Authentication via .htaccess and .htpasswd

Linux and Unix-Like UNIX and Linux Applications
1

I've created .htaccess and use htpasswd comand to create .htpasswd

Now when I try to access my protected area I still have loging panel.
I checked apache error log lile and found that there is some problem with mismatch password.

I use Apache 2.2 .22
Is there some erron in creating password via htpasswd?

2

Check to make sure your password files, etc are readable to the apache user. What are their permissions?

Please show exactly what you did. Obscure the passwords of course but we need to see your htaccess and the commands you ran and the parameters you used.

3

.htaccess file:

########## Start - Sekcja Uwierzytelnienie
AuthUserFile /var/auth/user/.htpasswd
## gdy nie stworzono pliku opisu grup umiesc
AuthGroupFile /dev/null
## albo - jesli stworzono plik opisu grup - odkomentuj i umiesc
#AuthGroupFile /var/auth/user/.htgroups    #jesli stworzono
AuthName "Obszar chroniony"
AuthType Basic
# uzyj linii ponizej gdy jest plik opisu grupy admini (nazwa przykladowa)
require group admini
# albo zakomentuj linie powyzej a odkomentuj i uzyj ponizszej, gdy brak pliku o$
Require valid-user
########## Koniec - Sekcja Uwierzytelnienie

.htpasswd file in /var/auth/user/ (permissions 777):

user:$apr1$e.4GXdmp$Ff10Y8xP9Lp6VggoTLv7d/
user1:$apr1$X0x0/Qks$fTY.rIBDYQY4jEF8aOHCJ0
mike:$apr1$jHqiogO8$E5T1R7vTBS2Ug7hwBtGNi1
user3:$apr1$nPWaEZC5$c8Ge.kXTySKjYwl8YT83C1
user4:$apr1$FWEXpoO8$yL0xnwkwoS4lpV4MgCxQp1

To add users to .htpasswd file I use:

htpasswd -b .htpasswd username password

And when I try get to protected folder I get:

[Mon Dec 15 14:11:51 2014] [error] [client 192.168.200.15] user user: authentication failure for "/~user/private_html": Password Mismatch
[Mon Dec 15 14:11:56 2014] [error] [client 192.168.200.15] user user: authentication failure for "/~user/private_html": Password Mismatch
4

777 is not the magic sledgehammer to solve all permissions problems. Things often refuse to use password files set 777, because a world-writable password file is simply dangerous.

Try setting it to more sensible permissions like 644 or 640.

5

You have "require group admini", but your authgroupfile is /dev/null. Give it an authgroupfile, or remove "require group admini".

6

Changed .htaccess to :

########## Start - Sekcja Uwierzytelnienie
AuthUserFile /var/auth/user/.htpasswd
## gdy nie stworzono pliku opisu grup umiesc
#AuthGroupFile /dev/null
## albo - jesli stworzono plik opisu grup - odkomentuj i umiesc
#AuthGroupFile /var/auth/user/.htgroups    #jesli stworzono
AuthName "Obszar chroniony"
AuthType Basic
# uzyj linii ponizej gdy jest plik opisu grupy admini (nazwa przykladowa)
require group admini
# albo zakomentuj linie powyzej a odkomentuj i uzyj ponizszej, gdy brak pliku o$
Require valid-user
########## Koniec - Sekcja Uwierzytelnienie

Set permission for .htpasswd to 644.

Stil get:

[Tue Dec 16 17:53:59 2014] [error] [client 192.168.200.16] user user: authentication failure for "/~user/private_html": Password Mismatch
[Tue Dec 16 17:54:05 2014] [error] [client 192.168.200.16] user user: authentication failure for "/~user/private_html": Password Mismatch

I found that:

.htaccess - Apache 2.4 "..authentication failure..:Password Mismatch" - Stack Overflow

But I have Apache 2.2.22

7

Okay, so you're giving it no group file at all, and still asking that it require a valid group. Comment out this line:

# require group admini
8

Now .htaccess is:

########## Start - Sekcja Uwierzytelnienie
AuthUserFile /var/auth/user/.htpasswd
## gdy nie stworzono pliku opisu grup umiesc
#AuthGroupFile /dev/null
## albo - jesli stworzono plik opisu grup - odkomentuj i umiesc
#AuthGroupFile /var/auth/user/.htgroups    #jesli stworzono
AuthName "Obszar chroniony"
AuthType Basic
# uzyj linii ponizej gdy jest plik opisu grupy admini (nazwa przykladowa)
#require group admini
# albo zakomentuj linie powyzej a odkomentuj i uzyj ponizszej, gdy brak pliku o$
Require valid-user
########## Koniec - Sekcja Uwierzytelnienie

Still get:

[Tue Dec 16 20:14:44 2014] [error] [client 192.168.200.17] user user: authentication failure for "/~user/private_html": Password Mismatch
9

Is apache allowed to read /var/auth/user ? What if you put the auth files inside public_html ?

10

I moved .htpasswd to private_html where .htaccess is.

Still get:

[Tue Dec 16 20:54:49 2014] [error] [client 192.168.200.17] user user: authentication failure for "/~user/private_html": Password Mismatch

How to check apache has permission to my folder?

11

If you disable the password, can you get to the files?

12

What do You mean "disable password"?

13

If you remove the htaccess, are the files accessible?

14

Yes, it is.

15

I just had another idea.

What character set are you using in the terminal, and what character set are you using in the webpage? A password from one character set might not match the hash of a password given in another character set. Make sure they agree.

16

How can I do that?

17

Try echo $LOCALE. It may also depend on your distribution.

18

At least on OS X, the command:

echo $LOCALE

produces an empty line.

The standard way to determine the current locale settings is:

locale

And to see if your environment has any variables set that override your system's default locale:

set | grep -e '^LANG=' -e '^LC_'
19

I run:

set | grep -e '^LANG=' -e '^LC_'

and I got:

LANG=pl_PL.UTF-8
20

OK. So when you're logged in, you're set up to use a UTF-8 codeset and using a locale providing conventions used in Poland.

Now, what character set and locale conventions are being used by your website?