[NTLUG:Discuss] No login challenge
Ted
ted at KI5U.net
Wed Dec 31 01:19:22 CST 2003
Hi Patrick. Sorry for the incomplete description. After turning on
security by adding the below:
AuthName "Restricted Site"
AuthType Basic
AuthUserFile /var/www/SitePsw/password
require user Ted
I receive the following message rather than a login screen.
Authorization Required
This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password),
or your browser doesn't understand how to supply the credentials required.
I close the browser and reopen it for each test.
Changing to "Require valid-user... same message
Deleting the .htaccess file... same message
Here's the last entries from access_log:
66.12.9.126 - - [30/Dec/2003:14:17:23 -0600] "GET / HTTP/1.1" 401 474 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR
1.1.4322)"
No entry in error_log other than startup info:
Password file:
Ted:dBql5q9bWj6s
Bob:l3HOg/9yCa8Q
root:0eH9mPbB6MY
And as jack pointed out, I do have a ScriptAlias /cgi-bin/
"/var/www/cgi-bin/" statement elsewhere. I wonder if I need to move it to
within the file definition. I guess the bottom line is that the response
isn't the correct one to trigger a login window in the client browser.
Thanks to all for the help.
Ted
At 01:08 PM 12/30/2003 -0700, Patrick R. Michaud wrote:
>Keep in mind that you'll only be prompted for a username and password once
>per browser session; i.e., once the browser has authenticated once, you
>won't be prompted for a username/password again until the browser is closed,
>the realm name is changed on the server, or the username/password changes
>on the server.
>
>Can you send me a copy of /var/www/SitePsw/password to look at?
>
>Have you tried it using "require valid-user" instead of "require user Ted"?
>
>A reboot should not be required for a simple change of httpd.conf--
>simply reloading the server should work. Under Red Hat you should
>be able to do /sbin/service httpd restart.
>
>Also, just to remove another variable, you might try it without
>any .htaccess file whatsoever (as opposed to a blank one). Apache
>sometimes aborts a request if .htaccess exists but Apache is unable to
>read/process it.
>
>You could also look at the access_log and error_log files to see what's
>happening when you're accessing the files that are supposed to be
>protected.
>
>Finally, when you say "doesn't work", I'm assuming that you're getting
>access to the pages without being prompted for a password, as opposed to
>receiving some other error.
>
>Pm
>
>
>On Tue, Dec 30, 2003 at 01:35:34PM -0600, Ted wrote:
> >
> > Thanks Patrick. Here's what I started with in the filespec.
> > <.htaccess> blank. Did not work.
> > <Directory "/var/www/cgi-bin">
> > AllowOverride All
> > AllowOverride AuthConfig
> > AuthName "Restricted Site"
> > AuthType Basic
> > AuthUserFile /var/www/SitePsw/password
> > require user Ted
> > Options ExecCGI Includes FollowSymLinks Indexes MultiViews
> > AddHandler cgi-script cgi pl
> > Allow from all
> > Order allow,deny
> > </Directory>
> > Then I tried the below using both .htaccess and file specs. Still
> > does not work.
> > <.htaccess contents>
> > AuthType Basic
> > AuthName "Restricted Site"
> > AuthUserFile /var/www/SitePsw/password
> > Require user Ted
> > <Apache.conf contents>
> > <Directory "/var/www/cgi-bin">
> > AllowOverride AuthConfig
> > Options ExecCGI Includes FollowSymLinks Indexes MultiViews
> > AddHandler cgi-script cgi pl
> > Order allow,deny
> > </Directory>
> > My understanding is that the Apache server should issue a 401, to
> > which the browser responds with a logon box (I'm using IE6). There
> > must be some other Apache.conf setting that is wrong. I need to trap
> > the transactions I suppose.
> > Another thing I've noticed is that when switching from non-secure to
> > secure environment, a httpd restart isn't sufficient. A reboot
> > appears to be required. Perhaps this is an indication of the problem.
> > At 09:31 AM 12/30/2003 -0700, you wrote:
> >
> > Ted-
> > At minimum you need the following apache directives in order to
> > turn
> > on authentication:
> > AuthType Basic
> > AuthName "My Realm"
> > AuthUserFile /full/path/to/password_file
> > Require valid-user
> > These can go in either a <Directory> section or in a .htaccess
> > file.
> > If in a .htaccess file, you have to make sure that the httpd.conf
> > file
> > specifies "AllowOverride AuthConfig" for the directory containing
> > the
> > htaccess file. However, I'd recommend getting it to work within
> > the
> > httpd.conf file before trying the .htaccess. Also, it's worth
> > remembering
> > that you have to restart the webserver after making any changes to
> > httpd.conf (I often forget to do this step).
> > Pm
> > On Tue, Dec 30, 2003 at 04:34:41AM -0600, Ted wrote:
> > > Hello to the group.
> > >
> > > I'm running Apache 2.0.40 on Red Hat 2.4.18-14. I've established
> > a
> > > perl-based web site that runs fine. When I turn on security by
> > adding
> > > Authentication per Apache 2.0 documentation, I cannot get Apache
> > to issue a
> > > login challenge window. I've tried the placing commands in both
> > the
> > > <directory format in httpd.conf and using .htaccess. Help would
> > be
> > > appreciated.
> > >
> > > Thanks,
> > >
> > > Ted
> > >
> > >
> > > _______________________________________________
> > > [1]https://ntlug.org/mailman/listinfo/discuss
> >
> > References
> >
> > 1. https://ntlug.org/mailman/listinfo/discuss
More information about the Discuss
mailing list