Securing Virtual Directory

Discussions around the use of Apache on VMS
Post Reply
Message
Author
User avatar
issinoho
Site Admin
Posts: 197
Joined: Tue Feb 01, 2005 12:53 am
Location: Scotland
Contact:

Securing Virtual Directory

#1 Post by issinoho »

In order to protect a virtual directory with OpenVMS Authentication, i.e. force a challenge/response from the server to the browser before granting access, 2 things are required.

1. Include the following directive in the apache$root:[conf]httpd.conf file,

LoadModule auth_openvms_module modules/mod_auth_openvms.exe

2. Create a file called .htaccess in the root of the virtual directory and add the following to it,

AuthType Basic
AuthName "OpenVMS authentication"
AuthOpenVMSUser On
require valid-user


Remeber to restart Apache after changing the conf file.

chris_sharman

authentication

#2 Post by chris_sharman »

I haven't used vms authentication as yet, but I'm fairly hazy on the whole username/password business, and where it fits in the apache/php/mysql environment.
I take it that issuetracker & phpmyadmin are using mysql application-based protection, rather than apache-based ?

What provision is there for restricting users - I've got thousands of customer accounts in our webserver sysuaf now, used for access control by OSU HTTP_SERVER - I wouldn't want them to have phpMyAdmin access.

Is there any good overview of how it all hangs together ?

User avatar
issinoho
Site Admin
Posts: 197
Joined: Tue Feb 01, 2005 12:53 am
Location: Scotland
Contact:

#3 Post by issinoho »

The SWS installation guide is as good a place as any, plus of course most generic Apache documents will also be relevant to SWS,

http://h71000.www7.hp.com/openvms/produ ... all_20.pdf

You're right in your assumption about the security. phpMyAdmin (AFAIK) doesn't have any built-in security (which seems nuts to me!) so unless you secure the share some other way, it's open season.

What I have done, and described below, is tell Apache that to access this share the browser must authenticate first; the method I have chosen (and there are quite a few options) is to authenticate against the SYSUAF accounts. In my case I have told it that "anyone who provides a valid VMS login can have access". If you look at the manual it is possible to make this restrictive to certain accounts and/or groups.

User avatar
WillemGrooters
VMS Guru
Posts: 59
Joined: Wed Jul 20, 2005 10:17 am
Location: Netherlands
Contact:

#4 Post by WillemGrooters »

Indeed, Mod_Auth_Vms checks against UAF, and quite rigoroursly. Access is granted only if NOT DISUSER AND NOT CAPTIVE AND password has not expired ("Require valid-user"). Next, RIGHTSLIST is checked when "Require group" is specified, and access is granted only if the rights identifier you specified here, is granted to that user. Not granted means no acess.
Both can be SSL-protected, so can be secured.

Another issue that can be handy is that "AuthName" can be set to any text, so you can direct your users to what username/password they have to use. handy if you host multiple sites (as I do). Or prove that "IIS is safe" :twisted:

User avatar
Arvid Elstrodt
$ HELP
Posts: 15
Joined: Tue Jan 10, 2006 7:19 pm
Location: Amersfoort, The Netherlands
Contact:

#5 Post by Arvid Elstrodt »

Hi,

As I just wrote in another (my first) post on this forum, I am a complete newbie on OpenVMS, so forgive me my ignorance.

Yesterday night I tried the method described here, but it seemed that OpenVMS (8.2 with ODS-5) doesn't accept ".htaccess" as a filename ?
I know I can configure Apache to take something else than ".htaccess", but I would like to stick as much with things I have already learned on other platforms.

What am I missing ?

User avatar
issinoho
Site Admin
Posts: 197
Joined: Tue Feb 01, 2005 12:53 am
Location: Scotland
Contact:

#6 Post by issinoho »

it seemed that OpenVMS (8.2 with ODS-5) doesn't accept ".htaccess" as a filename ?
This is a perfectly acceptable filename in ODS-5, however make sure you have the following in your login.com,

$ SET PROC/PARSE=EXTEND

User avatar
Arvid Elstrodt
$ HELP
Posts: 15
Joined: Tue Jan 10, 2006 7:19 pm
Location: Amersfoort, The Netherlands
Contact:

#7 Post by Arvid Elstrodt »

Hi,

Thanks again, it works !

At first I didn't succeed, as I was trying to rename a file "hello.txt" or so to ".txt", and variations of that, but without success.

Then I simple tried "$CREATE .TXT" and it worked flawlessly.

I'm sooooo new to VMS :oops:

User avatar
issinoho
Site Admin
Posts: 197
Joined: Tue Feb 01, 2005 12:53 am
Location: Scotland
Contact:

#8 Post by issinoho »

No problem. Feel free to post anything here no matter how dumb you may think it is - we all had to start sometime, right! 8)

User avatar
Arvid Elstrodt
$ HELP
Posts: 15
Joined: Tue Jan 10, 2006 7:19 pm
Location: Amersfoort, The Netherlands
Contact:

#9 Post by Arvid Elstrodt »

Thanks, I appreciate that !

User avatar
WillemGrooters
VMS Guru
Posts: 59
Joined: Wed Jul 20, 2005 10:17 am
Location: Netherlands
Contact:

#10 Post by WillemGrooters »

Arvid Elstrodt wrote:
I know I can configure Apache to take something else than ".htaccess", but I would like to stick as much with things I have already learned on other platforms.
As a seasoned VMS user (you know :D ) I'd say: don't. VMS's way of securing - one of the very best - is built-in when you use MOD_AUTH_OPENVMS. It checks against the SYSTEM that cannot be accessed (unless explicitly intended), not just the username (you can use "require valid-user" which will check against SYSUAF) but aldo against required identifiers (that need to be specified here). If username not valid, password expired or captive account, or miss a specified identifier, and you have no access. This also can be done against a fulkl directory tree and frees the server from accessing each(!) .htaccess file (see the Apache documentation, it warns AGAINST usage of .htaccess, just because of that).

User avatar
Arvid Elstrodt
$ HELP
Posts: 15
Joined: Tue Jan 10, 2006 7:19 pm
Location: Amersfoort, The Netherlands
Contact:

#11 Post by Arvid Elstrodt »

Hi Willem,

It's already done, try /admin on my homepage URL :wink:

Cheers,

Arvid

Post Reply