YOU DON’T HAVE TO BE A COMPUTER GENIUS TO... Password Protect Your Website using SSH protocol!!!
You’ve finally
created your own website…mydomain.com. Nothing elaborate, just a simple way
of expressing yourself on the Internet. You would like to create a password
protected area so that you can post your resume, some pictures of your family
or your portfolio and only give access to certain people. Plus, it just looks
cool! There are many ways to accomplish this and if you have very highly sensitive
material, you may need to learn more secure methods that employ CGI script or
Java.
I consider
my first website to be a training ground and do not have any illusions that
the site is “hack-proof.” I wanted to see if I could create a simple, no frills,
password protected area on my website, and guess what I discovered?…YOU DON’T
HAVE TO BE A COMPUTER GENIUS TO…Password Protect Your Website!!!
Here’s a step-by-step
guide of what I did. ONE DISCLAIMER. I WILL BE DESCRIBING THE STEPS I TOOK
USING THE WEBHOSTING AND SOFTWARE SERVICES I HAVE CHOSEN. IF YOU HAVE DIFFERENT
BACK-END SUPPORT, YOU WILL HAVE TO ADJUST ACCORDINGLY.
My Tools:
- Windows98
- Web2010 as my
hosting company, using UNIX
- WS_FTPLE (32-bit)
for my file transfer protocol
- Dreamweaver
as my web page designing software
- SSH version
2 protocol (not the less secure TELNET) used to connect to the UNIX Shell
on Web2010's servers so I can create and modify directories and files on my
site
- PICO, a simple
text editor in SSH
Summary:
Whenever someone
types in the address of your website, your web server checks for a file named
.htaccess before displaying the page. (.htaccess has many functions other than
triggering password protection, such as enabling a counter on your website.) If
the .htaccess file is present in a protected directory AND contains the right
code, your server will pop up a box prompting the user to enter the approved
user name and password.
I did not want
to password protect the first page of my website, but I did want to create an
area where I could limit access. Although I had not yet decided what to put
in my password protected area, I wanted to create one.
Here’s what I needed
to do:
a) Create a new “protected” directory in the “www” directory on the root
directory of my account (The root directory is the first set of folders and
files that pop up when I connect to my web server. “www” is one of those directories
where all of my web pages are stored);
b) Create my “.htpasswd” file;
c) Create a “.htaccess” file. (Note the “.” before the “ht” in both!)
IMPORTANT. Using SSH to create directories and files directly on Web2010’s
UNIX servers is a lot like writing in DOS. You must type all spaces and characters
precisely;
d) REMEMBER... Files should always be named in small letters, not CAPS!
Step-by-Step:
- Create a
folder (or directory) called “protected.” First, I went to START on Windows
98, clicked on PROGRAMS then I clicked on my WS_FTP program and connected
to my remote site on Web2010’s servers. WS_FTP will display a split screen
where files on the left-hand side are within my own computer. The several
folders on the right-hand side such as cgibin, docs, logs, www, as well as
files such as .domains and .mreply.rc make up my “root directory” and show
I’ve made a successful connection to my web site. The files I want visible
to people's web browsers are in my Document Root (i.e., the “www” directory).
I opened the “www” directory and clicked MkDir (make directory.) To make
things simple for myself, I called my new directory “protected.” Of course,
it can be named whatever you want.
- Download
Free version of SSH and connect to server. If you don't already have SSH,
you can either go to www.ssh.com to purchase the protocol or go to www.tucows.com
to download a basic version of SSH as freeware; it's called PuTTY. Once SSH
is downloaded in your "my download files" on your "c"
drive (or to whatever location you chose to download), create a shortcut and
put the SSH PuTTY icon (of two computers and a lightning bolt) on your desktop.
Click on the icon and in the PuTTY configuration box that pops up, you'll
see "Session" under category on the left column. Click that and
on the right where it says "Basic Options for your Putty Session"
specify your connection by typing in your domain name (including the ".com",
but no "www") and under protocol click "SSH." Then under
"Saved Sessions" type your domain name again in the white blank
line and click "save" to save the session. Now you can click "open"
and a black screen comes up. You are connected! If the black screen does not
pop up or is "inactive", go back to your PuTTY Configuration Box
and in the lower left column under "Connection", highlight SSH.
Then, in the right column under "Preferred SSH Protocol" click Version
2 and hit "Open." Then re-enter the domain.
- Create .htpasswd
within my new “protected” folder (or directory.) Now that I had an empty
directory called “protected,” I needed to fill it with a ".htpasswd"
(note: the spelling of .htpasswd) file and a ".htaccess" file. I
had to SSH into the UNIX shell on Web2010’s server to create these files. At the
black screen that popped up (in the DOS style) after I connected using SSH,
it prompted me for my login and password. This is the same login and password
that I use to FTP Web2010. What came up was the path to my website on Web2010’s
servers: www26:/mnt/web/guide/yourdomain #. Then, to get inside the
new directory to create my files, I typed cd /mnt/web/guide/mydomain/www/protected.
(Note: space after "cd" and remember to replace "mydomain"
with your actual domain prefix only and NOT the ".com".) I then
hit ENTER. Once inside the directory, I typed in htpasswd
(no "." before the ht this time) and the screen displayed the commands
used to create the .htpasswd file. It listed off flags I could use. To create
a new .htpasswd file with a username and password, I typed htpasswd -c .htpasswd johnsmith (Note: no "."
before the first "htpasswd" and spaces before and after "-c".)
The -c is the flag which indicates that a new file needs to be created and
the first user name (for access to the protected area) I chose was johnsmith.
After hitting ENTER, I was prompted to put in a password for johnsmith and
then I confirmed that password. (Of course, you can pick any user name or
password.) After the user and password were entered, the SSH program displayed
the path to my new protected area: www26://mnt/web/guide/yourdomain/www/protected#.
To confirm my work, I typed cat .htpasswd (Note: space
before ".ht") on that same line and what came up looked like this
“johnsmith:p6Rt54c8z325sJK.”
- Create .htaccess
within my new “protected” folder (or directory.) Now that my ".htpasswd"
file had been created, it was time to set up my ".htaccess" file
in my new protected directory. On the SSH screen, the path displayed was:
www26://mnt/web/guide/yourdomain/www/protected#. On that same line
I typed pico, one of the built-in text editors that
is part of the SSH program. (You can use any text editor, such as NotePad,
but you have to remember to save it as ".txt" and change the file’s
name to .htaccess. You then can upload the file to the directory you want
protected.) I just used PICO because it was the easiest. At the white blank
screen I typed exactly what’s in the box below. OF COURSE, REPLACE YOUR DOMAIN
NAME AND PROTECTED DIRECTORY NAME WHERE INDICATED. IMPORTANT: Capitalization
and spaces matter. Hit ENTER after each line. For ease, I’ve indicated the
spaces with a “*” BUT DON’T ACTUALLY TYPE THE “*.”
AuthUserFile*/mnt/web/guide/yourdomain/www/protected/.htpasswd
AuthGroupFile*/dev/null
AuthName*"Restricted Area"
AuthType*Basic
<Limit*GET>
require*valid-user
</Limit>
After I checked
to make sure I input my actual domain name and the name of my protected directory
in the AuthUserFile above and double-checked capitalization and spaces, I hit
CTRL X on the keyboard to save the file in PICO. At the “do you want to save
this modified buffer” prompt, I typed y for yes. I named the file .htaccess and hit ENTER.
- Multiple
User Access. After creating my password protected area, I decided to
allow another user to access that directory. I ran my SSH PuTTY program
again and typed in my user name and password. My remote site came up: www26:/mnt/web/guide/yourdomain#.
I changed directories to my protected directory by typing cd
/mnt/web/guide/yourdomain/www/protected. (hit ENTER). Now inside
my password protected directory I typed htpasswd .htpasswd newuser (Note: Remember to type in the name of
your new user. Also, there is no "." before the first "ht",
but there is a "." before the second one. Also, there is a space
before ".ht") and hit ENTER. It will prompt you to give a password
for “new user” and confirm it.
- Troubleshooting.
Edit .htaccess in PICO. If your password protected area is not working,
there may be many reasons. One may be a “typo” in your ".htaccess"
file. For example, Web2010’s server path begins with /mnt not mnt.
If you think you made this mistake, go back to SSH. Call up your password
protected directory. In my case that means typing in cd
/mnt/web/guide/yourdomain/www/protected. Hit ENTER. Then type
pico .htaccess. (Note: space
before ".ht") Your .htaccess file in your password protected directory
will pop up and you can edit it and resave (CTRL X) and overwrite the old.
Another problem might be that your directory name is too long. Try to keep
the name of your password protected folder under 12 letters.
- Create index.html.
The first page displayed of any directory is “index.html.” As my final step,
I had to create an index.html page in Dreamweaver and FTP it to my newly created
“protected” directory. I connected to FTP, went into my “www” directory and
then went into my “protected” directory and then I transferred the "index.html"
file. IMPORTANT: Remember to FTP the "index.html" file to the
protected directory or it will appear as the first page of your website.
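
A check for the .htaccess file built in the steps above, as an added example that is not part of the original article. It flags two properties of the file as typed: the require line sits inside a <Limit GET> section, and the password file lives under the "www" directory. The function name, the finding labels, and the hardened sample's password-file location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article). audit_htaccess FILE DOCROOT prints one
# finding per line for a Basic-auth .htaccess and prints nothing when clean.
audit_htaccess() {
    file=$1
    docroot=${2%/}
    # A <Limit ...> wrapper applies "require" only to the methods it lists, so
    # requests made with any other method are served without a password prompt.
    if grep -Eiq '^[[:space:]]*<Limit[[:space:]]' "$file"; then
        echo "LIMIT: require is inside <Limit>; unlisted methods are unprotected"
    fi
    # Directive names are case-insensitive; take the first AuthUserFile path
    # (paths containing spaces are not handled here).
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$file")
    case $pw in
        "") echo "NOFILE: no AuthUserFile directive found" ;;
        # A password file under the document root can be fetched by a browser
        # unless the server separately refuses to serve .ht* files.
        "$docroot"/*) echo "DOCROOT: $pw is inside the document root" ;;
    esac
}

demo_dir=$(mktemp -d)

# Constructed sample 1: the box from the article, typed with real spaces.
cat > "$demo_dir/article.htaccess" <<'EOF'
AuthUserFile /mnt/web/guide/yourdomain/www/protected/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Area"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
EOF

# Constructed sample 2: same policy without <Limit>, with the password file
# one level above www (assumed writable; that location is not from the article).
cat > "$demo_dir/hardened.htaccess" <<'EOF'
AuthUserFile /mnt/web/guide/yourdomain/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user
EOF

www_root=/mnt/web/guide/yourdomain/www
audit_htaccess "$demo_dir/article.htaccess" "$www_root"
audit_htaccess "$demo_dir/hardened.htaccess" "$www_root"
```

If your host does not let you store files above "www", keep .htpasswd where it is and confirm that requesting it in a browser returns an error rather than the file.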
Copyright
© 2000-2001 Marlene Hollander. All rights reserved.