[Chugalug] Access Control for LAMP

Mike Harrison cluon at geeklabs.com
Sat Oct 6 13:18:53 UTC 2012


> What do you see as the drawbacks of using .htaccess files for authentication?  I feel like this system addresses most of them.

If your only concern is auth, and everyone has the same levels, it works.
Just better make sure those .htaccess files don't get munged/deleted/etc..

Doing in code allows you to easily apply rules and logic to the auth, such 
as allowed ip addresses, velocity detection (blocking an IP after XX bad 
logins), blacklisting, http referrers, agents, time of use, password 
change rules, allowing users to change passwords (without shelling a 
command to update a .htaccess file that should only be writable by root),
which SSL client certificate can be used..

Doing in code also can be used to tie user attributes to those 
credentials: security levels, access to specific functions, etc...

> I agree, but I have a few services that should be accessible by http (to avoid self-signed cert errors), so I use digest auth, with some stupid
> workaround for IE6.  Works for me since I never have any reason to support IE5.x or older.

Digest auth is not encrypted, just Base64 encoded.

Self-signed cert errors are preferable to plain text. It is easy to add 
them for applications people often use. Suggestion:

Grab TinyCA2 and setup a certificate authority, use client certificates as 
one of the factors for authentication if you want to do some really fun 
stuff.

--Mike---
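As an added illustration of the "rules and logic" Mike lists above (allowed IP ranges, blocking an IP after XX bad logins, time-of-use), here is a small login gate written for this post rather than taken from it; it is in Python rather than PHP for brevity, and every network, threshold and user in it is a constructed placeholder.

```python
import hmac
import ipaddress
import time
from collections import defaultdict

# Policy knobs: constructed demo values, not from the original post.
MAX_FAILURES = 5          # lock an IP after this many bad logins ...
LOCKOUT_SECONDS = 900     # ... for this long (also the counting window)
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]
OFFICE_HOURS = range(7, 20)   # time-of-use rule: 07:00 to 19:59

# Demo credential store. Real code stores a salted password hash and
# compares the hash, never the clear-text password.
USERS = {"alice": "correct horse"}

def demo_verify(user, password):
    expected = USERS.get(user, "")
    # constant-time comparison so a mismatch does not leak timing info
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())

class LoginGate:
    def __init__(self, verify_password, now=time.time):
        self.verify_password = verify_password   # callable(user, pw) -> bool
        self.now = now                           # injectable clock for tests
        self.failures = defaultdict(list)        # ip -> timestamps of bad logins
        self.blocked_until = {}                  # ip -> unix time the block ends

    def _ip_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in ALLOWED_NETS)

    def attempt(self, ip, user, password, hour=None):
        """Returns 'ok' or a 'denied:<reason>' string for the audit log."""
        now = self.now()
        if hour is None:
            hour = time.localtime(now).tm_hour
        if not self._ip_allowed(ip):
            return "denied:ip"
        if hour not in OFFICE_HOURS:
            return "denied:time"
        # Check the lockout before touching the password at all.
        if self.blocked_until.get(ip, 0) > now:
            return "denied:locked"
        if self.verify_password(user, password):
            self.failures.pop(ip, None)          # success clears the counter
            return "ok"
        # Velocity detection: only failures inside the window count.
        recent = [t for t in self.failures[ip] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = now + LOCKOUT_SECONDS
            return "denied:locked"
        return "denied:badpw"
```

The same state would live in a database table or memcache on a real LAMP host, since separate Apache workers do not share process memory.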

