Turning on authentication in lighttpd

March 16, 2008 Andy

Some of us access our DNS-323 over the Internet and would find the need to put some form of restriction on what users should access and what they shouldn’t.

For me, I have project related folders as well as private folders such as clutch (for transmission). Hence I would like to password protect them. Only users with a valid username and password should access these protected shares.

In this example, I will setup password authentication for my clutch directory.

Some basics
There are several ways to authenticate a user. One of the ways would be using username and password authentication. Some method of authentication stores username and password in clear while some are hashed. For this guide, we need username, password and realm.

Password Generator
Create a htdigest.sh file at /mnt/HD_a2/ with the following content. Simply type vi /mnt/HD_a2/htdigest.sh, press i and paste the following text in.

#!/bin/sh
user=$1
realm=$2
pass=$3

hash=`echo -n "$user:$realm:$pass" | md5sum | cut -b -32`

echo "$user:$realm:$hash"

#!/bin/sh

user=$1

realm=$2

pass=$3

hash=`echo -n "$user:$realm:$pass" | md5sum | cut -b -32`

echo "$user:$realm:$hash"

After pasting in the above text, press <Esc>, then followed by :wq and Enter to save the file.

If you did it correctly, you should end up with a htdigest.sh file at /mnt/HD_a2/.

Generating the username and password
Let’s say we are trying to generate information for the user “clutch” with password “password” in realm “Password Protected Area”. You would generate the required information by the following command.

/ # sh /mnt/HD_a2/htdigest.sh ‘clutch’ ‘Password Protected Area’ ‘password’
clutch:Password Protected Area:98616824633db75cb8d3a63d5c0658cb

Just a note, realm is used in the process of generating the password hash.

Storing the generated password
We will store the generated information at /mnt/HD_a2/fun_plug.d/etc/lighttpdpassword

/ # echo “clutch:Password Protected Area:98616824633db75cb8d3a63d5c0658cb” >> /mnt/HD_a2/fun_plug.d/etc/lighttpdpassword

Turning on authentication for lighttpd
We would need to enable mod_auth and add in some configuration strings to enable password authentication for the /clutch/ directory. Add the following text after the server.modules chunk.

Edit lighttpd.conf at /mnt/HD_a2/fun_plug.d/etc/

auth.debug = 2
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/mnt/HD_a2/fun_plug.d/etc/lighttpdpassword"

auth.require = ( "/clutch/" =&gt;
(
"method" =&gt; "digest",
"realm" =&gt; "Password Protected Area",
"require" =&gt; "user=clutch"
)
)

auth.debug = 2

auth.backend = "htdigest"

auth.backend.htdigest.userfile = "/mnt/HD_a2/fun_plug.d/etc/lighttpdpassword"

auth.require = ( "/clutch/" =>

(

"method" => "digest",

"realm" => "Password Protected Area",

"require" => "user=clutch"

)

Save the file.

Testing it
Before you can actually use password authentication, you would need to restart your lighttpd. You can do it by calling lighttpd.sh or simply restart your DNS-323 if you had configured it to autostart.