Managing Password Protected Directories
Restricted areas of your web site can be very useful in many ways. You can set up groups of users who have password access to sensitive data. For example, your sales force might want pricing information, but you don't want your competitors to see it. That's where Restricted Areas come in. When you try to go to a certain part of your site, you'll be prompted by a dialog box like this:
Simply enter your name and password, and you can access the data. If they are not accepted, you are given an error message. This password protection is a function of the server software, and will prompt users for a name and a password whenever they try to gain access to certain areas within your site. If they do not enter a proper name and password, then it will not let them view the information stored in those directories.
Will I be able to perform secure transactions?
The brief answer is NO. There are two forms of security that you can implement on your web site. This area of the VWS site concerns itself only with restricting access; however, Primus also offers technology which allows for safe online transactions. Please review the text below to become familiar with the differences between these two forms of security.
Secure Transactions
The goal of secure transactions is to encrypt all communications between the user and the web site, so that it is impossible for a third party to view the data being sent. The method of encryption most commonly used is called Secure Sockets Layer (SSL) encryption. The URL used for secure transactions typically starts with https: rather than the normal http:. A standard application for secure transactions would be to take credit card orders through a web site, since you would definitely not want a third party intercepting a user's credit card information.
Restricting Access
The goal of restricting access is to maintain control over who accesses your site, or an area of your site. This is accomplished by restricting an area of your site to a set of users whom you have pre-defined, or to a set of IP addresses, or both. If you wish to allow only a certain set of users to access an area of your web site, then you need to associate a password file with that area. The password file consists of userids and their associated passwords. Whenever someone tries to access the controlled area, they are prompted for a userid and password. If the userid and password do not match any of those in the password file, then the person is denied access. This could be useful if you are building a new area of your site, and only want the developers of the new area to have access until the area is complete. Another use might be to restrict access to an area of your site to employees of your company, or to only employees working on a certain project.
Administration Area
The directory-protection administration tool has been integrated into the https://myaccount.primustel.ca/ customer portal. Please login to the portal to access this tool. It can be found under the "Advanced Records" tab under your VWS record.
Restricting Access Frequently Asked Questions (FAQ)
1. How does it work?
Restricted Areas works by making directories on the server password protected. When you enter a password protected area, you are prompted with a dialog box to enter your user name and password. The system then allows you access to the information kept in that directory. Our system allows you to assign any number of users to any number of directories.
2. Does this mean that I can restrict FTP access too?
No. This is only for restricting web access to your directories. FTP continues to be accessed through the same login and password as before. This is not a replacement for Anonymous FTP.
3. Why doesn't it ask me for my password again?
Good question. Your browser actually caches your user name and password information and will only ask once per session. So if you don't restart your browser between surf sessions, it will seem that the password protection doesn't work. This is not the case. Simply restart your browser and it will ask again for your login information.
4. Can I import users?
Yes, you can import users from a text file. Use the following format, one entry per line, with each line ended by a 'return':
login name:password
For example:
Bob Smith:098f09
John Smith:23lk4
Joe Jones:0928mlk390
etc...
5. Can a user change his/her own password?
No. It is up to the site administrator to update the user names and passwords. Remember that since this feature requires the login name and password for the web account, security would be compromised if you allow your users to set their own information.
6. Does this mean it is safe to transmit credit card info?
No. The information contained in this area is still being transmitted via web over non-secure http protocols. In order to transmit information like credit cards securely, you must be running a secure server. Restricted Areas is not a secure server.
7. How is this different from a secure server?
A secure server encrypts data between the server and the user. The server uses an encryption key to make the transmission 'secure' between these two points. This service simply restricts web access to certain directories on the web server to visitors of the web site. The information is NOT secure while it is being transmitted.
8. Are my names and passwords stored in a safe place?
By default, the .htpasswd and .htgroup files are stored IN the directory you are protecting. This can be a security risk.
9. Does this protect Primus administrators from entering?
Primus continues to have access to all accounts hosted on our server for full enforcement of our policies. Restricted Areas will not prevent Primus staff from viewing your content.
10. Does this work with all browsers?
We've tested it with a number of older browsers as well as all the new browsers from Netscape and Microsoft. Everything appears to work fine. If you run up against browser problems when using this service, let us know so we can post it here.
Tutorial
- Overview
When creating your site for viewers of the world, you may not want everyone to be able to see everything on your site. To make this possible, we have created a Restricted Area administration utility. This utility will allow you to create a database of names and passwords, and then make certain directories accessible by only certain people. This password protection is a function of the server software, and will prompt users for a name and a password whenever they try to gain access to certain areas within your site. If they do not enter a proper name and password, then it will not let them view the information stored in those directories. Protecting an area of your web site is relatively easy. You simply need to create an Access Control File in a directory of your web site in order to control that directory and ALL directories underneath it. The Access Control Files on Primus' web servers are called HTAccess files.
- Protection Strategy
When protecting certain areas of your site, you need to know a little of how it works before you start. Let's pretend that you want to protect a directory called "privatestuff". When you protect it, you also automatically protect any directories within that directory. If you need to have a directory within the "privatestuff" directory accessible by a different group of people, then you need to set specific protection for the additional directory. Another thing to be aware of: if you restrict an area that contains images, make sure that none of your other pages try to load those images, or the user will be prompted with the password dialog box.
- Protecting Directories
Once you are ready to protect a directory on your site, enter the myaccount.magma.ca portal. Enter your user name and password to log into the myaccount system. You can find the tool to protect your website under “Advanced Records”, then select your VWS, click on “Tools” and click on “Password Protected Directories”. You will then be presented with a form with three main options:
- Create a New HTAccess File
- Edit an existing HTAccess File
- Delete an HTAccess File
- Creating HTAccess Files
In the “Create New HTAccess File” drop box, you have access to all directories on your website that do not already have a HTAccess file setup. To create a new HTAccess file, select the directory you wish to protect and click “Create New”. Enter a unique name for the protected area. You can specify whatever you like here as long as it is a unique name among all of your protected directories. The client's browser will use this name to store the user's userid and password for the user's session. You will also have the ability to select which users have access to the protected directory.
- Editing HTAccess Files
In the “Existing HTAccess Files” drop box, you have access to all directories on your website that already have a HTAccess file setup. Select the directory you wish to change the HTAccess settings for and click “Edit File”. You will also have the ability to select which users have access to the protected directory.
- Deleting HTAccess Files
In the “Existing HTAccess Files” drop box, you have access to all directories on your website that already have a HTAccess file setup. Select the directory whose HTAccess file you wish to remove and click “Delete File”.
- Creating & Editing Users
Once you have either created a new HTAccess file, or selected a HTAccess file to edit, you will be presented with the option to modify the usernames that will have access to enter the protected directory. You MUST add at least one user to your password file to make the directory protection work. To add, edit or delete users, click on the "Edit HTPassword File" button.
Add New User : Enter the userid and password and then click "Add User".
Edit A User : Select the userID from the “Existing User“ dropdown box and click “Edit User”. You will have the ability to change the password associated to the UserID.
Delete A User : Select the userID from the “Existing User” dropdown box and click “Delete User”. The userID will be deleted.
Note: When you add/delete/modify users, the changes to your .htpasswd file will be shown at the bottom of the screen.
- Importing Users
If you have a large list of users, then it is rather difficult and tedious to enter the users one by one. In this case, you can use the "Import Users" button on the "Edit HTPasswd File" page. The resulting form will allow you to import a large number of users into the password file by either:
-> Specifying a file which contains the list of users and their passwords
-> Providing the list of userids and passwords in a text area of the form
The userids and passwords are expected to be given in pairs, separated by a colon. You will also have the ability to specify your own delimiting character when importing the list of users.
Example:
userid1:password1
userid2:password2
When importing a list of users, you will have the ability to specify one of the following options.
-> Merge with existing HTPassword file
-> Replace existing HTPassword file
If you choose the "Merge" option to import the users, then the new userids and passwords will be added to the existing users in the HTPasswd file. If one of the new userids is the same as an already existing userid, then the new password will be used. If you use the "Replace" option to import the users, then the new list of userids and passwords will completely replace the contents of the existing HTPasswd file.
If the passwords that you are supplying in the import file, or through the form's text area, are already encrypted passwords, then simply click the check box labelled "Passwords are already encrypted".
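The import rules above (one pair per line, a configurable delimiter, Merge versus Replace, and the "Passwords are already encrypted" checkbox) are precise enough to be written down as code. The following is an added example, not the portal's own code: it parses an import list, applies the merge or replace semantics, and hashes plaintext passwords. Assumptions: blank and '#' lines are skipped, and plaintext passwords are stored in the {SHA} format that `htpasswd -s` writes (chosen because it needs no salt handling; on a current server bcrypt via `htpasswd -B` is the better choice).

```python
import base64
import hashlib


def sha_htpasswd_hash(password: str) -> str:
    """Return an htpasswd '{SHA}' entry, the format `htpasswd -s` writes.

    This is unsalted SHA-1, used here only because it is short and needs no
    salt handling; on a current server prefer bcrypt entries (`htpasswd -B`).
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_pairs(text: str, delimiter: str = ":") -> dict:
    """Parse 'userid<delimiter>password' lines (one pair per line).

    Blank lines and '#' comment lines are skipped (an assumption; the page does
    not say how the form treats them). Only the FIRST delimiter splits the
    pair, so a password may contain the delimiter but a userid may not.
    A userid repeated within the same import keeps the last password given.
    """
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if delimiter not in line:
            raise ValueError(f"line {lineno}: no {delimiter!r} in {line!r}")
        userid, password = line.split(delimiter, 1)
        userid = userid.strip()
        if not userid:
            raise ValueError(f"line {lineno}: empty userid")
        users[userid] = password
    return users


def parse_htpasswd(text: str) -> dict:
    """An existing .htpasswd is always colon-delimited: {userid: stored_hash}."""
    return parse_pairs(text, ":")


def import_users(existing_htpasswd: str, imported: str, *, mode: str = "merge",
                 delimiter: str = ":", already_encrypted: bool = False) -> str:
    """Apply the Merge / Replace semantics described above; return the new file.

    merge   - imported users are added; a userid already in the file takes the
              imported password.
    replace - the imported list becomes the whole file.
    already_encrypted=True stores the supplied values verbatim (the
    "Passwords are already encrypted" checkbox); otherwise they are hashed.
    """
    if mode not in ("merge", "replace"):
        raise ValueError("mode must be 'merge' or 'replace'")
    new_users = parse_pairs(imported, delimiter)
    if not already_encrypted:
        new_users = {u: sha_htpasswd_hash(p) for u, p in new_users.items()}
    result = parse_htpasswd(existing_htpasswd) if mode == "merge" else {}
    result.update(new_users)          # dict keeps file order; updates stay in place
    return "".join(f"{userid}:{stored}\n" for userid, stored in result.items())


# Constructed sample data: the page's pumpkin/pie user plus an import list that
# adds two users and changes pumpkin's password.
EXISTING_FILE = "pumpkin:" + sha_htpasswd_hash("pie") + "\n"
IMPORT_TEXT = "userid1:password1\nuserid2:password2\npumpkin:newpie\n"

if __name__ == "__main__":
    print("--- merge ---")
    print(import_users(EXISTING_FILE, IMPORT_TEXT, mode="merge"), end="")
    print("--- replace, ';' delimiter, pre-hashed values ---")
    print(import_users(EXISTING_FILE, "guest;{SHA}notarealhash=", mode="replace",
                       delimiter=";", already_encrypted=True), end="")
```

Splitting on the first delimiter only is the decision worth noting: it lets a password contain a colon, which is also how a real .htpasswd line is read, since the stored hash formats themselves never contain one.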
File
Create a text file filled with names and passwords in the following format:
name:password
name2:password2
There must be a single pair on each line separated by a delimiting character.
Click the browse button and locate the text file containing your users on your computer.
Click the "Upload File" button to import your users.
Form
Type in the userids and passwords into the text area in the following format:
name:password
name2:password2
Once you have entered your users, click on "Import User List".
- Creating Groups
To add a group, you will click on the "Add HTGroup File" button on the main screen, then click on the "Edit HTGroup File" button to setup group names. The next screen that appears will allow you to either:
- Add a new group - simply enter the group name and then click "Add Group".
- Edit a group - select the group name in the dropdown list and click the "Edit Group" button.
- Delete a group - select the group name in the dropdown list and click the "Delete Group" button.
Note : When you add or delete groups, the changes to your .htgroup file will be shown at the bottom of the screen.
- Assigning Users to Groups
After creating a new group, or editing an existing one, you need to specify which users should belong to the group. You can do this by selecting the group in the drop down and clicking the "Edit Group" button. Once you are on the "Users <-> Group" screen, you will be presented with a list of ALL users specified in your .htpasswd file. At this point, you can either move a user into the group, or out of the group by highlighting the user name and then selecting one of the arrow buttons. As you move a user into or out of a group, your selection will automatically be saved.
- Securing Directories Manually
This should help you set up protection on a directory via the Basic HTTP Authentication method. This method also uses the standard plain text password file. So let's suppose you want to restrict files in a directory called turkey to username pumpkin and password pie. Here's what to do:
Create a file called .htaccess in directory turkey that looks like this:
AuthUserFile /magma/users/u?/youruserid/security/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
<Limit GET>
require user pumpkin
</Limit>
Notes:
- replace u? (above) with the user directory assigned to your home account by Primus
- replace youruserid with your account userid assigned by Primus
- you will need to create the security directory in your home directory - to do this, you can use the "Make Directory" feature in your FTP client or you can use the "mkdir" command from the UNIX prompt
AuthName can be anything you want. The AuthName field gives the Realm name for which the protection is provided. This name is usually shown when a browser prompts for a password, and is also usually used by a browser, in combination with the URL, to save the password information you enter so that it can authenticate automatically on the next challenge. Note: You should set this to something of your own, otherwise it will default to ByPassword, which is both non-descriptive and too common.
AuthType should be set to Basic , since we are using Basic HTTP Authentication.
Create the password file /magma/users/u?/youruserid/security/.htpasswd
The easiest way to do this is to use the htpasswd program available on Primus' shell server. You will need to telnet into the server hosting your web site. Virtual Web Server customers will telnet to www.yourdomain.xxx. Then, do this:
htpasswd -c security/.htpasswd pumpkin
Note: The above command assumes that you are in your home directory. Alternatively, you could 'cd' into the security directory and then just enter:
htpasswd -c .htpasswd pumpkin
Type the password -- pie -- twice as instructed.
Check the resulting file to get a warm feeling of self-satisfaction; it should look like this:
pumpkin:y1ia3tjWkhCK2
That's all. Now try to access a file in directory turkey -- your browser should demand a username and password, and not give you access to the file if you don't enter pumpkin and pie. If you are using a browser that doesn't handle authentication, you will not be able to access the document at all.
Multiple Usernames/Passwords
If you want to give access to a directory to more than one username/password pair, follow the same steps as for a single username/password with the following additions:
Add additional users to the directory's .htpasswd file. Use the htpasswd command without the -c flag to add additional users; e.g.:
htpasswd .htpasswd peanuts
htpasswd .htpasswd almonds
htpasswd .htpasswd walnuts
Create a group file. Call it /magma/users/u?/youruserid/security/.htgroup and have it look something like this:
my-users: pumpkin peanuts almonds walnuts
... where pumpkin , peanuts , almonds , and walnuts are the usernames.
Then modify the .htaccess file in the directory to look like this:
AuthUserFile /magma/users/u?/youruserid/security/.htpasswd
AuthGroupFile /magma/users/u?/youruserid/security/.htgroup
AuthName ByPassword
AuthType Basic
<Limit GET>
require group my-users
</Limit>
Note that AuthGroupFile now points to your group file and that group my-users (rather than individual user pumpkin) is now required for access.
That's it. Now any user in group my-users can use his/her individual username and password to gain access to directory turkey .
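What the server does with that group setup on each request, written out as an added example (this is not Apache's or Primus' code): the browser sends the realm dialog answer as `Authorization: Basic base64(userid:password)`, the server checks the password against the .htpasswd entry, and then the `require` line decides whether that user may enter. The sample .htpasswd, .htgroup and .htaccess below are constructed from the page's pumpkin / my-users example; the password entries are assumed to be in the {SHA} format of `htpasswd -s` rather than the crypt format shown on the page, because it is the easiest to reproduce without a C library.

```python
import base64
import hashlib
import hmac
from typing import Optional


def sha_htpasswd_hash(password: str) -> str:
    """'{SHA}' entry as written by `htpasswd -s` (unsalted SHA-1; prefer `htpasswd -B` today)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def basic_header(userid: str, password: str) -> str:
    """What a browser sends after the user fills in the realm dialog."""
    return "Basic " + base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")


# Constructed sample files modelled on the page's pumpkin / my-users example.
HTPASSWD = "".join(f"{u}:{sha_htpasswd_hash(p)}\n" for u, p in
                   [("pumpkin", "pie"), ("peanuts", "salted"), ("walnuts", "shell"), ("solo", "alone")])
HTGROUP = "my-users: pumpkin peanuts walnuts\n"
HTACCESS_GROUP = "AuthName ByPassword\nAuthType Basic\n<Limit GET>\nrequire group my-users\n</Limit>\n"


def parse_htpasswd(text: str) -> dict:
    """{userid: stored_hash}; blank and '#' lines are skipped (an assumption)."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            userid, _, stored = line.partition(":")
            users[userid] = stored
    return users


def parse_htgroup(text: str) -> dict:
    """{groupname: set(members)} from 'groupname: user1 user2 ...' lines."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def parse_requires(htaccess: str) -> list:
    """[(kind, args)] for every 'require' line: kind is valid-user, user or group."""
    reqs = []
    for raw in htaccess.splitlines():
        words = raw.strip().split()
        if len(words) >= 2 and words[0].lower() == "require":
            reqs.append((words[1].lower(), words[2:]))
    return reqs


def authenticate(authorization: Optional[str], users: dict) -> Optional[str]:
    """Decode a Basic credential and check it against .htpasswd; userid or None."""
    if not authorization:
        return None
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        userid, _, password = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = users.get(userid)
    if stored is None or not stored.startswith("{SHA}"):   # only the {SHA} format is handled here
        return None
    return userid if hmac.compare_digest(stored, sha_htpasswd_hash(password)) else None


def authorized(userid: str, requires: list, groups: dict) -> bool:
    """True when ANY require line admits the user (several lines in one scope are OR-ed)."""
    for kind, args in requires:
        if kind == "valid-user":
            return True
        if kind == "user" and userid in args:
            return True
        if kind == "group" and any(userid in groups.get(g, ()) for g in args):
            return True
    return False


def handle_request(authorization: Optional[str], htaccess: str,
                   htpasswd: str = HTPASSWD, htgroup: str = HTGROUP) -> tuple:
    """(status, detail) the server would produce for a GET in the protected directory.

    By default Apache answers a missing, wrong, or merely unauthorized credential
    with the same 401 challenge, so a caller cannot tell a bad password from a
    valid user who is not in the required group; the detail string here is for
    the reader, not something that leaves the server.
    """
    userid = authenticate(authorization, parse_htpasswd(htpasswd))
    if userid is None:
        return 401, "no or invalid credentials"
    if not authorized(userid, parse_requires(htaccess), parse_htgroup(htgroup)):
        return 401, "authenticated but not permitted by require"
    return 200, userid


if __name__ == "__main__":
    for user, pw in [("pumpkin", "pie"), ("pumpkin", "pi"), ("solo", "alone")]:
        print(user, pw, handle_request(basic_header(user, pw), HTACCESS_GROUP))
    print("no header", handle_request(None, HTACCESS_GROUP))
```

Note the comparison with `hmac.compare_digest` rather than `==`, and that the decision is made in two separate steps: `solo` has a valid password but is not in `my-users`, so the group `require` turns him away even though `require valid-user` would admit him.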
- Other Types of Security
Protection via Domain or IP Addresses can also be used. Primus' custom directory protection tools don't support this type of protection, but you could set it up manually. Refer to Section 10 above on how to configure directory protection manually.
Protection by network domain.
In this example, your directory is only accessible to clients running on machines inside domain ncsa.uiuc.edu or the machines with IP address 204.191.36.123 or 204.191.36.124.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleAllowFromNCSA
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .ncsa.uiuc.edu
allow from 204.191.36.123
allow from 204.191.36.124
</Limit>
Protection by network domain -- exclusion.
In this example, your directory is accessible to clients running on machines anywhere but inside domain ncsa.uiuc.edu .
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ExampleDenyFromNCSA
AuthType Basic
<Limit GET>
order allow,deny
allow from all
deny from .ncsa.uiuc.edu
</Limit>
- A Sample HTAccess File
The contents of a sample HTAccess file might be as follows:
AuthUserFile /path/to/password/file/.htpasswd
AuthGroupFile /path/to/group/file/.htgroup
AuthName NameOfArea
AuthType Basic
<Limit GET>
require valid-user
require user [supply list of users from password file here]
require group [supply list of groups from group file here]
</Limit>
All of the above components are described below.
AuthUserFile an absolute path to the password file. The password file is normally called .htpasswd and could be created manually by the UNIX htpasswd tool. The password file consists of lines such as follows:
username1:password1
username2:password2
username3:password3
username4:password4
where all of the passwords are stored in encrypted form.
AuthGroupFile an absolute path to the group file. The group file is normally called .htgroup and is just a simple text file. The group file consists of lines such as follows:
groupname: username1 username2 username3 username4
One group called groupname has been specified, and this group has four members: username1, username2, username3 and username4.
AuthName this is just simply a unique name that you would like to give to this access controlled area. Don't use the same name twice, or it will confuse your browser.
AuthType currently the only method of user authentication supported by the web server is Basic
Limit the Limit directive indicates which browser query methods you are configuring for the specified area. If you will be running CGIs out of the controlled area, then you should set this to Limit GET POST. Otherwise, Limit GET is fine.
require the require directive indicates which users from the password file and group file are allowed to access the controlled area.
- If you use require valid-user, then ANY user in the password file can access this area.
- If you use require user, then ONLY the usernames which you specify will be allowed to access this area.
- If you use require group, then ONLY the groups which you specify will be allowed to access this area.
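The two domain/IP fragments under "Other Types of Security" above are easy to get backwards, because `order deny,allow` and `order allow,deny` change what happens to a client that matches neither list. The following added example (not Apache's or Primus' code) parses those two fragments, which are embedded here as constructed input, and evaluates them the way the Order directive is documented for Apache's access module. Two assumptions are built in: `order mutual-failure` is not handled, and a domain token such as `.ncsa.uiuc.edu` is compared against the client's reverse-DNS name, which the server only has if it does a (double) reverse lookup; since that name is controlled by whoever runs the client's reverse DNS, address-based tokens are the more dependable rule and an unresolved client never matches a domain token here.

```python
import ipaddress
from typing import Optional

# The two fragments from the page, embedded here as constructed input.
ALLOW_ONLY_NCSA = """\
AuthName ExampleAllowFromNCSA
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from .ncsa.uiuc.edu
allow from 204.191.36.123
allow from 204.191.36.124
</Limit>
"""

EXCLUDE_NCSA = """\
AuthName ExampleDenyFromNCSA
AuthType Basic
<Limit GET>
order allow,deny
allow from all
deny from .ncsa.uiuc.edu
</Limit>
"""


def parse_access_rules(htaccess: str) -> dict:
    """Collect Order / Allow from / Deny from directives (case-insensitive).

    Other directives are ignored; 'order mutual-failure' is not handled.
    """
    rules = {"order": "deny,allow", "allow": [], "deny": []}
    for raw in htaccess.splitlines():
        words = raw.strip().split()
        if len(words) >= 2 and words[0].lower() == "order":
            rules["order"] = words[1].lower()
        elif (len(words) >= 3 and words[0].lower() in ("allow", "deny")
              and words[1].lower() == "from"):
            rules[words[0].lower()].extend(words[2:])
    return rules


def token_matches(pattern: str, client_ip: str, client_host: Optional[str]) -> bool:
    """Does one 'from' token match this client?

    'all'             everything
    a.b.c.d or CIDR   the address itself / the block
    '204.191.36'      a partial dotted quad, matched on whole octets
    '.ncsa.uiuc.edu'  a domain suffix, matched against the client's reverse-DNS
                      name; client_host=None (no verified reverse lookup) means
                      a domain token never matches (assumption, see lead-in).
    """
    if pattern.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():
        if pattern.count(".") == 3:
            return ip == ipaddress.ip_address(pattern)
        return ip.version == 4 and client_ip.startswith(pattern.rstrip(".") + ".")
    try:
        return ip == ipaddress.ip_address(pattern)      # e.g. an IPv6 literal
    except ValueError:
        pass
    if client_host is None:
        return False
    host, pat = client_host.lower().rstrip("."), pattern.lower()
    suffix = pat if pat.startswith(".") else "." + pat   # 'good.com' must not match 'nogood.com'
    return host == pat or host.endswith(suffix)


def access_allowed(rules: dict, client_ip: str, client_host: Optional[str] = None) -> bool:
    """Evaluate the rules as the Order directive is documented.

    deny,allow: Deny lines first, an Allow match overrides, unmatched clients pass.
    allow,deny: the client must match an Allow and no Deny; unmatched clients fail.
    """
    allowed = any(token_matches(p, client_ip, client_host) for p in rules["allow"])
    denied = any(token_matches(p, client_ip, client_host) for p in rules["deny"])
    if rules["order"] == "deny,allow":
        return allowed or not denied
    if rules["order"] == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported Order value {rules['order']!r}")


if __name__ == "__main__":
    inclusive = parse_access_rules(ALLOW_ONLY_NCSA)
    exclusive = parse_access_rules(EXCLUDE_NCSA)
    for ip, host in [("204.191.36.123", None), ("204.191.36.125", None),
                     ("10.1.2.3", "lab.ncsa.uiuc.edu"), ("10.1.2.3", "fakencsa.uiuc.edu")]:
        print(f"{ip:15} {host or '-':20} allow-only={access_allowed(inclusive, ip, host)!s:5} "
              f"exclude={access_allowed(exclusive, ip, host)}")
```

The case to check when reviewing such a file is the client that matches nothing: with the first fragment it is refused (it hits `deny from all`), with the second it is admitted (it hits `allow from all`), and swapping the `order` line in either file silently reverses that default.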