HTA Access
htaccess is a method of protecting the contents of a directory from unauthorized access. This method is a function of the web server software and is set up through the web server configuration files. On alamo.nmsu.edu, as with many servers using the Apache web server software, the web server is set up to look for a file named .htaccess (yes, the filename begins with a period) in a directory. Any directory on alamo that contains a file named .htaccess is considered by the web server to be protected.
There are two files necessary to protect a directory. The first file, .htaccess, is the one that tells the web server that the directory is to be protected. The second file is the file that contains the usernames and passwords for those that will be allowed access. The password file is commonly named .htpasswd but can have any name as it is referred to in the .htaccess file.
An .htaccess file is a plain text file that takes the following form:
    AuthUserFile full/path/to/password/file
    AuthName Text_to_appear_in_authentication_dialog
    AuthType Basic

    require user username
Let's look at the file format line by line. The first line begins with the keyword AuthUserFile, followed by the full path to the file that contains the list of authorized users along with their encrypted passwords. The passwords are encrypted so that if someone were to access the file, the passwords are not readable. The password file should not be in a directory accessible by the web server. I like to create a directory in my user directory called pw to keep my password files. The pw directory is not accessible to the web server because it is outside of the public_html directory that the web server can access. This would make the first line in an .htaccess file for a directory in my webspace on alamo.nmsu.edu: AuthUserFile /home/stan/pw/.htpasswd
The second line begins with the keyword, AuthName, followed by text of your choice. This text will be included in the text appearing on the authentication dialog box as shown below. In this example authentication dialog box, the text for AuthName is "OECS203" which appears as shown. 
In this example, a single word without spaces is used. Longer text containing spaces may be used if you wish, but it must be enclosed in quotes. Without quotes, only the first word (up to the first space) will appear, and all text following the space is ignored.
The third line tells which authentication type to use. Currently, there is only one type of authentication available, basic. This keyword is provided for future expansion capability. The third line should always appear exactly as typed above.
Although I follow the standard method of creating an .htaccess file by leaving a blank line before the require directive, I don't think it is strictly necessary. To be honest, I've never tried it without the blank line so if you are curious enough to try it without the blank line, please let me know if it works without it or not.
The last line in the example uses two keywords rather than just one. The two keywords in this example are require and user. This tells the web server that I am requiring authorization based upon a user name. The user name(s) authorized follow "require user". One or more usernames can follow on this line to authorize the user(s) listed access to the web pages contained within the protected directory. When more than one username is listed, separate the usernames with a space.
Authorization can also be granted through the use of "require group" instead of require user. For simplicity's sake, for this tutorial, I will keep to a discussion of only user authorization. If you wish to learn about group authorization and other more advanced authentication options, a search on Google will turn up many tutorials for .htaccess.
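The rules from the line-by-line walkthrough above can be checked mechanically. The script below is an added example, not part of the original tutorial; the function names check_htaccess, directive and bad are made up for illustration, and it knows only the "require user" form covered here.

```shell
#!/bin/sh
# Added example: audit an .htaccess file against the rules in the walkthrough.
# Function names are illustrative assumptions, not part of Apache.

# Print the arguments of the first line in file $1 whose keyword is $2
# (keywords are compared without regard to case).
directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Report one problem and count it.
bad() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# check_htaccess FILE WEBROOT
# WEBROOT is the directory the web server can read, e.g. /home/stan/public_html.
# Returns 0 when nothing is wrong, 1 otherwise. Paths are compared as text;
# symbolic links and ".." components are not resolved.
check_htaccess() {
    file=$1; webroot=${2%/}; problems=0
    pwfile=$(directive "$file" AuthUserFile)
    name=$(directive "$file" AuthName)
    type=$(directive "$file" AuthType)
    req=$(directive "$file" require)

    case $pwfile in
        "")           bad "AuthUserFile is missing" ;;
        "$webroot"/*) bad "password file is inside the web root: $pwfile" ;;
        /*)           ;;   # full path outside the web root
        *)            bad "AuthUserFile is not a full path: $pwfile" ;;
    esac
    case $name in
        "")     bad "AuthName is missing" ;;
        \"*\")  ;;         # quoted text may contain spaces
        *" "*)  bad "AuthName has spaces but no quotes: $name" ;;
    esac
    case $type in
        [Bb][Aa][Ss][Ii][Cc]) ;;
        *) bad "AuthType is not Basic: ${type:-missing}" ;;
    esac
    case $req in
        "")      bad "require line is missing" ;;
        [Uu]ser) bad "require user lists no usernames" ;;
    esac
    [ "$problems" -eq 0 ]
}
```

Run it as check_htaccess /home/stan/public_html/private/.htaccess /home/stan/public_html (the "private" directory is a made-up name); it prints one PROBLEM line per finding and returns non-zero if there is any.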
Once the .htaccess file is set up, nobody can access the pages until usernames and passwords are created. To create the password file which will contain the usernames and passwords, telnet or ssh to the server and use the htpasswd command. The htpasswd command takes the following form:
    htpasswd -c /path/to/new/htpasswd/file username
Here htpasswd is the command, followed by the option -c to create a new file using the specified path and file name, followed by a username to place into the file. Upon issuing this command, a prompt to enter a password for the given username will appear; after entering a password, a prompt to reenter the password to confirm it will appear. Of course, the path and filename must be the same path and file name given in the .htaccess file or the file will not be found and the users will not be able to authenticate to the server.
Once the first username has been placed into the file, the same command is used without the -c (create) option to add more users later. To add a user to an existing password file, use the command htpasswd /path/to/existing/htpasswd/file username and enter the password when prompted; the new username and password are then added to the file. Note that the htpasswd command is passed the location and name of the password file along with the username that is to be added to the file.
Warning! htaccess is not highly secure, being fairly simple to hack. Do not place highly sensitive information in a directory protected only by htaccess.
