Security

mod_authn_file User authentication using text files Base mod_authn_file.c authn_file_module Available in Apache 2.0.42 and later

This module provides authentication front-ends such as mod_auth_digest and mod_auth_basic to authenticate users by looking up users in plain text password files. Similar functionality is provided by mod_authn_dbm.

When using mod_auth_basic or mod_auth_digest, this module is invoked via the AuthBasicProvider or AuthDigestProvider with the 'file' value.

AuthName AuthType AuthBasicProvider AuthDigestProvider AuthUserFile Sets the name of a text file containing the list of users and passwords for authentication AuthUserFile file-path directory .htaccess AuthConfig

The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute (i.e., if it doesn't begin with a slash), it is treated as relative to the ServerRoot.

Each line of the user file contains a username followed by a colon, followed by the crypt() encrypted password. The behavior of multiple occurrences of the same user is undefined.

The utility htpasswd which is installed as part of the binary distribution, or which can be found in src/support, is used to maintain this password file. See the man page for more details. In short:

Create a password file 'Filename' with 'username' as the initial ID. It will prompt for the password:

htpasswd -c Filename username

Add or modify 'username2' in the password file 'Filename':

htpasswd Filename username2

Note that searching large text files is very inefficient; AuthDBMUserFile should be used instead.

Security

Make sure that the AuthUserFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients will be able to download the AuthUserFile.