Basic Authentication using DBM based storage

This section configures Apache HTTP Server for Basic Authentication with a DBM database as the authentication store. Make sure to read Setting up Authentication and Authorization before proceeding.

Flatfile based storage stores usernames and passwords in a plaintext file. Every time a user is verified, a request is made to the server, so as the number of user entries increases, verification slows down in proportion to the size of the password file. This is because the server has to open the password file and go down the list of users until it reaches the required one, and it has to do this on every request. So there is a practical limit to how many users can be put in a password file. This limit varies with the performance of a particular server, but slowdowns are expected once we get above a few hundred entries.

A solution to this is to store usernames and passwords in a database. Apache HTTP Server currently supports the DBM databases Berkeley DB 2, NDBM, GDBM and SDBM.
Apache HTTP Server provides the utilities dbmmanage and htdbm for creating and managing DBM authentication databases that use Basic HTTP authentication.
There are a number of different DBM file formats in existence, and each library uses its own. dbmmanage/htdbm currently has no way of determining what type of DBM file it is looking at. If used against the wrong format, dbmmanage/htdbm may simply return nothing, may create a different DBM file with a different name, or at worst may corrupt the DBM file if we were attempting to write into it.
We can use the file utility supplied with most Linux/Unix systems to see what format a DBM file is in.
EXAMPLE: # file testfile.dbm

dbmmanage/htdbm prefers the Berkeley DB 2 file format. This is because the order in which dbmmanage/htdbm looks for system libraries is Berkeley DB 2, NDBM, GDBM and SDBM. The first library found is the one dbmmanage/htdbm will use for all DBM file transactions.
This format preference is made possible by the @AnyDBM::ISA array near the beginning of dbmmanage/htdbm. This ordering is slightly different from the standard @AnyDBM::ISA ordering in Perl, as well as from the ordering used by the simple dbmopen() call in Perl. So if we use any other utilities to manage our DBM files, they must also follow this preference ordering.
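The file utility check above can be scripted so that a DBM file is classified before dbmmanage or htdbm is ever pointed at it. The following is an added example, not code from the Apache documentation: it reads the magic number at offset 0 (GDBM, Berkeley DB 1.85) and offset 12 (Berkeley DB 2 and later) using the same magic values the file(1) database uses, and refuses to proceed when the family is not the one expected. SDBM and NDBM files carry no magic number and are reported as unknown; the function names dbm_format and require_format are this example's own.

```shell
#!/bin/sh
# Added example (not from the Apache documentation): identify a DBM file's
# on-disk family from its magic number before handing it to dbmmanage or
# htdbm, which cannot tell formats apart and may corrupt a file of the
# wrong one. Magic values are those used by file(1) for GDBM and Berkeley DB;
# SDBM and NDBM carry no magic and are reported as "unknown".

# hex4 FILE OFFSET: print 4 bytes at OFFSET as lowercase hex digits
# (empty or short when the file ends before OFFSET+4).
hex4() {
    od -An -tx1 -j "$2" -N 4 "$1" 2>/dev/null | tr -d ' \n'
}

# dbm_format FILE: print the detected family and return 0, or print
# "unknown" and return 1 (2 when FILE does not exist). Both byte orders
# are accepted because GDBM and Berkeley DB write the magic in host order.
dbm_format() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 2; }
    m0=$(hex4 "$f" 0)
    m12=$(hex4 "$f" 12)
    case "$m0" in
        13579ace|ce9a5713) echo "GDBM (original format)"; return 0 ;;
        13579acd|cd9a5713) echo "GDBM (32-bit)";          return 0 ;;
        13579acf|cf9a5713) echo "GDBM (64-bit)";          return 0 ;;
        00061561|61150600) echo "Berkeley DB 1.85 hash";  return 0 ;;
        00053162|62310500) echo "Berkeley DB 1.85 btree"; return 0 ;;
    esac
    case "$m12" in
        00061561|61150600) echo "Berkeley DB hash";  return 0 ;;
        00053162|62310500) echo "Berkeley DB btree"; return 0 ;;
    esac
    echo "unknown"
    return 1
}

# require_format FILE PREFIX: succeed only when the detected family starts
# with PREFIX (e.g. "Berkeley DB" before writing with htdbm -TDB), so a
# provisioning script can bail out instead of corrupting the file.
require_format() {
    fmt=$(dbm_format "$1") || true
    case "$fmt" in
        "$2"*) return 0 ;;
        *) echo "refusing to touch $1: detected '$fmt', wanted '$2'" >&2
           return 1 ;;
    esac
}

# Self-demo on a constructed file carrying a little-endian GDBM magic.
demo=$(mktemp)
printf '\316\232\127\023' > "$demo"
dbm_format "$demo"          # GDBM (original format)
rm -f "$demo"
```

In a provisioning script the guard is used as `require_format /usr/local/apache2/.htdbm "Berkeley DB" && htdbm -B /usr/local/apache2/.htdbm auser2`; a freshly created file that does not exist yet is reported as "missing", so create it with `htdbm -c` first and guard only the later writes.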


Basic Authentication using DBM based storage involves the following steps.
1) Configuring Apache HTTP Server
2) Managing Apache Users and Groups
3) Examples

1) Configuring Apache HTTP Server
Open Apache HTTP Server’s main configuration file httpd.conf.

User authentication using DBM files requires the module mod_authn_dbm.so. It is compiled by default on an Apache HTTP Server installation unless explicitly disabled with the configure option --enable-mods-shared=few or --disable-authn-dbm, but it still has to be enabled manually in the configuration.
Look for the line containing mod_authn_dbm.so. Uncomment the line so it looks as shown below.

LoadModule authn_dbm_module modules/mod_authn_dbm.so


Group authentication using DBM files requires the module mod_authz_dbm.so. It is compiled by default on an Apache HTTP Server installation unless explicitly disabled with the configure option --enable-mods-shared=few or --disable-authz-dbm, but it still has to be enabled manually in the configuration.
Look for the line containing mod_authz_dbm.so. Uncomment the line so it looks as shown below.

LoadModule authz_dbm_module modules/mod_authz_dbm.so

Save and close the file.


Restart the apache service gracefully.

# service apache graceful

2) Managing Apache Users and Groups
Apache HTTP Server provides the utilities dbmmanage and htdbm for creating and managing authentication databases that use Basic HTTP authentication. We can use either of them based upon our needs.

Managing Apache Users and Groups using dbmmanage
OR
Managing Apache Users and Groups using htdbm


Managing Apache Users and Groups using dbmmanage
Features of the dbmmanage utility:

  • Can be out of sync with Apache HTTP Server when it comes to the DBM formats used.
  • Cannot be used to select between different DBM formats; it uses the default format set at install time.
  • Does not support the bcrypt hashing algorithm; support is only provided for crypt(), MD5 and SHA1, which are considered vulnerable.
  • Has the concept of groups.
  • Will be removed in the future, after htdbm gains support for group management.

Managing Apache Users using dbmmanage
Let us create an authentication database .htdbm in /usr/local/apache2/ with Apache user auser1. Execute the below command in terminal. We will be asked to type a new password for the user. Type it and press Enter.

# dbmmanage -s /usr/local/apache2/.htdbm adduser auser1
OPTIONS EXPLAINED

-s
SHA1 encryption

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

adduser
Asks for a password and then adds an entry for username to filename. dbmmanage passwords.dat adduser krietz

username
The user for which the operations are performed. The username may not contain a colon (:).


Let us also add three other Apache users auser2, auser3 and auser4 to the authentication database .htdbm.

# dbmmanage -s /usr/local/apache2/.htdbm adduser auser2
# dbmmanage -s /usr/local/apache2/.htdbm adduser auser3
# dbmmanage -s /usr/local/apache2/.htdbm adduser auser4
OPTIONS EXPLAINED

-s
SHA1 encryption

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

adduser
Asks for a password and then adds an entry for username to filename. dbmmanage passwords.dat adduser krietz

username
The user for which the operations are performed. The username may not contain a colon (:).


The authentication database .htdbm is currently owned by root and is world readable. Let us set proper permissions for this file. Change the user and group ownership of .htdbm file to apache.

# chown apache:apache /usr/local/apache2/.htdbm


Remove read permissions of others for the .htdbm file.

# chmod o-r /usr/local/apache2/.htdbm
OPTIONS EXPLAINED

o-r
Unset read permission for other users who are not members of the file's group


Deleting a user
If we have to delete a user named baduser from the authentication database .htdbm, execute the below command in terminal.

# dbmmanage -s /usr/local/apache2/.htdbm delete baduser
OPTIONS EXPLAINED

-s
SHA1 encryption

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

delete
Deletes the username entry from filename. dbmmanage passwords.dat delete rbowen

username
The user for which the operations are performed. The username may not contain a colon (:).

This will delete the user named baduser from .htdbm. The permissions of .htdbm file will remain intact.


Listing all users

If we have to list all the users in the authentication database .htdbm, execute the below command in terminal.

# dbmmanage /usr/local/apache2/.htdbm view
OPTIONS EXPLAINED

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

view
Just displays the contents of the DBM file. If you specify a username, it displays the particular record only. dbmmanage passwords.dat view


Changing the password of a user
If we have to change the password of user auser1, execute the below command in terminal.

# dbmmanage -s /usr/local/apache2/.htdbm update auser1
OPTIONS EXPLAINED

-s
SHA1 encryption

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

update
Same as the adduser command, except that it makes sure username already exists in filename. dbmmanage passwords.dat update rbowen

username
The user for which the operations are performed. The username may not contain a colon (:).


Verifying the password of a user
If we have to verify the password of user auser1, execute the below command in terminal.

# dbmmanage -s /usr/local/apache2/.htdbm check auser1
OPTIONS EXPLAINED

-s
SHA1 encryption

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

check
Asks for a password and then checks if username is in filename and if its password matches the specified one. dbmmanage passwords.dat check rbowen

username
The user for which the operations are performed. The username may not contain a colon (:).

This will ask us the password of user auser1 for verification.

Managing Apache Groups using dbmmanage
We have four Apache users auser1, auser2, auser3, auser4. Let us create a group agroup12 consisting of users auser1 and auser2, and another group agroup34 consisting of users auser3 and auser4. Execute the below command in terminal.

# dbmmanage -s /usr/local/apache2/.htdbm update auser1 agroup12
# dbmmanage -s /usr/local/apache2/.htdbm update auser2 agroup12
# dbmmanage -s /usr/local/apache2/.htdbm update auser3 agroup34
# dbmmanage -s /usr/local/apache2/.htdbm update auser4 agroup34
OPTIONS EXPLAINED

-s
SHA1 encryption

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

update
Same as the adduser command, except that it makes sure username already exists in filename. dbmmanage passwords.dat update rbowen

username
The user for which the operations are performed. The username may not contain a colon (:).

group
A group which the user is a member of. A groupname may not contain a colon (:). You may use a hyphen (-) if you don't want to assign the user to a group, but fill in the comment field. Additionally, when using the update command, a period (.) keeps the original groups untouched.


Creating a user with group
If we want to add an Apache user auser5 belonging to a new group agroup56, to the authentication database .htdbm; all in a single step, execute the below command in terminal.

# dbmmanage -s /usr/local/apache2/.htdbm adduser auser5 agroup56
OPTIONS EXPLAINED

-s
SHA1 encryption

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir.

adduser
Asks for a password and then adds an entry for username to filename. dbmmanage passwords.dat adduser krietz

username
The user for which the operations are performed. The username may not contain a colon (:).

group
A group which the user is a member of. A groupname may not contain a colon (:). You may use a hyphen (-) if you don't want to assign the user to a group, but fill in the comment field. Additionally, when using the update command, a period (.) keeps the original groups untouched.



Managing Apache Users and Groups using htdbm

Currently htdbm can only be used to create and manage users. There is no concept of groups in htdbm. Hopefully support for groups will be added in the future.

Features of the htdbm utility:

  • Uses exactly the same code as Apache, so the set of database formats used and the default preference are the same.
  • Can be used to select between different DBM formats including SDBM, GDBM, DB, or the default format set at install time.
  • Supports the bcrypt hashing algorithm in addition to the hashing algorithms crypt(), MD5 and SHA1.
  • Lacks the concept of groups.
  • Will be the default DBM management tool after gaining support for group management.


Let us create an authentication database .htdbm in /usr/local/apache2/, with Apache user auser1. Execute the below command in terminal. We will be asked to type a new password for the user. Type it and press Enter.

# htdbm -cB /usr/local/apache2/.htdbm auser1

NOTE: If a password file already exists, the -c option will only work if that file was created by htdbm or follows the exact format htdbm expects. Otherwise the new authentication details are appended, resulting in a corrupt authentication file.

OPTIONS EXPLAINED

-c
Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.

-B
Use bcrypt encryption for passwords. This is currently considered to be very secure.

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir. If -c is given, the DBM file is created if it does not already exist, or updated if it does exist.

username
The username to create or update in passwdfile. If username does not exist in this file, an entry is added. If it does exist, the password is changed.



Let us also add three other Apache users auser2, auser3 and auser4 to the authentication database .htdbm.

# htdbm -B /usr/local/apache2/.htdbm auser2
# htdbm -B /usr/local/apache2/.htdbm auser3
# htdbm -B /usr/local/apache2/.htdbm auser4
OPTIONS EXPLAINED

-B
Use bcrypt encryption for passwords. This is currently considered to be very secure.

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir. If -c is given, the DBM file is created if it does not already exist, or updated if it does exist.

username
The username to create or update in passwdfile. If username does not exist in this file, an entry is added. If it does exist, the password is changed.



The authentication database .htdbm is currently owned by root and is world readable. Let us set proper permissions for this file. Change the user and group ownership of .htdbm file to apache.

# chown apache:apache /usr/local/apache2/.htdbm


Remove read permissions of others for the .htdbm file.

# chmod o-r /usr/local/apache2/.htdbm
OPTIONS EXPLAINED

o-r
Unset read permission for other users who are not members of the file's group
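The chown and chmod steps above (the same ones are given in the dbmmanage section) leave no record of whether they were actually applied on every host. The following is an added example, not code from the Apache documentation: a portable audit function that reads the mode string and owner from ls -ld and reports a DBM authentication file that is not owned by the expected account or is reachable by "others". It is stricter than the page's chmod o-r in that any read, write or execute bit for others is reported; the function name check_authdb_perms and the default owner argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the Apache documentation): audit ownership and
# permission bits of a DBM authentication file after the chown/chmod steps,
# so a world-readable copy of the password hashes is caught before the
# server goes live. Stricter than "chmod o-r": any r, w or x bit for
# "others" is reported.

# check_authdb_perms FILE [OWNER]: return 0 when FILE is owned by OWNER
# (default apache) and carries no permission bits for "others"; print one
# line per finding and return 1 otherwise, 2 when FILE does not exist.
check_authdb_perms() {
    f=$1
    want_owner=${2:-apache}
    [ -e "$f" ] || { echo "$f: no such file" >&2; return 2; }
    # ls -ld is portable: field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner; run chown $want_owner $f"
        rc=1
    fi
    # Characters 8-10 of the mode string are the rwx bits for "others".
    case "$(printf '%s' "$mode" | cut -c8-10)" in
        ---) ;;
        *) echo "$f: accessible to others (mode $mode); run chmod o-rwx $f"
           rc=1 ;;
    esac
    return $rc
}

# Self-demo on a constructed temporary file left world-readable.
demo=$(mktemp)
chmod 644 "$demo"
check_authdb_perms "$demo" "$(id -un)" || echo "fix before going live"
rm -f "$demo"
```

On the page's setup the call is `check_authdb_perms /usr/local/apache2/.htdbm apache`; a non-zero exit from a cron job or a configuration-management run is the signal that the file was recreated (for example by a later htdbm -c as root) and the permissions need to be reapplied.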


Deleting a user
If we have to delete a user named baduser from the authentication database .htdbm, execute the below command in terminal.

# htdbm -x /usr/local/apache2/.htdbm baduser
OPTIONS EXPLAINED

-x
Delete user. If the username exists in the specified DBM file, it will be deleted.

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir. If -c is given, the DBM file is created if it does not already exist, or updated if it does exist.

username
The username to create or update in passwdfile. If username does not exist in this file, an entry is added. If it does exist, the password is changed.

This will delete the user named baduser from .htdbm. The permissions of .htdbm file will remain intact.


Verifying the password of a user
If we have to verify the password of user named auser1, execute the below command in terminal.

# htdbm -v /usr/local/apache2/.htdbm auser1
OPTIONS EXPLAINED

-v
Verify the username and password. The program will print a message indicating whether the supplied password is valid. If the password is invalid, the program exits with error code 3.

filename
The filename of the DBM format file. Usually without the extension .db, .pag, or .dir. If -c is given, the DBM file is created if it does not already exist, or updated if it does exist.

This will ask us the password of user auser1 for verification.

3) Examples
The sample configurations provided in the below examples should be placed inside the <Directory> or <Location> block of Apache HTTP Server's configuration files, or inside .htaccess files.
Make sure to read Setting up Authentication and Authorization before proceeding.

TIP: Read about htaccess directives.
WARNING: The authentication files should never be accessible to the outside world. If possible they should not be placed within the webserver's URI space. Even if they are placed, Access Control must be implemented denying any access to them.

Apache HTTP Server's main configuration file httpd.conf contains the following lines, which deny access to any file whose name starts with .ht.
    <Files ".ht*">
         Require all denied
    </Files>
Name your authentication files according to this configuration.


EXAMPLE 1: To password protect a directory, with access to only selected users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			user auser1 auser2

This will present the user with a Username & Password prompt when they try to access the specified directory. Only users auser1 and auser2 are authorized to access.


EXAMPLE 2: To password protect a directory, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			valid-user

This will present the user with a Username & Password prompt when they try to access the specified directory. All users are authorized to access.


EXAMPLE 3: To password protect a directory, with access to only selected groups, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
AuthDBMGroupFile	/usr/local/apache2/.htdbm
Require			dbm-group agroup12

This will present the user with a Username & Password prompt when they try to access the specified directory. Only users in the group agroup12 are authorized to access.


EXAMPLE 4: To password protect a file, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
<Files "file1.jpg">
  Require valid-user
</Files>

This will present the user with a Username & Password prompt when they try to access the specified file file1.jpg. All users are authorized to access.


EXAMPLE 5: To password protect multiple files, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
<FilesMatch "^(file1\.jpg|file2\.zip|file3)$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the specified files file1.jpg, file2.zip, file3. All users are authorized to access.


EXAMPLE 6: To password protect a filetype, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
<FilesMatch "\.jpg$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the files with extension .jpg. All users are authorized to access.


EXAMPLE 7: To password protect multiple filetypes, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
<FilesMatch "\.(jpg|pdf|zip|rar)$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the files with extensions .jpg, .pdf, .zip, .rar. All users are authorized to access.


EXAMPLE 8: To password protect multiple files/filetypes, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
<FilesMatch "^file">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access all files whose filename starts with file. All users are authorized to access.
OR

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
<FilesMatch "^(file[1-2]\.jpg|file3)$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the files file1.jpg, file2.jpg and file3. All users are authorized to access.


EXAMPLE 9: To password protect everything in a directory, except a single file, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			valid-user
<Files "file1.jpg">
  Require all granted
</Files>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the file file1.jpg. All users are authorized to access.


EXAMPLE 10: To password protect everything in a directory, except multiple files, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			valid-user
<FilesMatch "^(file1\.jpg|file2\.zip|file3)$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files file1.jpg, file2.zip, file3. All users are authorized to access.


EXAMPLE 11: To password protect everything in a directory, except a specific filetype, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			valid-user
<FilesMatch "\.jpg$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files with extension .jpg. All users are authorized to access.


EXAMPLE 12: To password protect everything in a directory, except multiple filetypes, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			valid-user
<FilesMatch "\.(jpg|pdf|zip|rar)$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files with extensions .jpg, .pdf, .zip and .rar. All users are authorized to access.


EXAMPLE 13: To password protect everything in a directory, except multiple files/filetypes, with access to all users, add the below content to configuration file.

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			valid-user
<FilesMatch "^file">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files whose filename starts with file. All users are authorized to access.
OR

AuthName		"Secure Area"
AuthType		Basic
AuthBasicProvider	dbm
AuthDBMType		DB
AuthDBMUserFile		/usr/local/apache2/.htdbm
Require			valid-user
<FilesMatch "^(file[1-2]\.jpg|file3)$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files file1.jpg, file2.jpg and file3. All users are authorized to access.
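FilesMatch applies its regular expression to the file's basename as a substring search, which matters most in the "everything except" examples above, where the pattern selects the files that get Require all granted: a loosely written pattern widens the exception. The following is an added example, not code from the Apache documentation, that compares a loosely written pattern with its anchored, dot-escaped form against constructed filenames; grep -E stands in for the server's regex engine, and the patterns used here behave the same under both. The function names fm_matches and compare and the sample filenames are this example's own.

```shell
#!/bin/sh
# Added example (not from the Apache documentation): show how a FilesMatch
# pattern matches as a substring of the basename, and why a pattern meant to
# name one file or one extension must be anchored and have its dots escaped.
# grep -E stands in for the server's regex engine for these simple patterns.

# fm_matches PATTERN NAME: 0 when PATTERN matches NAME the way FilesMatch
# would (unanchored match against the basename), 1 otherwise.
fm_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# compare LOOSE STRICT NAME...: print, for each NAME, whether the loose
# pattern and its anchored replacement match it.
compare() {
    loose=$1
    strict=$2
    shift 2
    printf '%-22s %-36s %-6s %s\n' "filename" "loose / strict" "loose" "strict"
    for name in "$@"; do
        l=no
        s=no
        fm_matches "$loose"  "$name" && l=yes
        fm_matches "$strict" "$name" && s=yes
        printf '%-22s %-36s %-6s %s\n' "$name" "$loose -> $strict" "$l" "$s"
    done
}

# Constructed sample names: the last one in each group is the kind of file a
# loose "Require all granted" exception would expose without a password.
compare '.jpg'  '\.jpg$'  photo.jpg  xjpg.php
compare 'file*' '^file'   file1.jpg  profile.conf
compare '(file1.jpg)|(file2.zip)|(file3)' '^(file1\.jpg|file2\.zip|file3)$' \
        file3  file3-secret.conf
```

The loose `.jpg` also matches xjpg.php because `.` matches any character, `file*` means "fil" followed by zero or more "e" and so matches profile.conf, and the unanchored alternation matches file3-secret.conf because file3 appears inside it. When the pattern guards a Require all granted exception, each of those extra matches is a file served without authentication.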


EXAMPLE 14: If we want to disable password protection for a specific directory, add the below content to configuration file.

Require all granted

This will not present the user with the Username & Password prompt when they try to access that directory.

It is recommended to view the following sections.
Basic Authentication using Flatfile based storage
Digest Authentication using Flatfile based storage
Digest Authentication using DBM based storage

OR

You may go back to the following section.
Securing Apache HTTP Server