Sunday 2 December 2012

Why or Why Not, Htpasswd?

What is htpasswd?

htpasswd is the Apache utility that creates and maintains the user/password file used for HTTP Basic Authentication, as defined by RFC 2617.

Why htpasswd?

1. It's quick and easy.
2. It doesn't require any additional authentication system (AD, LDAP and so on).

Why not htpasswd?

1. Unless SSL is used, credentials are sent between client and server effectively in plain text (Basic auth only Base64-encodes them; it does not encrypt them).
2. The browser caches the credentials until the browser or tab (browser dependent) is closed.

Rules!

1. Never use htpasswd or any other basic authentication over a non-SSL connection!
2. Season your passwords with SALT!
3. Check, Double Check and Triple check your file permissions!

How?

~# man htpasswd and ~# man htaccess
Two parts to the tale.
1. .htaccess
Four Apache directives are absolutely necessary in the .htaccess file, which should be stored in the directory you want to secure.
AuthType Basic - This tells Apache that HTTP Basic Authentication is in use.
AuthName - This tells Apache what to display in the password prompt box.
AuthUserFile - This tells Apache where to look for the list of users and password hashes. Usually called .htpasswd.
Require - This tells Apache what conditions allow entry to the secured directory (valid-user means any user listed in the file).
2. .htpasswd
One line per user, in the form User:Password, where Password is the hash written by htpasswd.
So create a .htaccess file in the directory you want to secure:
 mac@pentest:/securedirectory$ sudo nano .htaccess
Add the following to the file:
 AuthType Basic
 AuthName "Please enter a username and password"
 AuthUserFile {Full server path to the .htpasswd file}
 Require valid-user
Save the above, and then use the htpasswd command to create your password file. Simply typing the command:
 mac@pentest:/securedirectory$ sudo htpasswd
Will bring up a nice little how-to:
Usage:
 htpasswd [-cmdpsD] passwordfile username
 htpasswd -b[cmdpsD] passwordfile username password

 htpasswd -n[mdps] username
 htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password.
 -d  Force CRYPT encryption of the password (default).
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line rather than prompting for it.
 -D  Delete the specified user.
On Windows, NetWare and TPF systems the '-m' flag is used by default.
On all other systems, the '-p' flag will probably not work.
So do:
 mac@pentest:/securedirectory$ sudo htpasswd -m -c .htpasswd user
And you should be prompted to enter a password for user, 'user', twice.
What did we do?
If all worked out you should have a file that looks like this:
 mac@pentest:/securedirectory$ cat .htpasswd
 user:$apr1$7gWTF4UB$nMtEFqi8mtRRsnhyQp7FJ0
Job done! Navigate to www.whatever.com/securedirectory and if you've followed the above correctly, you should be presented with a login box to authenticate and enter your secure directory!
Two last tips!
Don't use the -b flag: it takes the password from the command line, so it will be recoverable from your bash history (and visible in the process list while the command runs). Let htpasswd prompt you for the password, as I did in the tutorial.
Also, don't be tempted to use the -s flag for SHA1: that format does not salt the password, so two users with the same password end up with identical hashes.
ALWAYS SEASON YOUR PASSWORDS WITH SALT!
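To apply the three rules to a password file you already have, here is an added audit script in Python (my example, not code from the original post or from Apache). The sample file content is constructed, apart from the $apr1$ hash reused from above; permission_findings expects an st_mode value such as os.stat(".htpasswd").st_mode.

```python
import base64
import hashlib
import re
import stat

# Constructed sample .htpasswd (only the $apr1$ line is from the post): one entry
# per htpasswd storage option, plus two users who happen to share a password.
SAMPLE = """\
alice:$apr1$7gWTF4UB$nMtEFqi8mtRRsnhyQp7FJ0
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:xyAbCdEfGhIjK
erin:Secret99
"""

def sha_entry(password):
    """The {SHA} form written by `htpasswd -s`: base64(sha1(password)), no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def classify(hashed):
    """Return (htpasswd option that wrote this field, weakness or None)."""
    if hashed.startswith("$apr1$"):
        return "apr1", None  # -m: salted, iterated MD5, what the post recommends
    if hashed.startswith("{SHA}"):
        return "sha1", "unsalted SHA-1 (-s): equal passwords give equal hashes"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return "crypt", "DES crypt (-d): only the first 8 password characters count"
    return "plain", "plaintext (-p): no hashing at all"

def audit(text):
    """Return (user, finding) pairs for every weak entry in .htpasswd content."""
    findings, seen = [], {}  # seen: hash -> first user, to spot reused hashes
    for line in text.splitlines():
        user, sep, hashed = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        problem = classify(hashed)[1]
        if problem:
            findings.append((user, problem))
        if hashed in seen:  # only possible when the field is unsalted or plaintext
            findings.append((user, "same hash as %s, so the same password" % seen[hashed]))
        seen.setdefault(hashed, user)
    return findings

def permission_findings(mode):
    """Rule 3, applied to an st_mode value such as os.stat(".htpasswd").st_mode."""
    checks = ((stat.S_IRWXO, "readable or writable by everyone"), (stat.S_IWGRP, "group-writable"))
    return [msg for bit, msg in checks if mode & bit]
```

Run audit(open(".htpasswd").read()) against a real file; an empty result means every entry is a salted $apr1$ hash and no two users share one.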
