YOU DON’T HAVE TO BE A COMPUTER GENIUS TO...
Password Protect Your Website using SSH protocol!!!


You’ve finally created your own website…mydomain.com.  Nothing elaborate, just a simple way of expressing yourself on the Internet. You would like to create a password protected area so that you can post your resume, some pictures of your family or your portfolio and only give access to certain people. Plus, it just looks cool! There are many ways to accomplish this and if you have very highly sensitive material, you may need to learn more secure methods that employ CGI script or Java. 

I consider my first website to be a training ground and do not have any illusions that the site is “hack-proof.”  I wanted to see if I could create a simple, no frills, password protected area on my website, and guess what I discovered?…YOU DON’T HAVE TO BE A COMPUTER GENIUS TO…Password Protect Your Website!!! 

Here’s a step-by-step guide of what I did.  ONE DISCLAIMER.  I WILL BE DESCRIBING THE STEPS I TOOK USING THE WEBHOSTING AND SOFTWARE SERVICES I HAVE CHOSEN.  IF YOU HAVE DIFFERENT BACK-END SUPPORT, YOU WILL HAVE TO ADJUST ACCORDINGLY.

My Tools:

  1. Windows98
  2. Web2010 as my hosting company, using UNIX
  3. WS_FTPLE (32-bit) for my file transfer protocol
  4. Dreamweaver as my web page designing software
  5. SSH version 2 protocol (not the less secure TELNET) used to connect to the UNIX Shell on Web2010's servers so I can create and modify directories and files on my site
  6. PICO, a simple text editor in SSH

Summary:

Whenever someone types in the address of your website, your web server checks for a file named .htaccess before displaying the page.  (.htaccess has many functions other than triggering password protection, such as enabling a counter on your website.)  If the .htaccess file is present in a protected directory AND contains the right code, your server will pop up a box prompting the user to enter the approved user name and password.

I did not want to password protect the first page of my website, but I did want to create an area where I could limit access.  Although I had not yet decided what to put in my password protected area, I wanted to create one.

Here’s what I needed to do:

a)      Create a new “protected” directory in the “www” directory on the root directory of my account (The root directory is the first set of folders and files that pop up when I connect to my web server.  “www” is one of those directories where all of my web pages are stored); 

b)      Create my “.htpasswd” file;

c)      Create a “.htaccess” file.  (Note the “.” before the “ht” in both!)    IMPORTANT.  Using SSH to create directories and files directly on Web2010’s UNIX servers is a lot like writing in DOS.  You must type all spaces and characters precisely;

d) REMEMBER...Files should always be named in small letters, not CAPS!

Step-by-Step:

  1. Create a folder (or directory) called “protected.”  First, I went to START on Windows 98, clicked on PROGRAMS then I clicked on my WS_FTP program and connected to my remote site on Web2010’s servers.  WS_FTP will display a split screen where files on the left-hand side are within my own computer. The several folders on the right-hand side such as cgibin, docs, logs, www, as well as files such as .domains and .mreply.rc make up my “root directory” and show I’ve made a successful connection to my web site.  The files I want visible to people's web browsers are in my Document Root (i.e., the “www” directory).  I opened the “www” directory and clicked MkDir (make directory.)  To make things simple for myself, I called my new directory “protected.”  Of course, it can be named whatever you want.
  1. Download Free version of SSH and connect to server. If you don't already have SSH, you can either go to www.ssh.com to purchase the protocol or go to www.tucows.com to download a basic version of SSH as freeware; it's called PUTTY. Once SSH is downloaded in your "my download files" on your "c" drive (or to whatever location you chose to download), create a shortcut and put the SSH Putty icon (of two computers and a lightning bolt) on your desktop. Click on the icon and in the Putty configuration box that pops up, you'll see "Session" under category on the left column. Click that and on the right where it says "Basic Options for your Putty Session" specify your connection by typing in your domain name (including the ".com", but no "www") and under protocol click "SSH." Then under "Saved Sessions" type your domain name again in the white blank line and click "save" to save the session. Now you can click "open" and a black screen comes up. You are connected! If the black screen does not pop up or is "inactive", go back to your Putty Configuration Box and in the lower left column under "Connection", highlight SSH. Then, in the right column under "Preferred SSH Protocol" click Version 2 and hit "Open." Then reinput the domain.

  2. Create .htpasswd within my new “protected” folder (or directory.)  Now that I had an empty directory called “protected,” I needed to fill it with a ".htpasswd" (note: the spelling of .htpasswd) file and a ".htaccess" file.  I had to SSH into the UNIX shell on Web2010’s server to create these files.  At the black screen that popped up (in the DOS style) after I connected using SSH, it prompted me for my login and password.  This is the same login and password that I use to FTP Web2010.  What came up was the path to my website on Web2010’s servers:  www26:/mnt/web/guide/yourdomain #.  Then, to get inside the new directory to create my files, I typed  cd  /mnt/web/guide/mydomain/www/protected.  (Note: space after "cd" and remember to replace "mydomain" with your actual domain prefix only and NOT the ".com".) I then hit ENTER.  Once inside the directory, I typed in htpasswd (no "." before the ht this time) and the screen displayed the commands used to create the .htpasswd file.  It listed off flags I could use.  To create a new .htpasswd file with a username and password, I typed htpasswd -c .htpasswd johnsmith  (Note: no "." before the first "htpasswd" and spaces before and after "-c".)  The -c is the flag which indicates that a new file needs to be created and the first user name (for access to the protected area) I chose was johnsmith.  After hitting ENTER, I was prompted to put in a password for johnsmith and then I confirmed that password.  (Of course, you can pick any user name or password.)  After the user and password were entered, the SSH program displayed the path to my new protected area: www26://mnt/web/guide/yourdomain/www/protected#.  To confirm my work, I typed cat .htpasswd  (Note: space before ".ht") on that same line and what came up looked like this “johnsmith:p6Rt54c8z325sJK.”
  1. Create .htaccess within my new “protected” folder (or directory.) Now that my ".htpasswd" file had been created, it was time to set up my ".htaccess" file in my new protected directory.  On the SSH screen, the path displayed was: www26://mnt/web/guide/yourdomain/www/protected#.  On that same line I typed pico, one of the built-in text editors that is part of the SSH program.  (You can use any text editor, such as NotePad, but you have to remember to save it as ".txt" and change the file’s name to .htaccess.  You then can upload the file to the directory you want protected.)  I just used PICO because it was the easiest.  At the white blank screen I typed exactly what’s in the box below.  OF COURSE, REPLACE YOUR DOMAIN NAME AND PROTECTED DIRECTORY NAME WHERE INDICATED.  IMPORTANT:  Capitalization and spaces matter.  Hit ENTER after each line.  For ease, I’ve indicated the spaces with a “*” BUT DON’T ACTUALLY TYPE THE “*.” 

AuthUserFile*/mnt/web/guide/yourdomain/www/protected/.htpasswd

AuthGroupFile*/dev/null

AuthName*"Restricted Area"

AuthType*Basic

<Limit*GET>

require*valid-user

</Limit>


After I checked to make sure I input my actual domain name and the name of my protected directory in the AuthUserFile above and double-checked capitalization and spaces I hit CTRL X on the keyboard to save the file in PICO.  At the “do you want to save this modified buffer” prompt, I typed y for yes.  I named the file .htaccess and hit ENTER. 

  1. Multiple User Access. After creating my password protected area, I decided to allow another user to access that directory.  I ran my SSH PUTTY protocol again.  Typed in my user name and password.  My remote site came up:  www26:/mnt/web/guide/yourdomain#.   I changed directories to my protected directory by typing cd /mnt/web/guide/yourdomain/www/protected.  (hit ENTER).  Now inside my password protected directory I typed htpasswd .htpasswd newuser  (Note: Remember to type in the name of your new user. Also, there is no "." before the first "ht", but there is a "." before the second one.  Also, there is a space before ".ht") and hit ENTER.  It will prompt you to give a password for “new user” and confirm it.
  1. Troubleshooting.  Edit .htaccess in PICO. If your password protected area is not working, there may be many reasons.  One may be a “typo” in your ".htaccess" file.  For example, Web2010’s server address begins with /mnt not mnt.  If you think you made this mistake, go back to SSH.  Call up your password protected directory.  In my case that means typing in cd /mnt/web/guide/yourdomain/www/protected.  Hit ENTER.  Then type pico .htaccess.  (Note: space before ".ht")  Your .htaccess file in your password protected directory will pop up and you can edit it and resave (CTRL X) and overwrite the old. Another problem might be that your directory name is too long. Try to keep the name of your password protected folder under 12 letters.
  1. Create index.html. The first page displayed of any directory is “index.html.”  As my final step, I had to create an index.html page in Dreamweaver and FTP it to my newly created “protected” directory.  I connected to FTP, went into my “www” directory and then went into my “protected” directory and then I transferred the "index.html" file.  IMPORTANT:   Remember to FTP the "index.html" file to the protected directory or it will appear as the first page of your website.
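
A check for two weaknesses in the .htaccess built in the steps above, as an added example that is not part of the original article: directives inside `<Limit GET>` apply only to the listed method, so requests using other methods are not asked for a password, and the .htpasswd file sits inside the web-served "www" tree. The function name, the finding codes and the "private" directory are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample: the article's .htaccess with real spaces in place of "*".
PAGE_HTACCESS = """\
AuthUserFile /mnt/web/guide/yourdomain/www/protected/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Area"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
"""
# Assumed variant: password file in a hypothetical "private" directory beside
# "www" (outside the Document Root), and no <Limit>, so all methods are covered.
HARDENED_HTACCESS = """\
AuthUserFile /mnt/web/guide/yourdomain/private/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user
"""

def audit_htaccess(text, docroot):
    """Return finding codes for one .htaccess file, in the order found."""
    findings, limit_methods, require_seen = [], None, False
    docroot = posixpath.normpath(docroot)
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if opened:  # directives inside apply only to the listed methods
            limit_methods = opened.group(1).upper().split()
        elif re.match(r"</Limit>$", line, re.I):
            limit_methods = None
        else:
            name, arg = (line.split(None, 1) + ["", ""])[:2]
            if name.lower() == "authuserfile":
                path = posixpath.normpath(arg.strip().strip('"'))
                if path.startswith(docroot + "/"):  # inside the web-served tree
                    findings.append("PASSWORD_FILE_IN_DOCROOT")
            elif name.lower() == "require":
                require_seen = True
                if limit_methods is not None:
                    findings.append("REQUIRE_ONLY_FOR_" + "_".join(limit_methods))
    if not require_seen:
        findings.append("NO_REQUIRE")
    return findings

if __name__ == "__main__":
    for label, conf in (("page", PAGE_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        print(label, audit_htaccess(conf, "/mnt/web/guide/yourdomain/www"))
```

Whether a .htpasswd file inside the Document Root can actually be downloaded depends on the host's server configuration, so the first finding is a prompt to check rather than proof of exposure.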

Copyright © 2000-2001 Marlene Hollander.  All rights reserved.