Securing Virtual Directory

Discussions around the use of Apache on VMS

#1 Post by issinoho »

In order to protect a virtual directory with OpenVMS Authentication, i.e. force a challenge/response from the server to the browser before granting access, 2 things are required.

1. Include the following directive in the apache$root:[conf]httpd.conf file,

LoadModule auth_openvms_module modules/mod_auth_openvms.exe

2. Create a file called .htaccess in the root of the virtual directory and add the following to it,

AuthType Basic
AuthName "OpenVMS authentication"
AuthOpenVMSUser On
require valid-user


Remember to restart Apache after changing the conf file.

authentication

#2 Post by chris_sharman »

I haven't used vms authentication as yet, but I'm fairly hazy on the whole username/password business, and where it fits in the apache/php/mysql environment.
I take it that issuetracker & phpmyadmin are using mysql application-based protection, rather than apache-based ?

What provision is there for restricting users - I've got thousands of customer accounts in our webserver sysuaf now, used for access control by OSU HTTP_SERVER - I wouldn't want them to have phpMyAdmin access.

Is there any good overview of how it all hangs together ?

#3 Post by issinoho »

The SWS installation guide is as good a place as any, plus of course most generic Apache documents will also be relevant to SWS,

http://h71000.www7.hp.com/openvms/produ ... all_20.pdf

You're right in your assumption about the security. phpMyAdmin (AFAIK) doesn't have any built-in security (which seems nuts to me!) so unless you secure the share some other way, it's open season.

What I have done, and described below, is tell Apache that to access this share the browser must authenticate first; the method I have chosen (and there are quite a few options) is to authenticate against the SYSUAF accounts. In my case I have told it that "anyone who provides a valid VMS login can have access". If you look at the manual it is possible to make this restrictive to certain accounts and/or groups.

#4 Post by WillemGrooters »

Indeed, Mod_Auth_Vms checks against UAF, and quite rigorously. Access is granted only if NOT DISUSER AND NOT CAPTIVE AND password has not expired ("Require valid-user"). Next, RIGHTSLIST is checked when "Require group" is specified, and access is granted only if the rights identifier you specified here is granted to that user. Not granted means no access.
Both can be SSL-protected, so can be secured.

Another issue that can be handy is that "AuthName" can be set to any text, so you can direct your users to what username/password they have to use. Handy if you host multiple sites (as I do). Or prove that "IIS is safe" :twisted:

#5 Post by Arvid Elstrodt »

Hi,

As I just wrote in another (my first) post on this forum, I am a complete newbie on OpenVMS, so forgive me my ignorance.

Yesterday night I tried the method described here, but it seemed that OpenVMS (8.2 with ODS-5) doesn't accept ".htaccess" as a filename ?
I know I can configure Apache to take something else than ".htaccess", but I would like to stick as much with things I have already learned on other platforms.

What am I missing ?

#6 Post by issinoho »

Arvid Elstrodt wrote:
it seemed that OpenVMS (8.2 with ODS-5) doesn't accept ".htaccess" as a filename ?
This is a perfectly acceptable filename in ODS-5, however make sure you have the following in your login.com,

$ SET PROC/PARSE=EXTEND

#7 Post by Arvid Elstrodt »

Hi,

Thanks again, it works !

At first I didn't succeed, as I was trying to rename a file "hello.txt" or so to ".txt", and variations of that, but without success.

Then I simply tried "$CREATE .TXT" and it worked flawlessly.

I'm sooooo new to VMS :oops:

#8 Post by issinoho »

No problem. Feel free to post anything here no matter how dumb you may think it is - we all had to start sometime, right! 8)

#9 Post by Arvid Elstrodt »

Thanks, I appreciate that !

#10 Post by WillemGrooters »

Arvid Elstrodt wrote:
I know I can configure Apache to take something else than ".htaccess", but I would like to stick as much with things I have already learned on other platforms.
As a seasoned VMS user (you know :D ) I'd say: don't. VMS's way of securing - one of the very best - is built-in when you use MOD_AUTH_OPENVMS. It checks against the SYSTEM that cannot be accessed (unless explicitly intended), not just the username (you can use "require valid-user" which will check against SYSUAF) but also against required identifiers (that need to be specified here). If username not valid, password expired or captive account, or miss a specified identifier, and you have no access. This also can be done against a full directory tree and frees the server from accessing each(!) .htaccess file (see the Apache documentation, it warns AGAINST usage of .htaccess, just because of that).
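
Added example, not part of the thread or of the SWS documentation: the protection from post #1 set in httpd.conf instead of .htaccess, as post #10 suggests, plus a second block limited to holders of one rights identifier as described in post #4. The directory paths, the identifier WEB_ADMIN and the AuthOpenVMSGroup directive name are assumptions, and SSLRequireSSL assumes mod_ssl is loaded.

```apache
# httpd.conf fragment (constructed example; paths and identifier are hypothetical)
LoadModule auth_openvms_module modules/mod_auth_openvms.exe

# Area open to any SYSUAF account that passes the module's checks
# (not DISUSER, not CAPTIVE, password not expired).
<Directory "/apache$root/htdocs/private">
    # Directives live here, so the server never reads .htaccess in this tree.
    AllowOverride None
    # Basic authentication only base64-encodes the VMS password,
    # so refuse requests that do not arrive over SSL.
    SSLRequireSSL
    AuthType Basic
    AuthName "OpenVMS authentication"
    AuthOpenVMSUser On
    require valid-user
</Directory>

# Administrative application: a valid login is not enough when SYSUAF also
# holds customer accounts. Only users granted the rights identifier get in.
<Directory "/apache$root/htdocs/phpmyadmin">
    AllowOverride None
    SSLRequireSSL
    AuthType Basic
    # AuthName is free text shown in the browser prompt.
    AuthName "OpenVMS authentication - administrators only"
    AuthOpenVMSUser On
    # Assumed directive name for switching on the RIGHTSLIST check;
    # confirm it in the SWS guide for your version.
    AuthOpenVMSGroup On
    # WEB_ADMIN is a hypothetical rights identifier.
    require group WEB_ADMIN
</Directory>
```

Restart Apache after the change, then confirm that an account without the identifier is refused on the second path and that a plain-HTTP request to either path is rejected.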

#11 Post by Arvid Elstrodt »

Hi Willem,

It's already done, try /admin on my homepage URL :wink:

Cheers,

Arvid