University of Oregon

Setting Up Password-Protected Directories

Audience
Faculty/Staff
Researcher
Student
GTF

This explains how to require a password for a directory in your web site that is stored on shell.uoregon.edu. It is highly technical.

   1. Setting Up a Password File
   2. Specifying Directory Access
   3. Testing the Directory Access 

If you want to restrict access to one of your web directories, the simplest way to do it is to create an .htaccess file.

Note: Although htaccess provides reasonable protection to your web pages, it does have some limitations:

  • Other savvy users who have an account on the same machine as you can potentially navigate through the file system and access your files.
  • Passwords submitted through a web browser are usually not sent in encrypted form, and thus they could possibly be intercepted.

But even with these two limitations, an htaccess file can still protect you against a wide variety of intrusions on your web files.

Setting Up a Password File

1. Make sure you are in your home directory and NOT your public_html directory. (This is a critical step, because if you put your password file in your public_html directory, then other users will have access to it.)

2. Type htpasswd -c htpasswd username

(Replace username with the username you want to use for password access. The second htpasswd is the name of the password file. We recommend using this name.)

3. When prompted, enter and verify a password.

After you do this, an htpasswd file will be created in your home directory. This will store usernames and passwords for people accessing whatever protected areas you have. You can add entries to this file later by using the following command:

 htpasswd htpasswd username

Specifying Directory Access

1. Change directories to the directory that you want to protect. For example:

cd public_html/secure_directory

2. Create a file called .htaccess in the directory that you want to protect.

pico .htaccess

It should include the following lines: 

(Note that the entries you make in this file are case sensitive and cannot include spaces, unless the entries are surrounded by quotation marks. The AuthName value below is in quotes since it is a two-word phrase.)

    AuthUserFile /home13/joeuser/htpasswd
    AuthGroupFile /dev/null
    AuthName "Joe User"
    AuthType Basic
    require user joeuser

3. The significant lines you will need to modify are:

  • The first line needs to be a full path to the htpasswd file in your directory. (If you don't know the full path of the directory you are in, you can type pwd to see the current directory.)
  • The third line (AuthName) is for defining a realm. It is NOT the username. Enter a name that describes the area or directory on your site that the user is logging into. If you set up other pages/areas with the same realm, users will not have to re-enter their password.
  • The fifth line (require user) should be changed to the username you want to require. This should correspond to the entry you set up in your htpasswd file.

4. When you are done making your changes, type Ctrl-x and then y to save the file. 

Testing the Directory Access

Now you can go to your web browser and see if your .htaccess file works.

  1. Enter a URL in your directory. For example, you could enter http://pages.uoregon.edu/username/protected_directory/index.html

      Your browser will prompt you to enter the username and password.

  2. Enter the username and password that you set up in the first part of this exercise and click OK.

If you are successful, you will see the web page you were trying to access. If you get an error message, make sure you entered the name and password correctly, and check that the .htaccess file contains the correct username in the require user line.
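The checks described in this guide can also be run from the shell before you test in a browser. The following script is an added example, not part of the original instructions: check_htaccess is a hypothetical helper name, and it assumes paths and usernames contain no spaces or quotation marks.

```shell
# check_htaccess FILE: print each problem found, return the number of problems.
# Added example (hypothetical helper); assumes no spaces or quotes in paths or usernames.
check_htaccess() {
    htaccess=$1
    problems=0
    if [ ! -r "$htaccess" ]; then
        echo "cannot read $htaccess"
        return 1
    fi

    # Apache matches directive names case-insensitively; their values are case sensitive.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$htaccess")
    users=$(awk 'tolower($1) == "require" && tolower($2) == "user" {
                     for (i = 3; i <= NF; i++) print $i }' "$htaccess")

    case $pwfile in
        "")  echo "no AuthUserFile line"; problems=$((problems + 1)) ;;
        /*)  ;;  # full path, as the first line of the file requires
        *)   echo "AuthUserFile is not a full path: $pwfile"
             problems=$((problems + 1)) ;;
    esac

    # The password file must stay outside the web-served directory tree.
    case $pwfile in
        */public_html/*) echo "password file is inside public_html: $pwfile"
                         problems=$((problems + 1)) ;;
    esac

    if [ -z "$users" ]; then
        echo "no 'require user' line"
        problems=$((problems + 1))
    fi

    if [ -n "$pwfile" ] && [ ! -r "$pwfile" ]; then
        echo "password file missing or unreadable: $pwfile"
        problems=$((problems + 1))
    elif [ -n "$pwfile" ]; then
        # Each required user needs a "username:hash" entry in the password file.
        for u in $users; do
            if ! awk -F: -v u="$u" '$1 == u { ok = 1 } END { exit !ok }' "$pwfile"; then
                echo "user $u has no entry in $pwfile"
                problems=$((problems + 1))
            fi
        done
    fi
    return "$problems"
}
```

Run it as check_htaccess public_html/secure_directory/.htaccess; a return status of 0 means every check passed.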