realm should share credentials. If your
credentials work for a page with the realm "My Realm", it should be
assumed that the same username and password combination should work for
another page with the same realm.
Post by t***@protonmail.com
I cannot stand the man page for httpd.conf - so much
frustration for me.
If you have concrete questions then ask.
My experience is that someone on the list will try to help.
But by now: ... what is your question?
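Added example, not part of any post in this thread: a shell sketch that maps each `authenticate [realm] with file` directive to the file httpd(8) actually opens inside its chroot, and flags the two mistakes from the first post (Apache directives instead of login:hash lines, and a password file kept under htdocs). The function names, the assumed "/htdocs" document root and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes the document root is "/htdocs"
# inside the chroot; function names and the demo tree are made up.

# Print the file argument of every "authenticate [realm] with file" directive.
# Comments and "no authenticate" are skipped.
auth_files() {
    sed 's/#.*//' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i != "authenticate" || (i > 1 && $(i-1) == "no")) continue
            for (j = i + 1; j < NF; j++) if ($j == "with") {
                f = $(j+1); gsub(/["{};]/, "", f); print f; break
            }
        }
    }'
}

# Map one directive argument to the file httpd opens and sanity-check it.
check_auth_file() {   # $1 = chroot dir, $2 = path as written in httpd.conf
    disk="${1%/}/${2#/}"
    [ -f "$disk" ] || { echo "MISSING $disk"; return 1; }
    # A password file under the document root sits among the served content.
    case "/${2#/}" in /htdocs/*) echo "EXPOSED $disk"; return 1 ;; esac
    # htpasswd(1) writes login:hash lines; Apache directives do not belong.
    if grep -v '^[[:space:]]*$' "$disk" | grep -qv '^[^:][^:]*:[^:]'; then
        echo "BADFORMAT $disk"; return 1
    fi
    echo "OK $disk"
}

# Constructed demo tree: one correct file, one Apache-style file in htdocs.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/htdocs/download"
    printf 'admin:$2b$10$constructedhashconstructedhash\n' > "$d/htpasswd"
    printf 'AuthType Basic\nRequire user admin\n' > "$d/htdocs/download/htpasswd"
    cat > "$d/httpd.conf" <<'EOF'
server "default" {
    listen on * port 80
    location "/download/*" { authenticate "Secure Area" with "/htpasswd" }
    location "/old/*" { authenticate with "/htdocs/download/htpasswd" }
    location "/pub/*" { no authenticate }
}
EOF
    auth_files "$d/httpd.conf" | while read -r f; do check_auth_file "$d" "$f" || true; done
    rm -rf "$d"
}
demo
```

On a real system the same functions would be pointed at /etc/httpd.conf with /var/www as the chroot directory; the check does not verify that the www user can read the file.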
Allan Streib
2017-09-18 19:31:59 UTC
Post by Michael Hekeler
What's wrong with the manpage?
[no] authenticate [realm] with htpasswd
Authenticate a remote user for realm by checking the
credentials against the user authentication file htpasswd.
The file name is relative to the chroot and must be
readable by the www user. Use the no authenticate directive
to disable authentication in a location.
Post by t***@protonmail.com
I read it totally differently, that the htpasswd is a location to a
file and not just a declaration to look for a file in the current dir
named htpasswd etc.
location "/*" { authenticate with "/htpasswd" }
In this example the password file is named "htpasswd" and is in /var/www
(Note that httpd(8) is chrooted by default)
I think he meant possible confusion over whether "htpasswd" is the
literal/only name of the file, or a stand-in name for "any file name I
choose" e.g. if my password file was named "foo" then the directive
would be

authenticate [realm] with foo.

I could see it being interpreted that way, anyway.

Allan
t***@protonmail.com
2017-09-18 19:37:23 UTC
Yeah, I'm not great at explaining stuff sometimes - but you're spot on.

Regards
t***@protonmail.com
2017-09-18 19:34:43 UTC
Thanks for the reply. This issue was worked out already thanks to another user on the misc board. I appreciate the info on the RFC, I never looked that up - I never even thought to tbh as was just trying to do it from the man page. Well, who knows - I just read that section of the man page quite differently - a rewritten version from another guy made me understand it properly. Some man pages are just confusing and some are clear and simple, with excellent examples to explain something. Anyway, that is some good info on the realm stuff - I'll look into that.

Regards.