Update .htpasswd file without ftp / Control Panel access?

Posted: Thu Jan 08, 2004 1:46 am (20 years, 3 months ago)

I recently took over administration of my organization's web site. A password is required to allow members to get into anything behind the "Members-only" sub-directory where the .htaccess and .htpasswd files are.

The guy that used to administer the website didn't keep up with issuing passwords. People who have been members for 6 months still don't have access and people who have not been members for 2 or 3 years still have access. In fact, the guy simply disappeared with most of the organizations records, so we don't even have a current members list.

On top of running my own business, I have too many other website related problems to be able to catch that part of this thing up by myself. And there are "volunteers" available.

But the only access to web host's Password utility is through the website's "Control Panel." And the hosting company has no provision to assign additional passwords with limited access to parts of the control panel.

Anyone who has Control Panel and ftp access could do anything they want to the website. I'm not even a little bit comfortable giving a volunteer that kind of access. Just way too much opportunity to inadvertantly mess something while snooping around...

I've read .htaccess turorials, and searched the internet for .htpassword utilities, and the more I read, the more confused I get. I have enough understanding of HTML, CSS and SSI to get by, and have actually been able to get a couple of java scripts (written by others) to work in the 3 websites I administer. Beyond that, I'm totally in the dark. (Guess I'm not as much of a geek as my wife thinks I am...)

I probably not phrasing this question correctly. I have found .htpasswd utilities that will generate encripted passwords like the one on this website. But just encripting the password does not get it into the .htpasswd file in the protected directory.

Do any of you know of a script or program that can reside in the protected directory, that will allow a "volunteer" having only access to the sub-directory to issue .htaccess usernames and passwords?

Or perhaps a script or program that will allow the volunteer to enter the username and encripted password to the .htpasswd file in the protected directory - without giving that volunteer the website's ftp / control panel password and username?

The web hosting company's "technical support" guy told me "it can't be done." I just have a hard time accepting that. (Perhaps we need to change hosting companies.) Can you guys hepl me with this?

Thanks, Rick

Junior WebHelper Joined: 10 Jan 2004 Posts: 2

I would like to get this to work as well...here's what I have so far. It works great, it's just not using the right encryption method for apache htpasswd files...I can't seem to figure out how to get "testpass" to encrypt the same way that the htpasswd binary does it.

The htpasswd binary creates this:
$apr1$ta3.....$TCOvaJ3d4QbMyjtai3rpB0

Using the PHP crypt function, I get this:
$1$6U3.Vi/.$ObBIBnm.LlVM4IeUqzF1T0

I thought I had it working before, but I guess not. Let me know if this gets you anywhere (or if you figure out how to do it Smile

).

Execute it this way:
http://www.domain.tld/thisphpfile.php?user=usergoeshere&pass=passgoeshere

Code:

<?
//GET FILENAMES
$HTPasswdFile = '.htpasswd';
$HTAccessFile = '.htaccess';

//RETRIEVE USER/PASS
$NewUser = "$_GET[user]";
$NewPass = "$_GET[pass]";

//WRITE TO HTACCESS FILE
$HTAccessFileHandle = fopen($HTAccessFile,'w');
fputs($HTAccessFileHandle, "AuthUserFile $HTPasswdFile\nAuthGroupFile /dev/null\nAuthName 'Restricted Directory'\nAuthType Basic\nrequire user $NewUser\n");
fclose($HTAccessFileHandle);

//ENCRYPT PASSWORD
$NewPassEncrypted = crypt($NewPass);

//WRITE TO HTPASSWD FILE
$HTPasswdFileHandle = fopen($HTPasswdFile,'w');
fputs($HTPasswdFileHandle, "$NewUser:$NewPassEncrypted\n");
fclose($HTPasswdFileHandle);
?>

Junior WebHelper Joined: 10 Jan 2004 Posts: 2

Here's a modified version that works great! There's one catch though...you need to have execute permission for the apache htpasswd binary (and know where it is).

Code:

<?
//GET FILENAMES
$HTPasswdBinary = '/usr/local/apache2/bin/htpasswd';
//$HTPasswdBinary = 'C:/Progra~1/Apache~1/Apache/bin/htpasswd.exe';
$HTPasswdFile = $_SERVER['DOCUMENT_ROOT'] . '/testdir/.htpasswd';
$HTAccessFile = $_SERVER['DOCUMENT_ROOT'] . '/testdir/.htaccess';

//RETRIEVE USER/PASS
$NewUser = "$_GET[user]";
$NewPass = "$_GET[pass]";

//WRITE TO HTACCESS FILE
$HTAccessFileHandle = fopen($HTAccessFile,'w');
fputs($HTAccessFileHandle, "AuthUserFile $HTPasswdFile\nAuthGroupFile /dev/null\nAuthName 'Restricted Directory'\nAuthType Basic\nrequire user $NewUser\n");
fclose($HTAccessFileHandle);

//CREATE HTPASSWD FILE
system("$HTPasswdBinary -cb $HTPasswdFile $NewUser $NewPass");
?>

For multiple users in a single directory:

Code:

<?
//GET FILENAMES
$HTPasswdBinary = '/usr/local/apache2/bin/htpasswd';
//$HTPasswdBinary = 'C:/Progra~1/Apache~1/Apache/bin/htpasswd.exe';
$HTPasswdFile = $_SERVER['DOCUMENT_ROOT'] . '/testdir/.htpasswd';
$HTAccessFile = $_SERVER['DOCUMENT_ROOT'] . '/testdir/.htaccess';

//RETRIEVE USER/PASS
$NewUser = "$_GET[user]";
$NewPass = "$_GET[pass]";

//WRITE TO HTACCESS FILE
if(!file_exists($HTAccessFile)){
   $HTAccessFileHandle = fopen($HTAccessFile,'w');
   fputs($HTAccessFileHandle,"AuthUserFile $HTPasswdFile\nAuthGroupFile /dev/null\nAuthName 'Restricted Directory'\nAuthType Basic\n");
}else{
   $HTAccessFileHandle = fopen($HTAccessFile,'a');
}
fputs($HTAccessFileHandle,"require user $NewUser\n");
fclose($HTAccessFileHandle);

//CREATE HTPASSWD FILE
if(file_exists($HTPasswdFile)){
   system("$HTPasswdBinary -b $HTPasswdFile $NewUser $NewPass");
}else{
   system("$HTPasswdBinary -cb $HTPasswdFile $NewUser $NewPass");
}
?>