Simple Password Protection for WWW Directories

Note: This assumes you know the basics of Project Vincent, including how to use an editor to create web pages, how to change into the right directories, etc. If you don't know that stuff already, then go learn it and come back to this page later. This is a very to-the-point, step-by-step process for doing simple password protection; the intent of this page is not to teach you how to use Unix or create web pages.

Steps to implement simple password protection in a WWW subdir:

1. Create the desired subdir (if it doesn't yet exist) and cd into it.

2. Change privs in the dir to give read/list privs to the user www. Note that this user is Project Vincent-specific; this is implemented differently in other systems, especially non-/afs systems. The command for this (within the protected directory) is:

       fs sa . www rl

3. Use fs la to make sure you and www (and, optionally, system admins) are the only ones with privs in that directory. If there are others (there will probably be a system:anyuser), remove those privs. For the system:anyuser example, type:

       fs sa . system:anyuser none

4. Edit a new file called .htaccess -- The layout should be something like this:

       AuthType Basic
       AuthName CHOOSE-A-NAME
       AuthUserFile /afs/iastate.edu/SOMETHING/.htpasswd
       AuthGroupFile /afs/iastate.edu/SOMETHING/.htgroup
       require group CHOOSE-A-GROUP-NAME
       require user BOB
       require user ME

   For CHOOSE-A-NAME, do that. For SOMETHING, put in the appropriate directory structure, up to the current directory. (If you don't know that directory, use pwd to find it.) GET and POST are just in caps; leave them. For CHOOSE-A-GROUP-NAME, do that, too, if you want a group name. (I actually haven't played with groups much, so you might have to toy with this and figure it out yourself. Other documentation is available if you do a search elsewhere on the web, but keep in mind Project Vincent is set up somewhat differently for the privs I've already mentioned. This part would be the same, tho.) Also put in names for any users you want. These can be upper, lower, or mixed case, and they have nothing to do with Project Vincent usernames unless you make them that way.

5. Edit a file called .htgroup if you choose to play with groups. The layout for that is something like the following; just replace the all-caps stuff with the appropriate groups and users that you are making up.

       GROUP1: USER1 USER2 USER3
       GROUP2: USER3 USER4

   add www

6. Create passwords for each of the users you made up. I'm not sure about groups, but I don't think you create passwords for them. I think being a part of a group still requires your username and password, but it could conceivably make it easier to give a group access and then just update the group list in the .htgroup file rather than messing with individual users all the time in the .htaccess file.

   To create a password for a user, use the following for the first one (the -c creates a new file):

       htpasswd -c .htpasswd JOEUSER

   For additional users, drop the -c:

       htpasswd .htpasswd BOBUSER

   When you type that, it will prompt you for a password and a second time for verification (the password won't echo on the screen). Note that it only uuencodes the password in .htpasswd, which is one of the reasons this isn't the ultimate security.

   To change a password, just use the following and it will let you enter a new one:

       htpasswd .htpasswd OLDUSER

   It assumes anyone with write access in that directory should be able to change the password, so it won't ask for the old one, which is really convenient if you forgot it.

   To delete a user/password, take the user out of the .htaccess and/or .htgroup files, and then remove the password by deleting the proper line in the .htpasswd file. Removing it from the .htpasswd file shouldn't be necessary, but if you're concerned about conserving stray bits (or, more importantly, not confusing yourself later), you can do it anyway.

7. Test it. Try logging in with correct and incorrect passwords. If something doesn't work, double-check your work.

This document is available at http://www.public.iastate.edu/~dsblack/help/passwords.html.
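
An added example, not part of the original page: a small Python check that cross-references .htaccess, .htgroup and .htpasswd to find users who are allowed in but have no password, .htpasswd entries left behind after a deletion, and groups named in a require line but never defined. The sample files, user names and hashes are constructed, and the <Limit GET POST> wrapper in the sample is an assumption about where the GET and POST mentioned in the steps appear in the file.

```python
import re
# Constructed sample files; user names, groups and hashes are made up.
HTACCESS = """AuthType Basic
AuthName Example
AuthUserFile /afs/iastate.edu/SOMETHING/.htpasswd
AuthGroupFile /afs/iastate.edu/SOMETHING/.htgroup
<Limit GET POST>
require group STAFF MISSING
require user BOB
</Limit>
"""
HTGROUP = "STAFF: ALICE CAROL\nOLD: DAVE\n"
HTPASSWD = "ALICE:PLACEHOLDERHASH\nBOB:PLACEHOLDERHASH\nDAVE:PLACEHOLDERHASH\n"

def parse_groups(text):
    """Parse .htgroup lines of the form 'GROUP: USER1 USER2'."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups[name.strip()] = set(members.split())
    return groups

def audit(htaccess, htgroup, htpasswd):
    """Cross-check the three files and return a dict of findings."""
    groups = parse_groups(htgroup)
    have_pw = {l.split(":", 1)[0].strip() for l in htpasswd.splitlines() if ":" in l}
    allowed, undefined, limited = set(), set(), set()
    for line in htaccess.splitlines():
        limit = re.match(r"\s*<Limit\s+([^>]*)>", line, re.I)
        if limit:  # require lines inside <Limit> cover only these methods
            limited |= {m.upper() for m in limit.group(1).split()}
            continue
        words = line.split()
        if len(words) < 3 or words[0].lower() != "require":
            continue
        if words[1].lower() == "user":
            allowed |= set(words[2:])
        elif words[1].lower() == "group":
            for g in words[2:]:
                allowed |= groups.get(g, set())
                if g not in groups:
                    undefined.add(g)
    return {"no_password": allowed - have_pw,     # allowed but cannot log in
            "stale_password": have_pw - allowed,  # leftover .htpasswd entries
            "undefined_groups": undefined,
            "limited_methods": limited}

if __name__ == "__main__":
    print(audit(HTACCESS, HTGROUP, HTPASSWD))
```

A leftover .htpasswd entry grants nothing by itself, but it becomes a working credential again as soon as that name is re-added to a require line or a group.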